Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.Trojan.PackedNET.645.19369.30388

Overview

General Information

Sample Name:	SecuriteInfo.com.Trojan.PackedNET.645.19369.30388 (renamed file extension from 30388 to exe)
Analysis ID:	385412
MD5:	9a8808e03b68e5c7a6b92389cf523684
SHA1:	a9156e69f05b27350444aa07228d4aa15799484c
SHA256:	1cdb81091d98d217a4cdc8c570df9178e797af21a9d4b1bc39c49766322ae4bf
Tags:	AgentTesla
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains very large array initializations

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

SecuriteInfo.com.Trojan.PackedNET.645.19369.exe (PID: 5668 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe' MD5: 9A8808E03B68E5C7A6B92389CF523684)

schtasks.exe (PID: 2392 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YoNupIfnI' /XML 'C:\Users\user\AppData\Local\Temp\tmp4A35.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

SecuriteInfo.com.Trojan.PackedNET.645.19369.exe (PID: 2396 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe MD5: 9A8808E03B68E5C7A6B92389CF523684)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "wnahhas@alshareef-org.co@Sweden2020.,mail.privateemail.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.479609173.0000000002DA5000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.474023127.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.240720459.0000000002A31000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000002.479122659.0000000002D41000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.479122659.0000000002D41000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.244321688.0000000003B89000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.479367965.0000000002D79000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe PID: 2396	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe PID: 2396	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe PID: 5668	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe PID: 5668	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
3.2.SecuriteInfo.com.Trojan.PackedNET.645.19369.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Trojan.PackedNET.645.19369.exe.3cf7ef8.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Trojan.PackedNET.645.19369.exe.3cf7ef8.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YoNupIfnI' /XML 'C:\Users\user\AppData\Local\Temp\tmp4A35.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YoNupIfnI' /XML 'C:\Users\user\AppData\Local\Temp\tmp4A35.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe' , ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, ParentProcessId: 5668, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YoNupIfnI' /XML 'C:\Users\user\AppData\Local\Temp\tmp4A35.tmp', ProcessId: 2392

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.645.19369.exe.3cf7ef8.3.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "wnahhas@alshareef-org.co@Sweden2020.,mail.privateemail.com"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\YoNupIfnI.exe

ReversingLabs: Detection: 33%

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

ReversingLabs: Detection: 33%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\YoNupIfnI.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

Joe Sandbox ML: detected

Source: 3.2.SecuriteInfo.com.Trojan.PackedNET.645.19369.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_04A68680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_04A68673
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_04A693E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_04A693F0

Source: global traffic

TCP traffic: 192.168.2.3:49710 -> 198.54.122.60:587

Source: Joe Sandbox View

IP Address: 198.54.122.60 198.54.122.60

Source: global traffic

TCP traffic: 192.168.2.3:49710 -> 198.54.122.60:587

Source: unknown

DNS traffic detected: queries for: mail.privateemail.com

Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.479122659.0000000002D41000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.479122659.0000000002D41000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.479122659.0000000002D41000.00000004.00000001.sdmp	String found in binary or memory: http://NJDUeI.com
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.483834190.0000000006BB0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.483855414.0000000006BD7000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.477604889.00000000011B2000.00000004.00000020.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.480002656.0000000002E10000.00000004.00000001.sdmp	String found in binary or memory: http://mail.privateemail.com
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.483834190.0000000006BB0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.477604889.00000000011B2000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.241052171.0000000002A7A000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.240360424.00000000029E1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.241052171.0000000002A7A000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215711492.0000000005AB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.217221192.0000000005AB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.216478199.0000000005AEE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.216774100.0000000005AC9000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.237285257.0000000005AB0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com=
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.217221192.0000000005AB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF7
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.217221192.0000000005AB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comG
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.217221192.0000000005AB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comessed-
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.237285257.0000000005AB0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coml1
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.217221192.0000000005AB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comrsivc
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.217221192.0000000005AB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comsief
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.217221192.0000000005AB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comsiva
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.210605693.0000000005ACB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comc
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.212835401.0000000005AB8000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.212835401.0000000005AB8000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.212835401.0000000005AB8000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn2
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.212298152.0000000005ABD000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnn
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.218123578.0000000005AC3000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.218123578.0000000005AC3000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215821511.0000000005AB5000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215537501.0000000005AB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215537501.0000000005AB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/-
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215537501.0000000005AB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/8
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215537501.0000000005AB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/N
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215821511.0000000005AB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/X
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215537501.0000000005AB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/c
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215537501.0000000005AB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/chet
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215821511.0000000005AB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/d
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215821511.0000000005AB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/he
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215821511.0000000005AB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ild
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215537501.0000000005AB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/j
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215537501.0000000005AB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215821511.0000000005AB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/-
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215537501.0000000005AB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/q
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215537501.0000000005AB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/x
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215537501.0000000005AB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/p
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.210156054.0000000005AB3000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.210156054.0000000005AB3000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comd
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215821511.0000000005AB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215711492.0000000005AB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.comP
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.217221192.0000000005AB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.479609173.0000000002DA5000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000003.445621812.0000000000F74000.00000004.00000001.sdmp	String found in binary or memory: https://0SCo6pf5oOU.com
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.477604889.00000000011B2000.00000004.00000020.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.240720459.0000000002A31000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.244321688.0000000003B89000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.474023127.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.479122659.0000000002D41000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 3.2.SecuriteInfo.com.Trojan.PackedNET.645.19369.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b2AB962F4u002d0200u002d473Fu002dBEF2u002dAD8BD6AEFA65u007d/u0034A08FE75u002d6AB6u002d4D23u002dA2EFu002d852F62E4598F.cs

Large array initialization: .cctor: array initializer size 11942

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

Code function: 0_2_07753BBC NtQueryInformationProcess,

0_2_07753BBC

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_0288C2B0	0_2_0288C2B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_02889968	0_2_02889968
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_04A65698	0_2_04A65698
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_04A60778	0_2_04A60778
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_04A670AA	0_2_04A670AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_04A64860	0_2_04A64860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_04A63AF8	0_2_04A63AF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_04A64228	0_2_04A64228
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_04A60260	0_2_04A60260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_04A647A8	0_2_04A647A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_04A68F00	0_2_04A68F00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_04A60772	0_2_04A60772
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_04A658F5	0_2_04A658F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_04A64852	0_2_04A64852
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_04A65941	0_2_04A65941
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_04A63AE9	0_2_04A63AE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_04A6523F	0_2_04A6523F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_04A64218	0_2_04A64218
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_04A60250	0_2_04A60250
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_0775C6D8	0_2_0775C6D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_07755150	0_2_07755150
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_077521A8	0_2_077521A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_0775F008	0_2_0775F008
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_07751DD8	0_2_07751DD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_07756B20	0_2_07756B20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_07755BD0	0_2_07755BD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_077549E8	0_2_077549E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_0775D660	0_2_0775D660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_07755650	0_2_07755650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_07755642	0_2_07755642
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_07758508	0_2_07758508
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_077584F8	0_2_077584F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_077554E0	0_2_077554E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_07759248	0_2_07759248
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_07759238	0_2_07759238
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_07755142	0_2_07755142
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_07755102	0_2_07755102
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_0775219A	0_2_0775219A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_07752180	0_2_07752180
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_07759068	0_2_07759068
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_07759058	0_2_07759058
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_0775CFB0	0_2_0775CFB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_07759E31	0_2_07759E31
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_07759E38	0_2_07759E38
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_07758DF0	0_2_07758DF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_07758DE1	0_2_07758DE1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_07753DD8	0_2_07753DD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_07751DCA	0_2_07751DCA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_07753DCA	0_2_07753DCA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_07755BC2	0_2_07755BC2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_07756A1B	0_2_07756A1B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_07756AF7	0_2_07756AF7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_0775492F	0_2_0775492F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_077549B7	0_2_077549B7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_077579B0	0_2_077579B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_077579A2	0_2_077579A2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 3_2_00F10CD2	3_2_00F10CD2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 3_2_00F1B798	3_2_00F1B798
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 3_2_00F1A560	3_2_00F1A560
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 3_2_00F10130	3_2_00F10130
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 3_2_00F19918	3_2_00F19918
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 3_2_00F15F18	3_2_00F15F18
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 3_2_00F1E680	3_2_00F1E680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 3_2_00F17278	3_2_00F17278
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 3_2_02B946A0	3_2_02B946A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 3_2_02B94690	3_2_02B94690
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 3_2_02B9DA01	3_2_02B9DA01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 3_2_05F67540	3_2_05F67540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 3_2_05F694F8	3_2_05F694F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 3_2_05F66C70	3_2_05F66C70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 3_2_05F66928	3_2_05F66928
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 3_2_05F62548	3_2_05F62548

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\YoNupIfnI.exe 1CDB81091D98D217A4CDC8C570DF9178E797AF21A9D4B1BC39C49766322AE4BF

Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: YoNupIfnI.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.249046058.0000000007760000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll2 vs SecuriteInfo.com.Trojan.PackedNET.645.19369.exe
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.249406262.000000000D6D0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs SecuriteInfo.com.Trojan.PackedNET.645.19369.exe
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.238337726.0000000000778000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAssemblyName.exe> vs SecuriteInfo.com.Trojan.PackedNET.645.19369.exe
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.224977983.0000000003CAC000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll" vs SecuriteInfo.com.Trojan.PackedNET.645.19369.exe
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.240720459.0000000002A31000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamewqFKswjrJPIEOyUzkAvWJEoMgmyANjOnaaFr.exe4 vs SecuriteInfo.com.Trojan.PackedNET.645.19369.exe
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.249544332.000000000D7D0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs SecuriteInfo.com.Trojan.PackedNET.645.19369.exe
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.249544332.000000000D7D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.Trojan.PackedNET.645.19369.exe
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.474023127.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamewqFKswjrJPIEOyUzkAvWJEoMgmyANjOnaaFr.exe4 vs SecuriteInfo.com.Trojan.PackedNET.645.19369.exe
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.475642698.0000000000BC8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Trojan.PackedNET.645.19369.exe
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000000.236550991.0000000000A18000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAssemblyName.exe> vs SecuriteInfo.com.Trojan.PackedNET.645.19369.exe
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.477493906.000000000114A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.PackedNET.645.19369.exe
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.483398579.00000000063E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs SecuriteInfo.com.Trojan.PackedNET.645.19369.exe
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Binary or memory string: OriginalFilenameAssemblyName.exe> vs SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: YoNupIfnI.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 3.2.SecuriteInfo.com.Trojan.PackedNET.645.19369.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.SecuriteInfo.com.Trojan.PackedNET.645.19369.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/4@1/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

File created: C:\Users\user\AppData\Roaming\YoNupIfnI.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1832:120:WilError_01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Mutant created: \Sessions\1\BaseNamedObjects\gqtfPZyzPpSSNqPqTlZbeux

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

File created: C:\Users\user\AppData\Local\Temp\tmp4A35.tmp

Jump to behavior

Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.240720459.0000000002A31000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.240720459.0000000002A31000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.240720459.0000000002A31000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.240720459.0000000002A31000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.240720459.0000000002A31000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.240720459.0000000002A31000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.240720459.0000000002A31000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

ReversingLabs: Detection: 33%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YoNupIfnI' /XML 'C:\Users\user\AppData\Local\Temp\tmp4A35.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YoNupIfnI' /XML 'C:\Users\user\AppData\Local\Temp\tmp4A35.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_04A6604F push es; ret	0_2_04A66050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 0_2_0775662C push cs; ret	0_2_0775662D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 3_2_00F1C120 pushfd ; iretd	3_2_00F1C36E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 3_2_02B9441C push ss; iretd	3_2_02B94426
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 3_2_02B9AA90 pushfd ; iretd	3_2_02B9AA9E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 3_2_02B9CD51 push esp; iretd	3_2_02B9CD5D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 3_2_02B93567 push ss; iretd	3_2_02B93572
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Code function: 3_2_02B95CB8 push ds; iretd	3_2_02B95CC6

Source: initial sample	Static PE information: section name: .text entropy: 7.95185598846
Source: initial sample	Static PE information: section name: .text entropy: 7.95185598846

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

File created: C:\Users\user\AppData\Roaming\YoNupIfnI.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YoNupIfnI' /XML 'C:\Users\user\AppData\Local\Temp\tmp4A35.tmp'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.240720459.0000000002A31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe PID: 5668, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.240720459.0000000002A31000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.240720459.0000000002A31000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Window / User API: threadDelayed 6797			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Window / User API: threadDelayed 3057			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe TID: 2576	Thread sleep time: -103161s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe TID: 2576	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe TID: 2584	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe TID: 1540	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe TID: 5672	Thread sleep count: 6797 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe TID: 5672	Thread sleep count: 3057 > 30	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Thread delayed: delay time: 103161	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Thread delayed: delay time: 40000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.240720459.0000000002A31000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.240720459.0000000002A31000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.240720459.0000000002A31000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.477604889.00000000011B2000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.240720459.0000000002A31000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.240720459.0000000002A31000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.240720459.0000000002A31000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.240720459.0000000002A31000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.240720459.0000000002A31000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.240720459.0000000002A31000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YoNupIfnI' /XML 'C:\Users\user\AppData\Local\Temp\tmp4A35.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe			Jump to behavior

Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.478072790.00000000016E0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.478072790.00000000016E0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.478072790.00000000016E0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.478072790.00000000016E0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

Code function: 3_2_05F65A94 GetUserNameW,

3_2_05F65A94

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000003.00000002.479609173.0000000002DA5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.474023127.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.479122659.0000000002D41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.244321688.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.479367965.0000000002D79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe PID: 2396, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe PID: 5668, type: MEMORY
Source: Yara match	File source: 3.2.SecuriteInfo.com.Trojan.PackedNET.645.19369.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.645.19369.exe.3cf7ef8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.645.19369.exe.3cf7ef8.3.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000003.00000002.479122659.0000000002D41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe PID: 2396, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000003.00000002.479609173.0000000002DA5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.474023127.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.479122659.0000000002D41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.244321688.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.479367965.0000000002D79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe PID: 2396, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe PID: 5668, type: MEMORY
Source: Yara match	File source: 3.2.SecuriteInfo.com.Trojan.PackedNET.645.19369.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.645.19369.exe.3cf7ef8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.645.19369.exe.3cf7ef8.3.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Scheduled Task/Job1	Process Injection112	Disable or Modify Tools1	OS Credential Dumping2	Account Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Deobfuscate/Decode Files or Information1	Input Capture11	File and Directory Discovery1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information3	Credentials in Registry1	System Information Discovery114	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing3	NTDS	Security Software Discovery321	Distributed Component Object Model	Input Capture11	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Process Discovery2	SSH	Clipboard Data1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion141	Cached Domain Credentials	Virtualization/Sandbox Evasion141	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	33%	ReversingLabs	Win32.Trojan.Wacatac
SecuriteInfo.com.Trojan.PackedNET.645.19369.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\YoNupIfnI.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\YoNupIfnI.exe	33%	ReversingLabs	Win32.Trojan.Wacatac

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.SecuriteInfo.com.Trojan.PackedNET.645.19369.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://NJDUeI.com	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.fontbureau.coml1	0%	URL Reputation	safe
http://www.fontbureau.coml1	0%	URL Reputation	safe
http://www.fontbureau.coml1	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.fontbureau.comF7	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cnn	0%	URL Reputation	safe
http://www.founder.com.cn/cnn	0%	URL Reputation	safe
http://www.founder.com.cn/cnn	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/chet	0%	Avira URL Cloud	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/8	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/8	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/8	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/-	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/-	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/-	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.comd	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/he	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://www.fontbureau.com=	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://www.fontbureau.comsiva	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.sakkal.comP	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/X	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/X	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/X	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://www.fonts.comc	0%	URL Reputation	safe
http://www.fonts.comc	0%	URL Reputation	safe
http://www.fonts.comc	0%	URL Reputation	safe
http://www.fontbureau.comG	0%	Avira URL Cloud	safe
http://www.fontbureau.comessed-	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/N	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/N	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/N	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/ild	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/q	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.privateemail.com	198.54.122.60	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://NJDUeI.com	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.479122659.0000000002D41000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:HTTP/1.1	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.479122659.0000000002D41000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designersG	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.sectigo.com0	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.477604889.00000000011B2000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.241052171.0000000002A7A000.00000004.00000001.sdmp	false		high
http://www.tiro.com	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.240720459.0000000002A31000.00000004.00000001.sdmp	false		high
http://www.fontbureau.coml1	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.237285257.0000000005AB0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.210156054.0000000005AB3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comF7	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.217221192.0000000005AB5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnn	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.212298152.0000000005ABD000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.218123578.0000000005AC3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/chet	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215537501.0000000005AB5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://fontfabrik.com	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/8	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215537501.0000000005AB5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/-	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215537501.0000000005AB5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ascendercorp.com/typedesigners.html	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215711492.0000000005AB5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.com	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.comd	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.210156054.0000000005AB3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.de	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.217221192.0000000005AB5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.241052171.0000000002A7A000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.240360424.00000000029E1000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215821511.0000000005AB5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/he	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215821511.0000000005AB5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.244321688.0000000003B89000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.474023127.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com=	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.237285257.0000000005AB0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.477604889.00000000011B2000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comsiva	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.217221192.0000000005AB5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.217221192.0000000005AB5000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.218123578.0000000005AC3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.comP	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215711492.0000000005AB5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://DynDns.comDynDNS	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.479122659.0000000002D41000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/X	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215821511.0000000005AB5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://sectigo.com/CPS0	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.477604889.00000000011B2000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.comc	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.210605693.0000000005ACB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comG	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.217221192.0000000005AB5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comessed-	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.217221192.0000000005AB5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.479122659.0000000002D41000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/N	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215537501.0000000005AB5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/ild	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215821511.0000000005AB5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/q	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215537501.0000000005AB5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://mail.privateemail.com	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.480002656.0000000002E10000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215537501.0000000005AB5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/x	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215537501.0000000005AB5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.212835401.0000000005AB8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.212835401.0000000005AB8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.216774100.0000000005AC9000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/p	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215537501.0000000005AB5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn2	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.212835401.0000000005AB8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215821511.0000000005AB5000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215537501.0000000005AB5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/-	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215821511.0000000005AB5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comrsivc	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.217221192.0000000005AB5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000002.248499293.0000000006CC2000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/j	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215537501.0000000005AB5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://0SCo6pf5oOU.com	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000002.479609173.0000000002DA5000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000003.00000003.445621812.0000000000F74000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/c	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215537501.0000000005AB5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/d	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.215821511.0000000005AB5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.216478199.0000000005AEE000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comsief	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe, 00000000.00000003.217221192.0000000005AB5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.54.122.60	mail.privateemail.com	United States		22612	NAMECHEAP-NETUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385412
Start date:	12.04.2021
Start time:	13:09:06
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Trojan.PackedNET.645.19369.30388 (renamed file extension from 30388 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/4@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.1% (good quality ratio 0%) Quality average: 27.3% Quality standard deviation: 31.9%
HCA Information:	Successful, ratio: 97% Number of executed functions: 131 Number of non-executed functions: 24
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 2.20.142.210, 2.20.142.209, 93.184.220.29, 205.185.216.42, 205.185.216.10, 104.43.139.144, 13.88.21.125, 168.61.161.212, 13.64.90.137, 184.30.24.56 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, skypedataprdcolwus17.cloudapp.net, cs9.wac.phicdn.net, fs.microsoft.com, ctldl.windowsupdate.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, cds.d2s7q6s2.hwcdn.net, skypedataprdcolcus16.cloudapp.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ocsp.digicert.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus15.cloudapp.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/385412/sample/SecuriteInfo.com.Trojan.PackedNET.645.19369.exe

Simulations

Behavior and APIs

Time	Type	Description
13:10:03	API Interceptor	700x Sleep call for process: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
198.54.122.60	01_Enquiry Form.doc	Get hash	malicious	Browse
	Quotation2001100200.PDF.exe	Get hash	malicious	Browse
	Tepic.exe	Get hash	malicious	Browse
	3.exe	Get hash	malicious	Browse
	New#PO23000.PDF.exe	Get hash	malicious	Browse
	l1I6IIUtw7.exe	Get hash	malicious	Browse
	dCaIlsd8Iu.exe	Get hash	malicious	Browse
	QzieSGrrIc.exe	Get hash	malicious	Browse
	6ptKQe0Bf8.exe	Get hash	malicious	Browse
	P.O.exe	Get hash	malicious	Browse
	POM-20120273.PDF.exe	Get hash	malicious	Browse
	Purchase_order_pdf.exe	Get hash	malicious	Browse
	purchase_order_pdf.exe	Get hash	malicious	Browse
	Purchase_order_pdf.exe	Get hash	malicious	Browse
	Order_BC012356PDF.exe	Get hash	malicious	Browse
	PAYMENT ADVICE.pdf.exe	Get hash	malicious	Browse
	RFQ 4917 21-006-AA.doc	Get hash	malicious	Browse
	Pump_Motor-TENDER SPECIFICATION.doc	Get hash	malicious	Browse
	Purchase Order_3006164.doc	Get hash	malicious	Browse
	FORM E.doc	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
mail.privateemail.com	01_Enquiry Form.doc	Get hash	malicious	Browse	198.54.122.60
	Quotation2001100200.PDF.exe	Get hash	malicious	Browse	198.54.122.60
	Tepic.exe	Get hash	malicious	Browse	198.54.122.60
	3.exe	Get hash	malicious	Browse	198.54.122.60
	New#PO23000.PDF.exe	Get hash	malicious	Browse	198.54.122.60
	l1I6IIUtw7.exe	Get hash	malicious	Browse	198.54.122.60
	dCaIlsd8Iu.exe	Get hash	malicious	Browse	198.54.122.60
	QzieSGrrIc.exe	Get hash	malicious	Browse	198.54.122.60
	6ptKQe0Bf8.exe	Get hash	malicious	Browse	198.54.122.60
	P.O.exe	Get hash	malicious	Browse	198.54.122.60
	POM-20120273.PDF.exe	Get hash	malicious	Browse	198.54.122.60
	Purchase_order_pdf.exe	Get hash	malicious	Browse	198.54.122.60
	purchase_order_pdf.exe	Get hash	malicious	Browse	198.54.122.60
	Purchase_order_pdf.exe	Get hash	malicious	Browse	198.54.122.60
	Order_BC012356PDF.exe	Get hash	malicious	Browse	198.54.122.60
	PAYMENT ADVICE.pdf.exe	Get hash	malicious	Browse	198.54.122.60
	RFQ 4917 21-006-AA.doc	Get hash	malicious	Browse	198.54.122.60
	Pump_Motor-TENDER SPECIFICATION.doc	Get hash	malicious	Browse	198.54.122.60
	Purchase Order_3006164.doc	Get hash	malicious	Browse	198.54.122.60
	FORM E.doc	Get hash	malicious	Browse	198.54.122.60

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NAMECHEAP-NETUS	Bank Details.xlsx	Get hash	malicious	Browse	198.54.117.212
	Import shipment.exe	Get hash	malicious	Browse	198.54.126.165
	01_Enquiry Form.doc	Get hash	malicious	Browse	198.54.122.60
	g2qwgG2xbe.exe	Get hash	malicious	Browse	198.54.126.105
	8Pd6TOKQOf.exe	Get hash	malicious	Browse	199.193.7.228
	Quotation2001100200.PDF.exe	Get hash	malicious	Browse	198.54.122.60
	remittance info.xlsx	Get hash	malicious	Browse	198.54.117.215
	SOA.exe	Get hash	malicious	Browse	162.0.229.227
	Swift002.exe	Get hash	malicious	Browse	198.54.117.211
	winlog.exe	Get hash	malicious	Browse	198.54.117.217
	2021-Quotation.xlsx	Get hash	malicious	Browse	199.193.7.228
	36ne6xnkop.exe	Get hash	malicious	Browse	198.54.126.105
	1ucvVfbHnD.exe	Get hash	malicious	Browse	198.54.126.105
	Dridex.xls	Get hash	malicious	Browse	198.54.114.131
	Remittance Advice (1).xls	Get hash	malicious	Browse	198.54.114.220
	Remittance Advice (1).xls	Get hash	malicious	Browse	198.54.114.220
	Remittance Advice (1).xls	Get hash	malicious	Browse	198.54.114.220
	giATspz5dw.exe	Get hash	malicious	Browse	104.219.248.15
	Tepic.exe	Get hash	malicious	Browse	198.54.122.60
	3.exe	Get hash	malicious	Browse	198.54.122.60

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Roaming\YoNupIfnI.exe	01_Enquiry Form.doc	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe.log Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp4A35.tmp Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1642
Entropy (8bit):	5.187435806426066
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBrItn:cbh47TlNQ//rydbz9I3YODOLNdq3xu
MD5:	BFBA4EA1C4D901B4B93119378A4E936E
SHA1:	2A298DF813823CF1913D40191A81C8E7E10B2C6C
SHA-256:	50923D1670374A75F814026B607FFD8E1DA5EF0D92B63335691CD1AACCA9F21F
SHA-512:	54E73206FDDF6647D43E6E1F597477601EA9231A4FA926BD00D7EDD85BC6B1FFED2417376B83FD0D9A499E0FA32D29F70F9E6ACA960BE53091C7C1533F231DD2
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\YoNupIfnI.exe Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	905216
Entropy (8bit):	7.702101602628262
Encrypted:	false
SSDEEP:	12288:jZOLC97rscaT4ytvT3aB1FK7CEfZgXRj9QAD1lCUUH0BgJxzKFMjvLe:jaksVMytjmFKWJjyAJUxU/UvLe
MD5:	9A8808E03B68E5C7A6B92389CF523684
SHA1:	A9156E69F05B27350444AA07228D4AA15799484C
SHA-256:	1CDB81091D98D217A4CDC8C570DF9178E797AF21A9D4B1BC39C49766322AE4BF
SHA-512:	E3262957BCB284C11E8B53E5D576591512782AE11F508A7B3ABA68DB3907FF9560206E07D55DF49A3A0D43631F83F65B62CF9ACA9DFE5BE50472D8FE8D04584E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 33%
Joe Sandbox View:	Filename: 01_Enquiry Form.doc, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z.s`..............P..J...........i... ........@.. .......................@............@.................................ti..O............................ ....................................................... ............... ..H............text....I... ...J.................. ..`.rsrc................L..............@..@.reloc....... ......................@..B.................i......H.......$}...v..........,...Hv...........................................0............(....( .........(.....o!.........................("......(#......($......(%......(&....N..(....o....('....&..((.....s)........s........s+........s,........s-............0...........~....o.....+...0...........~....o/....+...0...........~....o0....+...0...........~....o1....+...0...........~....o2....+...0..<........~.....(3.....,!r...p.....(4...o5...s6............~.....+...0......

C:\Users\user\AppData\Roaming\YoNupIfnI.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.702101602628262
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.Trojan.PackedNET.645.19369.exe
File size:	905216
MD5:	9a8808e03b68e5c7a6b92389cf523684
SHA1:	a9156e69f05b27350444aa07228d4aa15799484c
SHA256:	1cdb81091d98d217a4cdc8c570df9178e797af21a9d4b1bc39c49766322ae4bf
SHA512:	e3262957bcb284c11e8b53e5d576591512782ae11f508a7b3aba68db3907ff9560206e07d55df49a3a0d43631f83f65b62cf9aca9dfe5be50472d8fe8d04584e
SSDEEP:	12288:jZOLC97rscaT4ytvT3aB1FK7CEfZgXRj9QAD1lCUUH0BgJxzKFMjvLe:jaksVMytjmFKWJjyAJUxU/UvLe
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z.s`..............P..J...........i... ........@.. .......................@............@................................

File Icon


Icon Hash:	d28ab3b0e0ab96c4

Static PE Info

General
Entrypoint:	0x4b69c6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6073D57A [Mon Apr 12 05:07:06 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb6974	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb8000	0x2801c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb49cc	0xb4a00	False	0.954884839965	data	7.95185598846	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xb8000	0x2801c	0x28200	False	0.347345940421	data	5.34681505935	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe2000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xb8280	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON	0xc8aa8	0x94a8	data
RT_ICON	0xd1f50	0x5488	data
RT_ICON	0xd73d8	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON	0xdb600	0x25a8	data
RT_ICON	0xddba8	0x10a8	data
RT_ICON	0xdec50	0x988	data
RT_ICON	0xdf5d8	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xdfa40	0x76	data
RT_VERSION	0xdfab8	0x376	data
RT_MANIFEST	0xdfe30	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2012
Assembly Version	8.1.1.15
InternalName	AssemblyName.exe
FileVersion	8.1.1.14
CompanyName	Landskip Yard Care
LegalTrademarks	A++
Comments
ProductName	LevelActivator
ProductVersion	8.1.1.14
FileDescription	LevelActivator
OriginalFilename	AssemblyName.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 13:11:50.742096901 CEST	49710	587	192.168.2.3	198.54.122.60
Apr 12, 2021 13:11:50.936301947 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:50.936518908 CEST	49710	587	192.168.2.3	198.54.122.60
Apr 12, 2021 13:11:51.135938883 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:51.136396885 CEST	49710	587	192.168.2.3	198.54.122.60
Apr 12, 2021 13:11:51.332415104 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:51.332446098 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:51.332948923 CEST	49710	587	192.168.2.3	198.54.122.60
Apr 12, 2021 13:11:51.526618004 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:51.582125902 CEST	49710	587	192.168.2.3	198.54.122.60
Apr 12, 2021 13:11:51.610776901 CEST	49710	587	192.168.2.3	198.54.122.60
Apr 12, 2021 13:11:51.805519104 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:51.806893110 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:51.806910038 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:51.806927919 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:51.806946039 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:51.807065010 CEST	49710	587	192.168.2.3	198.54.122.60
Apr 12, 2021 13:11:51.807109118 CEST	49710	587	192.168.2.3	198.54.122.60
Apr 12, 2021 13:11:51.841373920 CEST	49710	587	192.168.2.3	198.54.122.60
Apr 12, 2021 13:11:52.037518024 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:52.037543058 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:52.097805023 CEST	49710	587	192.168.2.3	198.54.122.60
Apr 12, 2021 13:11:52.324698925 CEST	49710	587	192.168.2.3	198.54.122.60
Apr 12, 2021 13:11:52.520371914 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:52.520828009 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:52.523878098 CEST	49710	587	192.168.2.3	198.54.122.60
Apr 12, 2021 13:11:52.722922087 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:52.722948074 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:52.723623037 CEST	49710	587	192.168.2.3	198.54.122.60
Apr 12, 2021 13:11:52.917310953 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:52.919341087 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:52.920392036 CEST	49710	587	192.168.2.3	198.54.122.60
Apr 12, 2021 13:11:53.114203930 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:53.116560936 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:53.117043972 CEST	49710	587	192.168.2.3	198.54.122.60
Apr 12, 2021 13:11:53.310775042 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:53.340661049 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:53.341113091 CEST	49710	587	192.168.2.3	198.54.122.60
Apr 12, 2021 13:11:53.534807920 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:53.535516977 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:53.540888071 CEST	49710	587	192.168.2.3	198.54.122.60
Apr 12, 2021 13:11:53.541090012 CEST	49710	587	192.168.2.3	198.54.122.60
Apr 12, 2021 13:11:53.541202068 CEST	49710	587	192.168.2.3	198.54.122.60
Apr 12, 2021 13:11:53.541321993 CEST	49710	587	192.168.2.3	198.54.122.60
Apr 12, 2021 13:11:53.734632969 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:53.734662056 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:53.734821081 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:53.735452890 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:53.823827982 CEST	587	49710	198.54.122.60	192.168.2.3
Apr 12, 2021 13:11:53.879148960 CEST	49710	587	192.168.2.3	198.54.122.60

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 13:09:48.964338064 CEST	51904	53	192.168.2.3	8.8.8.8
Apr 12, 2021 13:09:49.023612022 CEST	53	51904	8.8.8.8	192.168.2.3
Apr 12, 2021 13:09:49.167671919 CEST	61328	53	192.168.2.3	8.8.8.8
Apr 12, 2021 13:09:49.216269016 CEST	53	61328	8.8.8.8	192.168.2.3
Apr 12, 2021 13:09:49.415568113 CEST	54130	53	192.168.2.3	8.8.8.8
Apr 12, 2021 13:09:49.466809034 CEST	53	54130	8.8.8.8	192.168.2.3
Apr 12, 2021 13:09:53.340708971 CEST	56961	53	192.168.2.3	8.8.8.8
Apr 12, 2021 13:09:53.402669907 CEST	53	56961	8.8.8.8	192.168.2.3
Apr 12, 2021 13:09:54.577980042 CEST	59353	53	192.168.2.3	8.8.8.8
Apr 12, 2021 13:09:54.629452944 CEST	53	59353	8.8.8.8	192.168.2.3
Apr 12, 2021 13:09:55.766333103 CEST	52238	53	192.168.2.3	8.8.8.8
Apr 12, 2021 13:09:55.814935923 CEST	53	52238	8.8.8.8	192.168.2.3
Apr 12, 2021 13:09:57.239907980 CEST	49873	53	192.168.2.3	8.8.8.8
Apr 12, 2021 13:09:57.290364981 CEST	53	49873	8.8.8.8	192.168.2.3
Apr 12, 2021 13:09:58.314894915 CEST	53196	53	192.168.2.3	8.8.8.8
Apr 12, 2021 13:09:58.371818066 CEST	53	53196	8.8.8.8	192.168.2.3
Apr 12, 2021 13:09:59.358244896 CEST	56777	53	192.168.2.3	8.8.8.8
Apr 12, 2021 13:10:00.370313883 CEST	56777	53	192.168.2.3	8.8.8.8
Apr 12, 2021 13:10:00.422017097 CEST	53	56777	8.8.8.8	192.168.2.3
Apr 12, 2021 13:10:01.323955059 CEST	58643	53	192.168.2.3	8.8.8.8
Apr 12, 2021 13:10:01.375555038 CEST	53	58643	8.8.8.8	192.168.2.3
Apr 12, 2021 13:10:02.585973978 CEST	60985	53	192.168.2.3	8.8.8.8
Apr 12, 2021 13:10:02.637609959 CEST	53	60985	8.8.8.8	192.168.2.3
Apr 12, 2021 13:10:03.666877985 CEST	50200	53	192.168.2.3	8.8.8.8
Apr 12, 2021 13:10:03.721204042 CEST	53	50200	8.8.8.8	192.168.2.3
Apr 12, 2021 13:10:04.818079948 CEST	51281	53	192.168.2.3	8.8.8.8
Apr 12, 2021 13:10:04.869364023 CEST	53	51281	8.8.8.8	192.168.2.3
Apr 12, 2021 13:10:05.722757101 CEST	49199	53	192.168.2.3	8.8.8.8
Apr 12, 2021 13:10:05.771492004 CEST	53	49199	8.8.8.8	192.168.2.3
Apr 12, 2021 13:10:06.696846962 CEST	50620	53	192.168.2.3	8.8.8.8
Apr 12, 2021 13:10:06.745531082 CEST	53	50620	8.8.8.8	192.168.2.3
Apr 12, 2021 13:10:07.795016050 CEST	64938	53	192.168.2.3	8.8.8.8
Apr 12, 2021 13:10:07.846544027 CEST	53	64938	8.8.8.8	192.168.2.3
Apr 12, 2021 13:10:09.025520086 CEST	60152	53	192.168.2.3	8.8.8.8
Apr 12, 2021 13:10:09.088735104 CEST	53	60152	8.8.8.8	192.168.2.3
Apr 12, 2021 13:10:10.127907038 CEST	57544	53	192.168.2.3	8.8.8.8
Apr 12, 2021 13:10:10.178265095 CEST	53	57544	8.8.8.8	192.168.2.3
Apr 12, 2021 13:10:11.705637932 CEST	55984	53	192.168.2.3	8.8.8.8
Apr 12, 2021 13:10:11.762789965 CEST	53	55984	8.8.8.8	192.168.2.3
Apr 12, 2021 13:10:14.528107882 CEST	64185	53	192.168.2.3	8.8.8.8
Apr 12, 2021 13:10:14.579634905 CEST	53	64185	8.8.8.8	192.168.2.3
Apr 12, 2021 13:10:15.478102922 CEST	65110	53	192.168.2.3	8.8.8.8
Apr 12, 2021 13:10:15.526719093 CEST	53	65110	8.8.8.8	192.168.2.3
Apr 12, 2021 13:10:18.285984993 CEST	58361	53	192.168.2.3	8.8.8.8
Apr 12, 2021 13:10:18.335320950 CEST	53	58361	8.8.8.8	192.168.2.3
Apr 12, 2021 13:10:23.788629055 CEST	63492	53	192.168.2.3	8.8.8.8
Apr 12, 2021 13:10:23.850790024 CEST	53	63492	8.8.8.8	192.168.2.3
Apr 12, 2021 13:10:49.670677900 CEST	60831	53	192.168.2.3	8.8.8.8
Apr 12, 2021 13:10:49.719584942 CEST	53	60831	8.8.8.8	192.168.2.3
Apr 12, 2021 13:11:50.586312056 CEST	60100	53	192.168.2.3	8.8.8.8
Apr 12, 2021 13:11:50.638806105 CEST	53	60100	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 12, 2021 13:11:50.586312056 CEST	192.168.2.3	8.8.8.8	0x6a1e	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 12, 2021 13:11:50.638806105 CEST	8.8.8.8	192.168.2.3	0x6a1e	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 12, 2021 13:11:51.135938883 CEST	587	49710	198.54.122.60	192.168.2.3	220 PrivateEmail.com prod Mail Node
Apr 12, 2021 13:11:51.136396885 CEST	49710	587	192.168.2.3	198.54.122.60	EHLO 760639
Apr 12, 2021 13:11:51.332446098 CEST	587	49710	198.54.122.60	192.168.2.3	250-mta-14.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Apr 12, 2021 13:11:51.332948923 CEST	49710	587	192.168.2.3	198.54.122.60	STARTTLS
Apr 12, 2021 13:11:51.526618004 CEST	587	49710	198.54.122.60	192.168.2.3	220 Ready to start TLS

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe PID: 5668 Parent PID: 5692

General

Start time:	13:09:56
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe'
Imagebase:	0x6b0000
File size:	905216 bytes
MD5 hash:	9A8808E03B68E5C7A6B92389CF523684
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.240720459.0000000002A31000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.244321688.0000000003B89000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 2392 Parent PID: 5668

General

Start time:	13:10:09
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YoNupIfnI' /XML 'C:\Users\user\AppData\Local\Temp\tmp4A35.tmp'
Imagebase:	0xec0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 1832 Parent PID: 2392

General

Start time:	13:10:09
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe PID: 2396 Parent PID: 5668

General

Start time:	13:10:09
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.645.19369.exe
Imagebase:	0x950000
File size:	905216 bytes
MD5 hash:	9A8808E03B68E5C7A6B92389CF523684
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.479609173.0000000002DA5000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.474023127.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.479122659.0000000002D41000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.479122659.0000000002D41000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.479367965.0000000002D79000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe PID: 5668 Parent PID: 5692 SecuriteInfo.com.Trojan.PackedNET.645.19369.exeCOMMON

Executed Functions

Function 04A65698, Relevance: 2.7, Strings: 2, Instructions: 205COMMON

Download Yara Rule

Strings

;[ , xrefs: 04A66A17
;[ , xrefs: 04A66A69

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID:
String ID: ;[ $;[
API String ID: 0-1726631585
Opcode ID: d88ae030e1770a1d8692107cb15042197f9c40af2bdce274f3d9bb8542097ed8
Instruction ID: d7eb69536c722ffb33c5034ab022789cf18d8b6577aba1eae9ef4f4ff28b52f0
Opcode Fuzzy Hash: d88ae030e1770a1d8692107cb15042197f9c40af2bdce274f3d9bb8542097ed8
Instruction Fuzzy Hash: 95815B70E04229CBDB24CF66D840BDDFBB6EF99300F14D5AAD40AA7244EB706A85CF14

Uniqueness

Uniqueness Score: -1.00%

Function 04A658F5, Relevance: 2.7, Strings: 2, Instructions: 156COMMON

Download Yara Rule

Strings

;[ , xrefs: 04A66A17
;[ , xrefs: 04A66A69

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID:
String ID: ;[ $;[
API String ID: 0-1726631585
Opcode ID: f13185abd91f20357c09514a809ca45b6a1df7e95278710a39340c95af73d55f
Instruction ID: 6d1ef52ae3cff72c147aad1e8c289d0bd36639b43ae9fab402898394d929e7b1
Opcode Fuzzy Hash: f13185abd91f20357c09514a809ca45b6a1df7e95278710a39340c95af73d55f
Instruction Fuzzy Hash: B06149B0E0022ADBDB64CF65D840BDDF7B2FB99300F10D5E6D50AA6640EB74AAC59F14

Uniqueness

Uniqueness Score: -1.00%

Function 04A65941, Relevance: 2.7, Strings: 2, Instructions: 156COMMON

Download Yara Rule

Strings

;[ , xrefs: 04A66A17
;[ , xrefs: 04A66A69

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID:
String ID: ;[ $;[
API String ID: 0-1726631585
Opcode ID: a92d3c1e68480b952401b38d2a74c6a3acd6aefa9126667f0e8803223007d56d
Instruction ID: 9b5095b4a83791b3870a26373c0cb553d9ff57a98358efbac22ee89e03bd3495
Opcode Fuzzy Hash: a92d3c1e68480b952401b38d2a74c6a3acd6aefa9126667f0e8803223007d56d
Instruction Fuzzy Hash: B06149B0E0022ADBDB24CF55D840BDDB7B2FB99300F10D9EAD00AA6640E770AAC59F14

Uniqueness

Uniqueness Score: -1.00%

Function 077554E0, Relevance: 2.6, Strings: 2, Instructions: 142COMMON

Download Yara Rule

Strings

|t|$, xrefs: 07755476
sBy}, xrefs: 07755434

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID: sBy}$|t|$
API String ID: 0-1930043790
Opcode ID: afc49c84748c7f5b868bfa10bfa688033a6a9b1dd59d760ac6d198713da76ad4
Instruction ID: 171ca560138c64fd41c240f51d0bd88b3c29c91db97808e213781043fe3256a5
Opcode Fuzzy Hash: afc49c84748c7f5b868bfa10bfa688033a6a9b1dd59d760ac6d198713da76ad4
Instruction Fuzzy Hash: 3C5109B4E142099FCB44CFA9C5815AEFBF2FB89350F20D4AAD818AB314D7749A518F51

Uniqueness

Uniqueness Score: -1.00%

Function 07756A1B, Relevance: 1.7, Strings: 1, Instructions: 413COMMON

Download Yara Rule

Strings

A^dl, xrefs: 07756B78

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID: A^dl
API String ID: 0-559636526
Opcode ID: a5adb966221999299a277fe8c4dfc46d96da37cfc1d25c3aa89af9b7535c1d07
Instruction ID: 96ef6554c7c2c1f714b828f707da49ea7839632caaacec0890e5b3277fa877af
Opcode Fuzzy Hash: a5adb966221999299a277fe8c4dfc46d96da37cfc1d25c3aa89af9b7535c1d07
Instruction Fuzzy Hash: 9DF1ABB1D1020ADBCB04CFA5D4414EEFBB6FF4A7A0FA4C466D811AB255D774AA42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04A64218, Relevance: 1.6, Strings: 1, Instructions: 320COMMON

Download Yara Rule

Strings

6Na, xrefs: 04A642F4

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID:
String ID: 6Na
API String ID: 0-1938545030
Opcode ID: 8e5f82acdb1b32d13b1f23a7419ae13b86b57fc17c812b507742a8d17c4a8bf3
Instruction ID: c1e70f036254b88a62af2a5892ca22d4d94f49262cc7d28751daf7f16425b1e9
Opcode Fuzzy Hash: 8e5f82acdb1b32d13b1f23a7419ae13b86b57fc17c812b507742a8d17c4a8bf3
Instruction Fuzzy Hash: 9BD1E274E052089FDB54CFA4D945A9DBBB6EF8D300F209529E40ABB394DB74A941CF28

Uniqueness

Uniqueness Score: -1.00%

Function 04A64228, Relevance: 1.6, Strings: 1, Instructions: 315COMMON

Download Yara Rule

Strings

6Na, xrefs: 04A642F4

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID:
String ID: 6Na
API String ID: 0-1938545030
Opcode ID: 2257d4f247fa9a1acaa6c44d75c57a7faf903abbab3d1d6123856861e85a8a1a
Instruction ID: 157af447744658d154c114f22917048d12c97f66b765fce80355c00492af990b
Opcode Fuzzy Hash: 2257d4f247fa9a1acaa6c44d75c57a7faf903abbab3d1d6123856861e85a8a1a
Instruction Fuzzy Hash: 78D10374E052089FDB54CFA4D945A9DBBB6FF8D300F209529E40ABB294DB74A941CF28

Uniqueness

Uniqueness Score: -1.00%

Function 07753BBC, Relevance: 1.6, APIs: 1, Instructions: 58nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 0775E097

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 4d562b6bab60eb8764afff71b5fd5bb5c50a116c4564b0d883ba753e0ee141e1
Instruction ID: 6348213bae9619efb4c2159e0cc6fe0ad387074b12a4c6344c03b33139e68ebf
Opcode Fuzzy Hash: 4d562b6bab60eb8764afff71b5fd5bb5c50a116c4564b0d883ba753e0ee141e1
Instruction Fuzzy Hash: 8521E2B5900749DFCB10CF9AD884ADEBBF4FB48310F50842AE919AB200D375AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07756AF7, Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

A^dl, xrefs: 07756B78

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID: A^dl
API String ID: 0-559636526
Opcode ID: 14955b29e227de23997c161e9146c016500f175b36e86637b51d54dad565bb57
Instruction ID: ad181159ac61c74c4bf1eeabcd2b271550cd3f2b2c56875a3ca87c8bc7c4b7d0
Opcode Fuzzy Hash: 14955b29e227de23997c161e9146c016500f175b36e86637b51d54dad565bb57
Instruction Fuzzy Hash: 33D16CB0D1420ADFCB04CFA5C4858AEFBB6FF8A380F64C565D815AB255D774A942CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07756B20, Relevance: 1.5, Strings: 1, Instructions: 284COMMON

Download Yara Rule

Strings

A^dl, xrefs: 07756B78

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID: A^dl
API String ID: 0-559636526
Opcode ID: b0de16371f18f8586fdfe2bca3c985379ae9b8596c976538bedb1b4d4c53f0ac
Instruction ID: 85bf1b1dfc02fc5ada883f26097e4cc539f856dcd762b6611325dfea8867a4a0
Opcode Fuzzy Hash: b0de16371f18f8586fdfe2bca3c985379ae9b8596c976538bedb1b4d4c53f0ac
Instruction Fuzzy Hash: 8EC13AB0D1120ADFCB04CF99C4858AEFBB6FF8A390F64C565D816AB254D774A942CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04A60260, Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

G!b, xrefs: 04A6031F

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID:
String ID: G!b
API String ID: 0-1197177777
Opcode ID: 2d6d41bf5a0009d44752770e77dab6a82c92a688825dd5ad0cdfd7de6d3b73f1
Instruction ID: 539263184c914c389bd0e2d6f7c4fe132dd7b46cae459e868e5926fc04526658
Opcode Fuzzy Hash: 2d6d41bf5a0009d44752770e77dab6a82c92a688825dd5ad0cdfd7de6d3b73f1
Instruction Fuzzy Hash: 6CB13874E092198FCB44CFE9C9445DEFBF2BF89310F24C565D406BB218E774A9828B64

Uniqueness

Uniqueness Score: -1.00%

Function 04A60250, Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

G!b, xrefs: 04A6031F

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID:
String ID: G!b
API String ID: 0-1197177777
Opcode ID: 6947fff6419a3df24752175f0b98be8fda8fc71317953a49671d3597d41c6646
Instruction ID: 35e3d3d094fcff716b8b7a2738595eee942e6d2ba721e6e9250320493343ffd9
Opcode Fuzzy Hash: 6947fff6419a3df24752175f0b98be8fda8fc71317953a49671d3597d41c6646
Instruction Fuzzy Hash: D9B13774E092198FCB44CFE9C5445DEFBF2BF89310F24C566D406EB259E734A9828B64

Uniqueness

Uniqueness Score: -1.00%

Function 0775F008, Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

7][u, xrefs: 0775F137

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID: 7][u
API String ID: 0-1375511499
Opcode ID: d5116bfbb09bd645a1ea93ef06ebab0f5b7aabd5da2298dbca16bc8bfc17956d
Instruction ID: c5a40960ea23787863261e8107ff4eb6706a0dbee79a9b266f0286c8b011cd62
Opcode Fuzzy Hash: d5116bfbb09bd645a1ea93ef06ebab0f5b7aabd5da2298dbca16bc8bfc17956d
Instruction Fuzzy Hash: 58A149B0E15319CFDB14DFA4D984AACBBB2FF49340F149529E80ABB294DBB45941CF24

Uniqueness

Uniqueness Score: -1.00%

Function 04A63AE9, Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

) ,+, xrefs: 04A63C9C

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID:
String ID: ) ,+
API String ID: 0-1371466662
Opcode ID: e577081d85a00a4a29110083a65582a9dbff7c75d75d455c71e434ea1cdda7f8
Instruction ID: 7d810536e1dcba63b6334645323aecbb425befcf841a4af5ba2442187674352b
Opcode Fuzzy Hash: e577081d85a00a4a29110083a65582a9dbff7c75d75d455c71e434ea1cdda7f8
Instruction Fuzzy Hash: 98513970E162189FCF48CFA5D9455DDBBF6FF8D310F14A42AD806B7254EB3899128B28

Uniqueness

Uniqueness Score: -1.00%

Function 04A63AF8, Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

) ,+, xrefs: 04A63C9C

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID:
String ID: ) ,+
API String ID: 0-1371466662
Opcode ID: ff287a3775c8901c39605e6b387d1558bbb19c09b19bea33669cff32e1d3b2db
Instruction ID: 43ad41038153887271c53af73d78de442f29c5587d94f9a648b5744af309b367
Opcode Fuzzy Hash: ff287a3775c8901c39605e6b387d1558bbb19c09b19bea33669cff32e1d3b2db
Instruction Fuzzy Hash: 96514A70E162189BCF48CFA5D9455DEFBF6FF8D310F14A42AD406B7254EB34A9128B28

Uniqueness

Uniqueness Score: -1.00%

Function 0775492F, Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2926ebc4a8ca093ec76b3009f93060c1760bbdc536af1cae4578b83acac5e5c9
Instruction ID: 0c63a791e609d95dda3a6532a4407f470f6a113c7d49c42b5e23445492f0029c
Opcode Fuzzy Hash: 2926ebc4a8ca093ec76b3009f93060c1760bbdc536af1cae4578b83acac5e5c9
Instruction Fuzzy Hash: B7B1C0B5E0028A8FCF14CFA5D841AEDBBF1FF89350F10842AD955AB255E7709982CF91

Uniqueness

Uniqueness Score: -1.00%

Function 077521A8, Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 820d58c5df7ff11670dcd6daa94e26e7f283d69e6eaa1e7ec7082dad6d74f099
Instruction ID: 3a6813cdad9c1cf49d1332eacb2c0b565bd217f27833bab31f1a658eb31f2683
Opcode Fuzzy Hash: 820d58c5df7ff11670dcd6daa94e26e7f283d69e6eaa1e7ec7082dad6d74f099
Instruction Fuzzy Hash: C2A105F4E042498BDB04DFE9C4486AEBBF6BF49384F14C529D818AB246DBB49942CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07751DD8, Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3039133ea13aad97b337723589eab167f92b406627b6283864a5ab172b1c16c1
Instruction ID: 08db886ff9297f42c7a85a7f46e5a193fdc5a9d7849557ffb72adeaecdcd69bc
Opcode Fuzzy Hash: 3039133ea13aad97b337723589eab167f92b406627b6283864a5ab172b1c16c1
Instruction Fuzzy Hash: E5A126B5E0025C8FDF14DFA5C8447DEBBB2BF8A345F5484A9C908AB244EBB05985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04A647A8, Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 628e64285be260f3215ffb2f2f0a808312f612fa91c951c431cd6a464af89848
Instruction ID: a61956d3d7e7448b51d721afdd383d743a709f834386750ebf7d0d215de6655b
Opcode Fuzzy Hash: 628e64285be260f3215ffb2f2f0a808312f612fa91c951c431cd6a464af89848
Instruction Fuzzy Hash: 19A135B4E01249DFDB54DFE5D8446AEBBB2FF89300F20846AD81AAB354EB345912CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0775219A, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c94f242289011452a190d8c29cb1be4fa66cfbccb71703c38082bba8b71231
Instruction ID: 6833ed529ef0ae5e460dfd04fcaf01600cda2463247e287995fb14d6c168394a
Opcode Fuzzy Hash: 73c94f242289011452a190d8c29cb1be4fa66cfbccb71703c38082bba8b71231
Instruction Fuzzy Hash: 748116B4E002498FDB04DFE9C5486EEBBF2BB49344F14C429D818AB346EBB49946CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07751DCA, Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7d2ad1f98c1ba69f1eada6a567c4b688891f174150f6247ef102a60d1183e98
Instruction ID: bc70ddc2f1f0d08ac722409afb14c5539bf0c78f60fb1c09a92210372e667100
Opcode Fuzzy Hash: c7d2ad1f98c1ba69f1eada6a567c4b688891f174150f6247ef102a60d1183e98
Instruction Fuzzy Hash: 3E9127B4E0025CCFDB14DFA9C8447EEBBB2BF89345F5484A9C908A7245EBB05985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 077549B7, Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f66c8e605ee255a764a888e7528aa8b13c722461fa78eab079714f5842ecd7
Instruction ID: eb48420c5a93ff6958b1af6329d9e64bb04d4f2a86df2f3858af27a43f44b566
Opcode Fuzzy Hash: f6f66c8e605ee255a764a888e7528aa8b13c722461fa78eab079714f5842ecd7
Instruction Fuzzy Hash: 729137B4E112498FCB08CFE9C845AEEBBB2FF89300F14842AD915AB354E7749945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 07752180, Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b1382ed0427e0e6850f98555dc58ceebe03fb6efb4dda50cbaefbc40ae20d39
Instruction ID: 72d0d68a5a581c887bd8c3de8fcd89c6e814bfef49e6a56f1d238c348aa5248a
Opcode Fuzzy Hash: 1b1382ed0427e0e6850f98555dc58ceebe03fb6efb4dda50cbaefbc40ae20d39
Instruction Fuzzy Hash: DB8116F4E042498FDB04DFE9C5486ADBBF2BB49384F14C529D818AB246EBB49942CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04A670AA, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebec623b2f5c5c7c2766daa91f254759a441120e06937949939f9aa46b376903
Instruction ID: 4d1a87a4c1381802ef1c24ded016da62903b63e309a87f76ea54260846961b84
Opcode Fuzzy Hash: ebec623b2f5c5c7c2766daa91f254759a441120e06937949939f9aa46b376903
Instruction Fuzzy Hash: 18814C78E29209DFDB14CFE5D5805EDFBB2FF89314F14A42AE416AB218E334A8419F15

Uniqueness

Uniqueness Score: -1.00%

Function 077549E8, Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec74311eb0906ba80ad5bb375e133c22cdaed87fbf45acf8f52539db9e67c76
Instruction ID: 7e912b37223a74685c59658c6d6e60d5bdb2f82d4a3c04dbf72e80c58c1c6c53
Opcode Fuzzy Hash: dec74311eb0906ba80ad5bb375e133c22cdaed87fbf45acf8f52539db9e67c76
Instruction Fuzzy Hash: 2181D374E112498FCB48CFE9C884AAEFBB2FF89310F14842AD919AB354E7749945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04A64852, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f1a2fc392020f33bffd7814b4548bda1effecc660145ad94b6f70903be636a2
Instruction ID: c8e11b8e7f2321ac67bc32f898a598095a5fc3d455963abf7a36485c1341c31d
Opcode Fuzzy Hash: 5f1a2fc392020f33bffd7814b4548bda1effecc660145ad94b6f70903be636a2
Instruction Fuzzy Hash: 1F8128B4E01249DFDB54DFE5D8445AEBBB2FF89300F20842AD81AAB358EB345912CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04A60778, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d7de2e98e955fa9f8288b9a4514c76edb45adc8a8144f6ebb9de6cecc75dd2b
Instruction ID: f1fd7ab1ee2ddafdb71979e55ba081ed674e8901f468a3ebee0d804e134fda6c
Opcode Fuzzy Hash: 6d7de2e98e955fa9f8288b9a4514c76edb45adc8a8144f6ebb9de6cecc75dd2b
Instruction Fuzzy Hash: AD713A70E0520A8FCB04CFE9C4855AEFBF6FB88310F14D826D516A7255E774AA818FA0

Uniqueness

Uniqueness Score: -1.00%

Function 04A60772, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fc6ecca5ea64128daa6730c8b7b5ecba4ee0f42e02b8cf3f02b84388c228b33
Instruction ID: edfac442d92e8aca979f2dbe51e7aa15d6da0e2f4e61f77a63a20c3f1dd078ca
Opcode Fuzzy Hash: 3fc6ecca5ea64128daa6730c8b7b5ecba4ee0f42e02b8cf3f02b84388c228b33
Instruction Fuzzy Hash: 7C714A74E0520A8FCB04CFA9C4855AEFBF2FF88350F14D826D416A7255E774AA818FA0

Uniqueness

Uniqueness Score: -1.00%

Function 04A64860, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ede9443f1be7b84216bf100b28c97282e0bbb25bc9946045047eab7cf01f1d4
Instruction ID: 89d955eaca47220df386f8314b261e48aeb7da04e0226bfe9fdfb43d4d10bf69
Opcode Fuzzy Hash: 3ede9443f1be7b84216bf100b28c97282e0bbb25bc9946045047eab7cf01f1d4
Instruction Fuzzy Hash: 947108B4E01209DFDB54DFE5D8455AEBBB2FF89300F20842AD81AAB358DB345902CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0775C6D8, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1baa5dc916deed636b6631d1c6b5e3b5765e48dbc646d16249479a45e015f95c
Instruction ID: 2d672a8d6dd53173f0e1a73e75aecf962797cbb78fcf5e64bb767f6236da12a8
Opcode Fuzzy Hash: 1baa5dc916deed636b6631d1c6b5e3b5765e48dbc646d16249479a45e015f95c
Instruction Fuzzy Hash: 4C7123B4D1130ADFCB54CFA5D5846ADBBB2FF89340F20842AE816AB354DB745A42CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07755142, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cadf1dc893422d89d638ead0b9ea5d2ceb8b2032c1798544f28d96f6e18dfa97
Instruction ID: 2c1b27748c188bb133383cde5286c20f41ccd8fb1ed378036786ffa5dda3ac0a
Opcode Fuzzy Hash: cadf1dc893422d89d638ead0b9ea5d2ceb8b2032c1798544f28d96f6e18dfa97
Instruction Fuzzy Hash: B9513CB4E1520A8FDB08CFA6C4405AEFBF3FF89350F14C46AD819A7254D7748A528FA4

Uniqueness

Uniqueness Score: -1.00%

Function 07755150, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 266bce15163a9faeb909efed1b64476b7dd28133673c16f131f494cb4dbb05a9
Instruction ID: 5afebea95e474d30801c3a6185e4cd8155fd2ddb07c29023946e9c15b1c2eef8
Opcode Fuzzy Hash: 266bce15163a9faeb909efed1b64476b7dd28133673c16f131f494cb4dbb05a9
Instruction Fuzzy Hash: 80513DB4E1520A8FDB04CFA6C4415AEFBF3FF89350F14D42AD819A7254D7744A528FA4

Uniqueness

Uniqueness Score: -1.00%

Function 07755102, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9242ee7783dc746379d48bda8119318c79fb91930a9cd695074f0e51611572ba
Instruction ID: 2b23cb5b2d30b891448f7ff35973523a138fb8a97bddb56b94d9d0ac19729ec9
Opcode Fuzzy Hash: 9242ee7783dc746379d48bda8119318c79fb91930a9cd695074f0e51611572ba
Instruction Fuzzy Hash: 9D514EB0E1520ADFCB04CFA6C4405AEFBF3EF89250F14C46AD816A7354D7748A528FA4

Uniqueness

Uniqueness Score: -1.00%

Function 04A68680, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dacbb43f5e150094f207168156b6b36ba1911e8562e16ddd1cc1de83fd39618a
Instruction ID: d2a6a5e9760a20017d551cb65d6ca0d83ced6c06783b168252cafc1643580b9b
Opcode Fuzzy Hash: dacbb43f5e150094f207168156b6b36ba1911e8562e16ddd1cc1de83fd39618a
Instruction Fuzzy Hash: 3C3127B0D06218DFDB10EFA6D848BEDBBF9BF0A341F149429E406B3250E7786945DB54

Uniqueness

Uniqueness Score: -1.00%

Function 04A68673, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe36a35c79401784dfe0d301d98f18ee837c8a6a5fa2479de2bec684357a7c6b
Instruction ID: c2af2026ef6f2f5d41bf7a89d2097dde27311e47783fbc6bffceab5f326e677d
Opcode Fuzzy Hash: fe36a35c79401784dfe0d301d98f18ee837c8a6a5fa2479de2bec684357a7c6b
Instruction Fuzzy Hash: 903166B4D06218DFDB10EFA6D988BEDBBF9EB0A301F048429E002B3280D7789945DF14

Uniqueness

Uniqueness Score: -1.00%

Function 07755BD0, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3292c5212d626ee723d131958632bd7deccb622f13a292eb5e5245e6f91b2df
Instruction ID: 258230585498ad4b267435bb425e8fbf5b1aaebac225884a5a72cbef2490a526
Opcode Fuzzy Hash: d3292c5212d626ee723d131958632bd7deccb622f13a292eb5e5245e6f91b2df
Instruction Fuzzy Hash: 4031C7B1E016198BDB18CFABD8442DEFBF7AFC9310F14C16AD809AA254DB341A56CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07755BC2, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e74189da3290f857fe39c089f2583ce8b94a635764f1495ff5cd7c4a4291d4
Instruction ID: 8abad9ba93f3889719273b66d78267276b4ed5b6dbd291aa6965bc5040b55c5f
Opcode Fuzzy Hash: 63e74189da3290f857fe39c089f2583ce8b94a635764f1495ff5cd7c4a4291d4
Instruction Fuzzy Hash: 4631DEB1E016198BDB18CFABC9442DEFBF3AFC9300F18C06AD409A6254DB741945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04A62448, Relevance: 3.1, APIs: 2, Instructions: 98injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04A623F0
ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04A624D0

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID: MemoryProcess$ReadWrite
String ID:
API String ID: 3589323503-0
Opcode ID: 46d701b758fd34ac58aa341a2d896d008800858b92e267d5e0c58e434f6e95db
Instruction ID: c919651b796ecb96fcbb036d86e120f7d0040ae52d3ed067abe00d0aa554ffd2
Opcode Fuzzy Hash: 46d701b758fd34ac58aa341a2d896d008800858b92e267d5e0c58e434f6e95db
Instruction Fuzzy Hash: 814187729002098FDF10DFA9C8447EEBBF1FF48314F10842AE959A7640C778A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04A625E8, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04A6281E

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: af18998e9d3cafa8df7f70ab1b7daee9b23d607517942ca21317162bc13c8da7
Instruction ID: af3d0a092d14dda6e92031b6859ba3e0e4982e47dba89b8bb7578d317dd57c5e
Opcode Fuzzy Hash: af18998e9d3cafa8df7f70ab1b7daee9b23d607517942ca21317162bc13c8da7
Instruction Fuzzy Hash: EA913D72D002199FEB10DFA9CC40BDDBBB2BF48314F1485A9D859A7240DB749995CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0288BBC8, Relevance: 1.7, APIs: 1, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.239486016.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 51a4c93dc373eb5ce370e263abd4bd349a3edd7b57e93f33beb14780bc5d7d0d
Instruction ID: cf2499922e221292652e0cd731b29aaa5a3fcccc8d04f5dd4594169b000c2978
Opcode Fuzzy Hash: 51a4c93dc373eb5ce370e263abd4bd349a3edd7b57e93f33beb14780bc5d7d0d
Instruction Fuzzy Hash: 2B712678A00B058FD724EF2AC44075AB7F2FF88308F00892DD55ADBA50DB75E90A8F91

Uniqueness

Uniqueness Score: -1.00%

Function 0288B1EA, Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0288DD8A

Memory Dump Source

Source File: 00000000.00000002.239486016.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f63f5055a8df5ca7c6fede2d9a4460341b9ea5b87b6f3f4717b1978b9e258512
Instruction ID: 394b6f5e20a0f5a2b2b940ee019425bfa88b3505dec40a599a206dc1c2f5b827
Opcode Fuzzy Hash: f63f5055a8df5ca7c6fede2d9a4460341b9ea5b87b6f3f4717b1978b9e258512
Instruction Fuzzy Hash: A651EEB5D10309DFDB14DFA9C980ADEBBB1BF48314F24812AE919AB250D770A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0288DC6D, Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0288DD8A

Memory Dump Source

Source File: 00000000.00000002.239486016.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9618a4f601b553c61f1f2e66cea590f0e84c3d9ef9071ae58503bbce8761d183
Instruction ID: c5806408cdea73a1cb1252ac08389a8443bc3d93742a0547b752c54e8fc50ac8
Opcode Fuzzy Hash: 9618a4f601b553c61f1f2e66cea590f0e84c3d9ef9071ae58503bbce8761d183
Instruction Fuzzy Hash: 4951D0B5D103089FDB14DFA9C984ADEBBB1BF48314F24812AE819AB250D774A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0288B1EC, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0288DD8A

Memory Dump Source

Source File: 00000000.00000002.239486016.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8368cf23fa5dccb4870f1b3fe756d872e666e5bf6ab0e4f2e35b95b986b254f5
Instruction ID: 168e5d6a82e94cb3532f77b2588f43723d237d519ce2263c6b8eff4b7e1406ef
Opcode Fuzzy Hash: 8368cf23fa5dccb4870f1b3fe756d872e666e5bf6ab0e4f2e35b95b986b254f5
Instruction Fuzzy Hash: 5651E0B5D10308DFDF14DFA9C984ADEBBB1BF48314F24812AE919AB250D770A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02886D51, Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02886D8E,?,?,?,?,?), ref: 02886E4F

Memory Dump Source

Source File: 00000000.00000002.239486016.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 607b9a60d095478803dc03eec1e703c8cfb9e51f43ec365126869436ddab9944
Instruction ID: 2d444f814eb4d5989070ff6a07f522adb05acfa14f6d745407b4c58c7594b8f7
Opcode Fuzzy Hash: 607b9a60d095478803dc03eec1e703c8cfb9e51f43ec365126869436ddab9944
Instruction Fuzzy Hash: 44414A7A900218AFDB01DF99D884AEEBFF5FB48310F15801AEA18E7310D7359915CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04A60007, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 04A600B0

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 4d660a3535e162a9f687bfb20843d16296a487531baa303d9096b234f84d963f
Instruction ID: f2b984838c060c19552fa1a4df74029ee1408debfb387b4c514dc7969d94b0f7
Opcode Fuzzy Hash: 4d660a3535e162a9f687bfb20843d16296a487531baa303d9096b234f84d963f
Instruction Fuzzy Hash: 0521ABB1C087898FCB11CFA9D8446DEFFB4BF0A314F09819AD455A7682D7346945CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 04A62358, Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04A623F0

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d3f2a5fc729360d2ee7627d8622021775fb3c4041f85b6a1f44970c42ff46fd6
Instruction ID: 9d6d661caf169c566d24a9a2b88a3a39a84382e1d44af210dde6d497394edd77
Opcode Fuzzy Hash: d3f2a5fc729360d2ee7627d8622021775fb3c4041f85b6a1f44970c42ff46fd6
Instruction Fuzzy Hash: 642137719003499FCB10DFA9D884BDEBBF5FF48314F10842AE969A7240C7789945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04A62360, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04A623F0

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 57dc23e4ab9e0105eb294e1927c0e158ac625111cfd006272c82a234953cb378
Instruction ID: 510c5bb7350276e1f0ee35dcd9afdae50e479520bb5ff6cc433f988e5b1d41f0
Opcode Fuzzy Hash: 57dc23e4ab9e0105eb294e1927c0e158ac625111cfd006272c82a234953cb378
Instruction Fuzzy Hash: AE2115729003499FCB10DFA9C884BDEBBF5FF48314F10842AE919A7240D778A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02886DC0, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02886D8E,?,?,?,?,?), ref: 02886E4F

Memory Dump Source

Source File: 00000000.00000002.239486016.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 904ec4bffcb373085638e940fefe818b8ab4bbde4aaf962460c03b414d39930c
Instruction ID: 8a38866b6a4056cdf45aaa4dd5abde0814c172e29061bd6256ad57c1ee0435da
Opcode Fuzzy Hash: 904ec4bffcb373085638e940fefe818b8ab4bbde4aaf962460c03b414d39930c
Instruction Fuzzy Hash: 7121E4B59002089FDB10CFA9D984ADEFBF4FF48324F15801AE919A7310D374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02885C6C, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02886D8E,?,?,?,?,?), ref: 02886E4F

Memory Dump Source

Source File: 00000000.00000002.239486016.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f1864e87f14f9797fb4439b79c5a1a51264c05ded3f555e391557e3bf27ddf62
Instruction ID: 5b5f852cdb70259955ed8f1d5ebfc8af239ac65d4a5be10fe62e0d94221d6a25
Opcode Fuzzy Hash: f1864e87f14f9797fb4439b79c5a1a51264c05ded3f555e391557e3bf27ddf62
Instruction Fuzzy Hash: EA21E4B59002589FDB10CF9AD984AEEBBF8FB48324F14801AE919A7310D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04A62450, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04A624D0

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 15b59315d97c0609c8ac6b8dc21e7cc3b6accf681e7a5bdc1765bf8b302ab27d
Instruction ID: cfcdd77432c9b12a2da33edd320e543a01745436c6509f606855032a09257904
Opcode Fuzzy Hash: 15b59315d97c0609c8ac6b8dc21e7cc3b6accf681e7a5bdc1765bf8b302ab27d
Instruction Fuzzy Hash: 64211671D002499FDB10DFA9C884BEEBBF5FF48314F10842AE959A7640D734A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04A621C8, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 04A62246

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 83097ec5ac4917ec0e82795f3c2328cc7dab51e8edfef44255d8f8e0dd02f0dc
Instruction ID: 77b7e7fa10e31a98844792c741c34e6d470a062566264b5cca47f321998d0250
Opcode Fuzzy Hash: 83097ec5ac4917ec0e82795f3c2328cc7dab51e8edfef44255d8f8e0dd02f0dc
Instruction Fuzzy Hash: 6F213B71D103098FDB10DFAAC8847EEBBF4EF48314F14842AD559A7640DB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0288B0B0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0288BE89,00000800,00000000,00000000), ref: 0288C09A

Memory Dump Source

Source File: 00000000.00000002.239486016.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4c9d7c5cf62817325f4af6ae35434636624cecc622af74150bcd61e688a3762b
Instruction ID: c3c8de6c8b2ae8fa799601d7dc5299a6778761069175a18b6e44ead4d98958eb
Opcode Fuzzy Hash: 4c9d7c5cf62817325f4af6ae35434636624cecc622af74150bcd61e688a3762b
Instruction Fuzzy Hash: 3C1114BAD002098FDB14DF9AD444BDEFBF4EB48354F10842AE919B7600C375A949CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04A62298, Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04A6230E

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: dfaeaf3ac2e2b965250df8aeb775b9b5faa57b55aa3131d6157cf48309ab9ce8
Instruction ID: 02ba6ca40035dce8fdf2955d15c5b95b330ad099443cbf571d9f6e09242d0646
Opcode Fuzzy Hash: dfaeaf3ac2e2b965250df8aeb775b9b5faa57b55aa3131d6157cf48309ab9ce8
Instruction Fuzzy Hash: 7C1156729002499FCF10DFA9D844BEEBBF5AF88324F14881AE526A7200C735A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0775C5D0, Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0775C643

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c8cda8fd2aa61da1c08f46e8788778c427607b14b316d77bdca7480bf3f433bb
Instruction ID: bf0a679841a62e0301a59505c0814a75199411fa7e48d6d999cc678c69b10733
Opcode Fuzzy Hash: c8cda8fd2aa61da1c08f46e8788778c427607b14b316d77bdca7480bf3f433bb
Instruction Fuzzy Hash: 1321E7B5D006499FCB10CF9AC984BDEFBF4FB48324F108429E959A7240D774AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0288C028, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0288BE89,00000800,00000000,00000000), ref: 0288C09A

Memory Dump Source

Source File: 00000000.00000002.239486016.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8eef81ee818d10eff8d9358ac067be0bf4cc0993c74da2d48e277dc82b6863f4
Instruction ID: f5cc7c2af0e834bad96c3ddb64f10650005e67c49c09a27a4149db5a0a6fbfc3
Opcode Fuzzy Hash: 8eef81ee818d10eff8d9358ac067be0bf4cc0993c74da2d48e277dc82b6863f4
Instruction Fuzzy Hash: 2B1144B6D002098FDB10DF9AD484BDEFBF4EB48314F10851AD919A7600C375A94ACFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04A622A0, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04A6230E

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 45b0314f1adce69ef2dc53acbd6958bc304ca38b6950e96842ea7e86e537bc66
Instruction ID: 30b99e2e50e5589d59c6529b4e916cdfa0e835a01666a571f02dc073de232693
Opcode Fuzzy Hash: 45b0314f1adce69ef2dc53acbd6958bc304ca38b6950e96842ea7e86e537bc66
Instruction Fuzzy Hash: 5A1137729002489FCF10DFA9C844BDFBBF5EF48324F148819E926A7250C775A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0288B05C, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0288BBDB), ref: 0288BE0E

Memory Dump Source

Source File: 00000000.00000002.239486016.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 759f3514f890f32f69f382a92b52ea2cbebd35a0d15d852f883339bc8ef29bd1
Instruction ID: 6ba5913807df2503f3d3ce4fbdcda2c4326c7b2b260d4e440cf4170fa9f3e7a2
Opcode Fuzzy Hash: 759f3514f890f32f69f382a92b52ea2cbebd35a0d15d852f883339bc8ef29bd1
Instruction Fuzzy Hash: 9C1104BAD006498FDB10DF9AC544BDEFBF4EF88218F10841AD919A7600D374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04A60040, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 04A600B0

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 3c13012cf4f58e01ee28286da4816c0e7242e8d84898c0d124ced84563ee5c0b
Instruction ID: d1f5c2470404a3da731b9e48c8a4b4936cba8b3ca96d053a04bad96d43fe449e
Opcode Fuzzy Hash: 3c13012cf4f58e01ee28286da4816c0e7242e8d84898c0d124ced84563ee5c0b
Instruction Fuzzy Hash: 2D1132B1D046199FDB10CF9AD984BDEFBF4FB48324F01811AD819A7600D774AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04A62118, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 04A6217A

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 81d91dc2504ea7e6ecc720c24bee934729aa24dc74b30667d1975ef72bf902e6
Instruction ID: 598aa114e45bcb8657b5a1a5431a9dd83ad217ed2bda3865eb2ea80c26ed08fb
Opcode Fuzzy Hash: 81d91dc2504ea7e6ecc720c24bee934729aa24dc74b30667d1975ef72bf902e6
Instruction Fuzzy Hash: F7112871D043488BDB10DFAAC8447DEBBF5AB88324F148419D51AA7640CB74A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04A62116, Relevance: 1.5, APIs: 1, Instructions: 48threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 04A6217A

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 13aa84b40b9ccd4d3b95f5d057715e3e7c85ea7acb4c0c71e5380b3bfe46e6f0
Instruction ID: bf3bb792bbf1912c7b0ad6d36356d60691986220ff8b113dcf522fb4e881fc19
Opcode Fuzzy Hash: 13aa84b40b9ccd4d3b95f5d057715e3e7c85ea7acb4c0c71e5380b3bfe46e6f0
Instruction Fuzzy Hash: 241136B1D142488FDB10DFA9C9447EFBBF5AF88324F14881AD51AA7640CB74A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0288B224, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0288DEA8,?,?,?,?), ref: 0288DF1D

Memory Dump Source

Source File: 00000000.00000002.239486016.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: e06bc70af9aa5feb1f9a4872801daa60cda534fbddce385f2b87508726608e89
Instruction ID: 53b213e01b391e0e1b4ea02aa292ca0495adbb7c5f86e0f7b412e5abc0471218
Opcode Fuzzy Hash: e06bc70af9aa5feb1f9a4872801daa60cda534fbddce385f2b87508726608e89
Instruction Fuzzy Hash: C51133B99046098FDB10DF99D584BDEBBF8EB48324F10841AE91AB7740C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04A676F8, Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04A6775D

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0e37003d089360e52313765903ed997a117efc6a00107a4e32649f55bb003faf
Instruction ID: 9d89c6d3485017a387c1b9c71f1f25b2dd94048feb353b913710fb42ddc582c9
Opcode Fuzzy Hash: 0e37003d089360e52313765903ed997a117efc6a00107a4e32649f55bb003faf
Instruction Fuzzy Hash: FE1103B59007498FDB10CF99D988BDEBBF4EB48324F14845AE559A7600C374A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04A67700, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04A6775D

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3c0ef8f6c7a7d2e63e57a9abe3b6b57cd06357f76b9255118209e39533c7df46
Instruction ID: 4307a005741403ad2e631b12339ba2715709ad293f7554c27efd86d5eb92d194
Opcode Fuzzy Hash: 3c0ef8f6c7a7d2e63e57a9abe3b6b57cd06357f76b9255118209e39533c7df46
Instruction Fuzzy Hash: 0811E2B59107499FDB10CF99D984BDEBBF8EB48324F10841AE559A7600C374AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0288DEB9, Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0288DEA8,?,?,?,?), ref: 0288DF1D

Memory Dump Source

Source File: 00000000.00000002.239486016.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: c4132c6185458112fff8a35affdb77872ca5dab6bfa8ad2fe95269ca972eefbf
Instruction ID: 9c62ad3085655921bb7a1e55438e685730b2a9c1d9dfb77ea0acd6a8e7d9a841
Opcode Fuzzy Hash: c4132c6185458112fff8a35affdb77872ca5dab6bfa8ad2fe95269ca972eefbf
Instruction Fuzzy Hash: AE1112BA9002498FDB10DF99D584BDEBBF4FB48324F24841AE959B7640C374AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F5D124, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.239130151.0000000000F5D000.00000040.00000001.sdmp, Offset: 00F5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc5d8a78f67e76faefb6773238bbb36768513c52f82a9dd0876ec450667142f
Instruction ID: 30ed3609da1b9936a157f2767b6221a5e5ab26b2330f3b657d27d25316b9ab78
Opcode Fuzzy Hash: 0bc5d8a78f67e76faefb6773238bbb36768513c52f82a9dd0876ec450667142f
Instruction Fuzzy Hash: 272145B2504644DFEB21CF14C8C0B26BF65FB88324F24C569EE050B246C336D84AEBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F5D4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.239130151.0000000000F5D000.00000040.00000001.sdmp, Offset: 00F5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 989d47ff15dcd9be30671e0d59feff508273eb3c1030b7e409387b72ab117176
Instruction ID: e91e8de58d7ab1d81fb4b57268266ba33a71181243bb3d53e97e1a7c7f613442
Opcode Fuzzy Hash: 989d47ff15dcd9be30671e0d59feff508273eb3c1030b7e409387b72ab117176
Instruction Fuzzy Hash: 29213772504240DFDB25CF14D9C0B27BF65FB88329F288569EE054B246D336D84AEBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F6D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.239184433.0000000000F6D000.00000040.00000001.sdmp, Offset: 00F6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b377ef93221fa73890bf20f0111ddedf6b704e1e9eb19d1108969b1deed414ee
Instruction ID: efb53bee4b4a4119bd5caec415cb54569abc82ca80f79bc9be822e098cef9056
Opcode Fuzzy Hash: b377ef93221fa73890bf20f0111ddedf6b704e1e9eb19d1108969b1deed414ee
Instruction Fuzzy Hash: C8212971E04244DFDB05CF54D9D0B26BB65FB88324F24C96DE8094B341C736D846EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F6D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.239184433.0000000000F6D000.00000040.00000001.sdmp, Offset: 00F6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ad279bcd2b1199f42aef8eb76608eb3cb21e83fb8333ed5969c2a24714bd2f
Instruction ID: ecfa2d3700cc0b8023f7e1b61aad6092f11b1f45463d0ffe3302bfd98bd2a635
Opcode Fuzzy Hash: 18ad279bcd2b1199f42aef8eb76608eb3cb21e83fb8333ed5969c2a24714bd2f
Instruction Fuzzy Hash: D5210A75A04240EFCB14CF14D9C4B16BB65FB88324F24C569D8094B34AC737D847EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F6D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.239184433.0000000000F6D000.00000040.00000001.sdmp, Offset: 00F6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b4e2902116dbf0de55d91e96224444f02664c9a138f172a1b409aaf7cb4a3d9
Instruction ID: ade681cd726a71ca424da9ccb8098aba90e6debfd5fb73c298e1a9c3f6ae5a1c
Opcode Fuzzy Hash: 6b4e2902116dbf0de55d91e96224444f02664c9a138f172a1b409aaf7cb4a3d9
Instruction Fuzzy Hash: 122183759093C09FCB02CF20D594715BF71EB46324F28C5EAD8458B697C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F5D4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.239130151.0000000000F5D000.00000040.00000001.sdmp, Offset: 00F5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2afa457568e0bb640a5e96658e9777ab49a47e984ab559958fa4953148591eca
Instruction ID: dab24f626e0e804fac768b8cdd014857dfd2265a5198d27527bb25f14258def3
Opcode Fuzzy Hash: 2afa457568e0bb640a5e96658e9777ab49a47e984ab559958fa4953148591eca
Instruction Fuzzy Hash: 3511D376805280CFCB16CF10D5C4B16BF71FB94325F2886A9DD050B656C33AD85ADBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F5D11F, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.239130151.0000000000F5D000.00000040.00000001.sdmp, Offset: 00F5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2afa457568e0bb640a5e96658e9777ab49a47e984ab559958fa4953148591eca
Instruction ID: 85bd1b6287e0ccf7f4331134d3149fc13c083673b93e2ccc287e7584ae2a9990
Opcode Fuzzy Hash: 2afa457568e0bb640a5e96658e9777ab49a47e984ab559958fa4953148591eca
Instruction Fuzzy Hash: B411D076804680CFDB12CF10D9C4B56BF71FB84324F28C6AADD040B656C33AD85ADBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F6D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.239184433.0000000000F6D000.00000040.00000001.sdmp, Offset: 00F6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5423dff634b637993c3977459c8b4a40d2af93c6c522a3032ada7a034eb7421
Instruction ID: c15c63e403bf8ccd8092483aadfb82d484da80e6b577f3e93b67759c03368075
Opcode Fuzzy Hash: f5423dff634b637993c3977459c8b4a40d2af93c6c522a3032ada7a034eb7421
Instruction Fuzzy Hash: B7119D75A04280DFCB15CF10D9D4B15FBB1FB85324F28C6AED8494B656C33AD84ADB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F5D75D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.239130151.0000000000F5D000.00000040.00000001.sdmp, Offset: 00F5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3674004c56d61a612a6a19d16e30095232ed0690a249ee5fe3dda0c0dd497330
Instruction ID: d5dcb290411bbbbbeb2ad85dfd3a4e83a18a5a52c2fde173dbaa81435a2eefff
Opcode Fuzzy Hash: 3674004c56d61a612a6a19d16e30095232ed0690a249ee5fe3dda0c0dd497330
Instruction Fuzzy Hash: 7901F77240A3409EE7204A15ED84B67BB98EF49375F18C81AEE049B282D3789C48D6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00F5D75C, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.239130151.0000000000F5D000.00000040.00000001.sdmp, Offset: 00F5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7839497e2d3dd06d7bc867bda6128f73bc11ca043a2f5f5b8cf4b6348d69e72c
Instruction ID: f4793139e354736c764fa651e8412f3256ebf7f1c4de57523aca13e61bb98502
Opcode Fuzzy Hash: 7839497e2d3dd06d7bc867bda6128f73bc11ca043a2f5f5b8cf4b6348d69e72c
Instruction Fuzzy Hash: 5BF0F671405344AEEB208A05DDC4BA3FFACEF45774F18C85AEE085B282C3799C48CAB0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 077579B0, Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

|-qw, xrefs: 07757A0D

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID: |-qw
API String ID: 0-3363682723
Opcode ID: 6e6d3ccd0b19da9c4380743ef46cb5100c90abb48f70baf3d7690ad965658071
Instruction ID: 4441d2a20f8e03656c1041c99d89959fed611aa2297ca2931067e426843a2210
Opcode Fuzzy Hash: 6e6d3ccd0b19da9c4380743ef46cb5100c90abb48f70baf3d7690ad965658071
Instruction Fuzzy Hash: 1A71E074E112199FCB08CFA9D48499EFBF1FF89350F14C55AE819AB224D774AA42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 077579A2, Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

|-qw, xrefs: 07757A0D

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID: |-qw
API String ID: 0-3363682723
Opcode ID: 937b8b3df0a86f740276d085949894c3cf87c142659bdd42a1a549bbdea4bce5
Instruction ID: ea74cb4ec0dfd0e622f94b6da9377f56cfdd13d9ff3d794c874120b1c965d523
Opcode Fuzzy Hash: 937b8b3df0a86f740276d085949894c3cf87c142659bdd42a1a549bbdea4bce5
Instruction Fuzzy Hash: 4971E074E112099FCB48CFA9D48499EFBF1FF89350F148556E819AB324D774AA41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07755650, Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

k@G, xrefs: 0775569B

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID: k@G
API String ID: 0-3911427725
Opcode ID: cc83164615bbd64949f4261605def7aa0c010e73a9fb80a6e412bc6877a288ec
Instruction ID: 5def135d83288b42a69701c8f8a7b91ea29e0f601b5ffed1ce3060196c860c34
Opcode Fuzzy Hash: cc83164615bbd64949f4261605def7aa0c010e73a9fb80a6e412bc6877a288ec
Instruction Fuzzy Hash: D26139B4E1420ADFCB04CF99D5819EEFBB2FB89354F148929E815A7210D374AA52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0775D660, Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

yk, xrefs: 0775D6E8

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID: yk
API String ID: 0-1228263080
Opcode ID: 1c2587f6e2c8c4debd9cba19e0d63e3fc0d8fabbb65995cc44a9a7b02cf0b989
Instruction ID: 2c2fd7b5eafa1801179368bfbac1847eda01a17fd2030b3f10363090c9968e8a
Opcode Fuzzy Hash: 1c2587f6e2c8c4debd9cba19e0d63e3fc0d8fabbb65995cc44a9a7b02cf0b989
Instruction Fuzzy Hash: 71713CB0E14219CFDB24CFA9C9806AEFBF6FB89244F2485AAD808A7315D7705A41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07755642, Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

k@G, xrefs: 0775569B

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID: k@G
API String ID: 0-3911427725
Opcode ID: 84dd8263ee4e8166c1249fa965e5605c986ed2bc62423af7c58989349a8c51b0
Instruction ID: 37a21eb279b6865a749bcbce28d1fb2628f0d85844a84d15fe77864b414c5117
Opcode Fuzzy Hash: 84dd8263ee4e8166c1249fa965e5605c986ed2bc62423af7c58989349a8c51b0
Instruction Fuzzy Hash: F3614BB4E1420ADFCB04CF99D5809AEFBB2FF89354F148966E815A7320D3749A52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07758508, Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

pkh, xrefs: 07758722

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID: pkh
API String ID: 0-3134075424
Opcode ID: 73b5da61dce1d67a5c0df160a16cf0c0c70ed35b5af9a742abc80236417205e2
Instruction ID: 31605c9f952c19370e2c5ffa7d37452aec467c42bb1ea91d32c062ec73d35006
Opcode Fuzzy Hash: 73b5da61dce1d67a5c0df160a16cf0c0c70ed35b5af9a742abc80236417205e2
Instruction Fuzzy Hash: 017109B4E1520ADFCB04CFA9D5809AEFBB1FF49354F14851AD815AB305C3B0A982CF96

Uniqueness

Uniqueness Score: -1.00%

Function 077584F8, Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

pkh, xrefs: 07758722

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID: pkh
API String ID: 0-3134075424
Opcode ID: 0965f5ff1361c66e4a051087143bc46455f92f85cb1797b26d03c76ea028a019
Instruction ID: 7ce6d5b65540e6e8fae7ac6225f89c16bc71e8e650f84cbe6830187e0f21e94a
Opcode Fuzzy Hash: 0965f5ff1361c66e4a051087143bc46455f92f85cb1797b26d03c76ea028a019
Instruction Fuzzy Hash: DE6139B4E1420ACFCB04CFA9C5809AEFBB2FF49394F14855AD815A7305D374A982CF96

Uniqueness

Uniqueness Score: -1.00%

Function 07759E38, Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

G~]!, xrefs: 07759F77

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID: G~]!
API String ID: 0-982829445
Opcode ID: 9ade01956f551f55ddeeb268a094f35d7942bd6ed54de1e94eed27afd0e414c2
Instruction ID: 3c361682751442bf36de846399acb65e703c376d2415c1d038e1979f55325675
Opcode Fuzzy Hash: 9ade01956f551f55ddeeb268a094f35d7942bd6ed54de1e94eed27afd0e414c2
Instruction Fuzzy Hash: 604170B1E116198BEB18CF6B8D4439EFBF7BFC9300F14C1BA890DA6214DB301A858E11

Uniqueness

Uniqueness Score: -1.00%

Function 07759E31, Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

G~]!, xrefs: 07759F77

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID: G~]!
API String ID: 0-982829445
Opcode ID: db3f002918c9ad64c341bd5e3bf52d0d5999ec8e8c3409dbda668894f4ae58ae
Instruction ID: d5d7596f79cfd5c23e196e5b5e35ad1681cc806b69aed523fc6ee5751f913966
Opcode Fuzzy Hash: db3f002918c9ad64c341bd5e3bf52d0d5999ec8e8c3409dbda668894f4ae58ae
Instruction Fuzzy Hash: DA414171E116198BEB5CCF6B8D4478EFAF3BFC8300F14C1BA990DA6264DB3459858E11

Uniqueness

Uniqueness Score: -1.00%

Function 0288C2B0, Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.239486016.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0476c9866d902ef2a81f449a70883c13f94c8e36bf7e782c0d215d5ec54cedad
Instruction ID: e4af1e64f1aded535d0dc7a41c611a16f508de5388e96ffa636b7805b1eca966
Opcode Fuzzy Hash: 0476c9866d902ef2a81f449a70883c13f94c8e36bf7e782c0d215d5ec54cedad
Instruction Fuzzy Hash: CB5249B550270AEFD714CF14F8881997BB1FB41328F90A219D1B1BBA90D3BC698ACF55

Uniqueness

Uniqueness Score: -1.00%

Function 04A68F00, Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf411cd6eb991dd263346afb3202266de1a224ba008462c71b72ef37be8a45f2
Instruction ID: 3bfe1ebbdf7901c13836441e9e537b5260a397dd360589718f55adbc4f1709d2
Opcode Fuzzy Hash: bf411cd6eb991dd263346afb3202266de1a224ba008462c71b72ef37be8a45f2
Instruction Fuzzy Hash: B7E1BDB57016048FEB19EB7AC450BAFB7EAAF89304F14846DC14ACB395CB35E905CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02889968, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.239486016.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 947903b64ee6a6999e034260dddbd7577d05be925f21973df376d4a8adcf48ec
Instruction ID: dfaecb464471502e3639638d2cdd6cb4a79b303ae3cb4b0cbfd0e7e094a18636
Opcode Fuzzy Hash: 947903b64ee6a6999e034260dddbd7577d05be925f21973df376d4a8adcf48ec
Instruction Fuzzy Hash: BBA16C3AE006198FCF05EFA9D8445DEBBB2FF85304B15816AE905FB261EB35A915CF40

Uniqueness

Uniqueness Score: -1.00%

Function 04A6523F, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b2ded0904f0e356d5c10e39f2b88b1479e45895126ab79894ce6107420072f
Instruction ID: ff5115914fa3124d968f85856b42333fe919232c3199ff280a60c117c8775f4b
Opcode Fuzzy Hash: 08b2ded0904f0e356d5c10e39f2b88b1479e45895126ab79894ce6107420072f
Instruction Fuzzy Hash: 2FB10DB4E1520ADFDB44CFE6D9455AEFBB2FF89300F14902AD416AB218E7349A42CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07758DE1, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c63da75aab7580474c81a1d6650f0160c4d1a009369661000d514504f4f973e
Instruction ID: a57f26cd177205a764cb92da401c4994f62a8419f6721e729547071b620472c9
Opcode Fuzzy Hash: 0c63da75aab7580474c81a1d6650f0160c4d1a009369661000d514504f4f973e
Instruction Fuzzy Hash: 796106B4E15209CFCB04CFA9C5815DEFBF2FF89250F28946AD805B7224D3749A428F65

Uniqueness

Uniqueness Score: -1.00%

Function 07758DF0, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfabc10e08dbea03f350cbe72f13b1b9cfa562ecb01dfaa6bc645938e90bc70c
Instruction ID: c8c571bb7ad2a3dcf364bd642fd884e87426f643a24907dbc59c58e27eba2d7f
Opcode Fuzzy Hash: dfabc10e08dbea03f350cbe72f13b1b9cfa562ecb01dfaa6bc645938e90bc70c
Instruction Fuzzy Hash: B171F6B4E15209CFCB04CFA9C5815DEFBF2FF89250F24942AD815B7224D3749A428F65

Uniqueness

Uniqueness Score: -1.00%

Function 0775CFB0, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6aaf9ef57349f482217d9786c43fd9663ff8e6115c997b1a2ef3f2e26e38ec9
Instruction ID: 8a65468b04f2b77bf26e90d9c65944f48db4a3b8f95aab933b67cf47d518af61
Opcode Fuzzy Hash: d6aaf9ef57349f482217d9786c43fd9663ff8e6115c997b1a2ef3f2e26e38ec9
Instruction Fuzzy Hash: 486171B0E14219CBDB14CFA9C9806AEFBB6FF89354F24C569D818AB315D7709942CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07759058, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78d6e63b49d3ddfee1d7cf8260cd460b4fd022d686dadb3db2ebb8d6e6f70bc2
Instruction ID: 15fa42836ad22bb88ab4a8d273667dffd469c218542e89e576273d8567522efb
Opcode Fuzzy Hash: 78d6e63b49d3ddfee1d7cf8260cd460b4fd022d686dadb3db2ebb8d6e6f70bc2
Instruction Fuzzy Hash: E7411AB0E0521ADFCB44CFAAC5805AEFBF2AF89250F24C46AC919B7314D7749A418F95

Uniqueness

Uniqueness Score: -1.00%

Function 07759068, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65286255d37bd612a7f27c7539f58b02c63a45bb7fbc1cf960bbb3bfe2865159
Instruction ID: cdde449d4c4be71e4435098cd5e5f72cad647b1cca1a1830335957a7633217b6
Opcode Fuzzy Hash: 65286255d37bd612a7f27c7539f58b02c63a45bb7fbc1cf960bbb3bfe2865159
Instruction Fuzzy Hash: A24108B0E0521ADFCB44CFAAC5405AEFBF2EF89250F24C46AC919B7314D774AA418F95

Uniqueness

Uniqueness Score: -1.00%

Function 07753DD8, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071736995b4b47be09eccfb4379edd43cbd372ea6edf5eabc801e83a4f44c1cd
Instruction ID: 473d7bd1ba1fd4124a41b2ea18a7fcca4be1dd04c32fc83bccbe8f1d47bf1ac6
Opcode Fuzzy Hash: 071736995b4b47be09eccfb4379edd43cbd372ea6edf5eabc801e83a4f44c1cd
Instruction Fuzzy Hash: 5B11DDB1E146189BEB18CFABD8406DEFAF7AFC9200F14C07AD918A6268EB7415458F51

Uniqueness

Uniqueness Score: -1.00%

Function 07759248, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd3aa8957ffb679fc4339ed1ffe5bc244550d40015932b811e0f3db707a64aa9
Instruction ID: 99e2bbf1a90f353abfa777b4147c7359c7206f64f58996f739732e12195a0286
Opcode Fuzzy Hash: cd3aa8957ffb679fc4339ed1ffe5bc244550d40015932b811e0f3db707a64aa9
Instruction Fuzzy Hash: 6211DDB1E016188BEB18CF6BD84469EFAF7AFC9200F04C076D908A6254EB7455568F51

Uniqueness

Uniqueness Score: -1.00%

Function 04A693E0, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c710e383b93aa3a8e43ed1bd1c28f89bedd335e6fa9463bbb6669cbbab7562
Instruction ID: a7334cfbafddc47f2b2592b43e218abf5d0dc7b84b0acb3f618d706187bafac1
Opcode Fuzzy Hash: f5c710e383b93aa3a8e43ed1bd1c28f89bedd335e6fa9463bbb6669cbbab7562
Instruction Fuzzy Hash: 251197B0D092188FDB048FA4C5187EEBBF5BB0E304F04A069C812B3291CB78A944DB68

Uniqueness

Uniqueness Score: -1.00%

Function 07753DCA, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a2cf72d8f578f00a8e2daf4cc31e20f65e28fe796a54b9b0caa8b95cb83d002
Instruction ID: 92ab50598ce111a51cd4da179514cd10a50dde8bd4ed41d95ba49e92f865af10
Opcode Fuzzy Hash: 2a2cf72d8f578f00a8e2daf4cc31e20f65e28fe796a54b9b0caa8b95cb83d002
Instruction Fuzzy Hash: DC11D0B1E146588BEB19CF6BC8446DEFBF3AFC9200F08C47AC818A6264EB7405458F51

Uniqueness

Uniqueness Score: -1.00%

Function 07759238, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249033139.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb7791527e00a98ccec14068ebbdefe20ae1a04455c01c9a5006e239776536a
Instruction ID: 158548b1aeef6c357cd45752886baf334353afd6a27b32bd4ba238700a37020d
Opcode Fuzzy Hash: 4bb7791527e00a98ccec14068ebbdefe20ae1a04455c01c9a5006e239776536a
Instruction Fuzzy Hash: 4011E2B1E146188BEB1CCF6BD84469EFBF3BFC9200F08C476C808A6264EB7455468F51

Uniqueness

Uniqueness Score: -1.00%

Function 04A693F0, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244597342.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a7b48aa46b1b002eb587cba283389a348bd27616fe425016a2b628899c41716
Instruction ID: 74113590d276f70ef9ab21b6f7d9b2cc701a6f08bad28710b1fb8aa749732e88
Opcode Fuzzy Hash: 9a7b48aa46b1b002eb587cba283389a348bd27616fe425016a2b628899c41716
Instruction Fuzzy Hash: AA117C70D052188BDB04CFA5C818BEEBBF5AF4E310F149069D812B3290D7785944DB78

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SecuriteInfo.com.Trojan.PackedNET.645.19369.exe PID: 2396 Parent PID: 5668 SecuriteInfo.com.Trojan.PackedNET.645.19369.exeCOMMON

Executed Functions

Function 00F10CD2, Relevance: 3.2, Instructions: 3198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64471b73d2380d1aef5b0563a69736b895d774d9ab205dc930d3bc896d34263f
Instruction ID: 81a939841fab04afc7a6d1748bd75a24aa91f5f5ff8f32f96e5d9d20ed1011a6
Opcode Fuzzy Hash: 64471b73d2380d1aef5b0563a69736b895d774d9ab205dc930d3bc896d34263f
Instruction Fuzzy Hash: 79639E30D14B599FCB21DB68C8906D9FBB1BF99310F25C69ED188A7211EB70AAC5CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00F10130, Relevance: 2.8, Instructions: 2848COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db77c8610b0ce2121115c7aaf91c0df794be8a2c21f99b94d64d32f493df0fb2
Instruction ID: 89d4d291ee389f6655890d10ce6fb0fc77bcf1bbb39169b1a5b9046e3b4b227f
Opcode Fuzzy Hash: db77c8610b0ce2121115c7aaf91c0df794be8a2c21f99b94d64d32f493df0fb2
Instruction Fuzzy Hash: 20530B30D14B198ECB11EF68C8446D9F7B1FF99310F11D69AE459AB221EB70AAC5CF81

Uniqueness

Uniqueness Score: -1.00%

Function 05F65A94, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 05F6B633

Memory Dump Source

Source File: 00000003.00000002.483238713.0000000005F60000.00000040.00000001.sdmp, Offset: 05F60000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 7723bcdb4d8b9d41ddd3baaa4ccf89f6b348e39bffa54f46ebf7db0fa1a588b9
Instruction ID: 3136521f68fd55d91a851ef53b55d9c85a1f62b5a64a64be15577f3faf334837
Opcode Fuzzy Hash: 7723bcdb4d8b9d41ddd3baaa4ccf89f6b348e39bffa54f46ebf7db0fa1a588b9
Instruction Fuzzy Hash: F15100B0E002188FDB14DFA9C894BEEBBB5BF48314F14816DE816BB355DB789844CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00F1A560, Relevance: 1.1, Instructions: 1127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a325daa6c5bb44d72b3fd315536ffc616b0aa87a30bf81eb6b467d35a3af7f5
Instruction ID: 81da5cd8197bd11187af05e915f46f27a5a75e55da7de56ce4d8bf4ea4b23dbb
Opcode Fuzzy Hash: 3a325daa6c5bb44d72b3fd315536ffc616b0aa87a30bf81eb6b467d35a3af7f5
Instruction Fuzzy Hash: C1A24970F002088FDB64EB78D855BEEB6B2AF89310F1485A9D50AEB784DF749C85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F15F18, Relevance: .7, Instructions: 669COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12730d82e838eafd26997203fb9bf91720420ab26fbfae20af5647bf3701c89b
Instruction ID: 90b7474dfc118f7561f4a0c6987d9a10d629d397031eab0063ab66ea964ceee5
Opcode Fuzzy Hash: 12730d82e838eafd26997203fb9bf91720420ab26fbfae20af5647bf3701c89b
Instruction Fuzzy Hash: AB329A70F002059FCB14DBA8C890BEEBBB2AF89314F15846AE515EB395DB35EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F1B798, Relevance: .6, Instructions: 557COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 885796f7596a1e66c5e8672d5930aaaa82936e462c03999f9d3010b3cd3168fc
Instruction ID: 6dbc84a0d1700b9bf0ed4ad3b1340279b2507efd4c4b21df1a2596ea07ca3083
Opcode Fuzzy Hash: 885796f7596a1e66c5e8672d5930aaaa82936e462c03999f9d3010b3cd3168fc
Instruction Fuzzy Hash: C2121130B042458FD714AB788869BAE7AB2AF86310F19C4BAD519DF3C5DF74DC468B90

Uniqueness

Uniqueness Score: -1.00%

Function 00F19918, Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea22a7a718e3cc8453f06f0f6195788db7751c5f0e8451fa08d41cd973f161be
Instruction ID: a686aed3392f2ea95faa337677f002d4e8f67956200e291f145150553e16764d
Opcode Fuzzy Hash: ea22a7a718e3cc8453f06f0f6195788db7751c5f0e8451fa08d41cd973f161be
Instruction Fuzzy Hash: 15027C34F042058FCB14DFB8C8946ADB7B2AF84324F288569D515EB395DB75EC82DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B9692B, Relevance: 6.1, APIs: 4, Instructions: 130threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02B969A0
GetCurrentThread.KERNEL32 ref: 02B969DD
GetCurrentProcess.KERNEL32 ref: 02B96A1A
GetCurrentThreadId.KERNEL32 ref: 02B96A73

Memory Dump Source

Source File: 00000003.00000002.478417570.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f367132055ec3b156cf8ca5ad2c5df40098a25fbd0feb36718d5b067f8fac1c9
Instruction ID: 47a52f24c3937fb29f2da518341916addcc97835ee78f010020d851b4033b16f
Opcode Fuzzy Hash: f367132055ec3b156cf8ca5ad2c5df40098a25fbd0feb36718d5b067f8fac1c9
Instruction Fuzzy Hash: CB5178B0E046848FDB54CFA9C6487EEBFF1EF49314F2485AAE159A7260C7345945CF21

Uniqueness

Uniqueness Score: -1.00%

Function 02B96940, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02B969A0
GetCurrentThread.KERNEL32 ref: 02B969DD
GetCurrentProcess.KERNEL32 ref: 02B96A1A
GetCurrentThreadId.KERNEL32 ref: 02B96A73

Memory Dump Source

Source File: 00000003.00000002.478417570.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 673a0436966fafdff8e3948a3b13f4337499e512596de6358805c299fc7b1fde
Instruction ID: 76fa98303488c47ef6d73fe6ee97ac8b57ffaf7a83759777961f1a7ff2c06ba6
Opcode Fuzzy Hash: 673a0436966fafdff8e3948a3b13f4337499e512596de6358805c299fc7b1fde
Instruction Fuzzy Hash: 1C5176B0E006488FDB54CFA9DA48BDEBBF0EF48314F2085AAE119A7350D7345984CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05F6B4ED, Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.483238713.0000000005F60000.00000040.00000001.sdmp, Offset: 05F60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b16c9743e16527b925ccea32e4ba2522b42ad02ca4b8c4d105e4f8e3b6e8c2
Instruction ID: 071a42d30abe64f79ff09792a4ea6a03bed52a0c612269efa32026b4eba4b3c2
Opcode Fuzzy Hash: a4b16c9743e16527b925ccea32e4ba2522b42ad02ca4b8c4d105e4f8e3b6e8c2
Instruction Fuzzy Hash: 315136B1E042188FDB14CFA9C894BDEBBB1BF48314F148159E816BB391D7789844CF95

Uniqueness

Uniqueness Score: -1.00%

Function 05F6921C, Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 05F6B633

Memory Dump Source

Source File: 00000003.00000002.483238713.0000000005F60000.00000040.00000001.sdmp, Offset: 05F60000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: db7d848c49de8f31f9dc9f2e1c6f1c9771684714eaf93871bc3fbdf8414a1c52
Instruction ID: 7cc553097c5dc41b8cab0834b6a76af0ec8cb03a58003fc1cd1a03d827f92b70
Opcode Fuzzy Hash: db7d848c49de8f31f9dc9f2e1c6f1c9771684714eaf93871bc3fbdf8414a1c52
Instruction Fuzzy Hash: 915102B1E002188FDB14CFA9C894BDEBBB5BF48314F148169E816BB355DB789844CB95

Uniqueness

Uniqueness Score: -1.00%

Function 02B95090, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02B951A2

Memory Dump Source

Source File: 00000003.00000002.478417570.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f2362e95147c6b7d1de07abd0760199028fb3986ac87c4c95062c614a71708cd
Instruction ID: 99d768cfd0425045e95296fa425f737f71355396dd6d1b4aee1ba79e4988c363
Opcode Fuzzy Hash: f2362e95147c6b7d1de07abd0760199028fb3986ac87c4c95062c614a71708cd
Instruction Fuzzy Hash: B541D0B1D003189FDF15CFA9C984ADEBBB5FF48314F64812AE819AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B9508F, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02B951A2

Memory Dump Source

Source File: 00000003.00000002.478417570.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6880eb4861ddfcc94183630a81d1b465c0751cdb4393a5162b139b8350ec06c6
Instruction ID: 105e63c9a3202cede605b5b7aa3f8c0737dfdbf5dc387de64ae938fe351a9cb7
Opcode Fuzzy Hash: 6880eb4861ddfcc94183630a81d1b465c0751cdb4393a5162b139b8350ec06c6
Instruction Fuzzy Hash: B741C0B1D003589FDF25CFA9C984ADEBBB1FF48314F64812AE819AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B9779C, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 02B97F01

Memory Dump Source

Source File: 00000003.00000002.478417570.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 708f88e93b183715c8dea050380bd69d7cb8b746f9f04f3a1a7ccdf48d28724d
Instruction ID: d2685b691d755cd09c07bb0c8046dc0ea15c53e3711ee3fb5d5dcbd1c320eae1
Opcode Fuzzy Hash: 708f88e93b183715c8dea050380bd69d7cb8b746f9f04f3a1a7ccdf48d28724d
Instruction Fuzzy Hash: BB4129B5A006458FDB14CF99C488BAAFBF9FB88314F258499E519AB311D734A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05F6C820, Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 05F6CEC0

Memory Dump Source

Source File: 00000003.00000002.483238713.0000000005F60000.00000040.00000001.sdmp, Offset: 05F60000, based on PE: false

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 6fd79efd627a7c01999064d649b1cee43b609b9ddef0990fc32e3f711708fdaa
Instruction ID: 5a6e221baa1dd4cb75f69f61c674c658593c741737c9dccf6365dd292da3f934
Opcode Fuzzy Hash: 6fd79efd627a7c01999064d649b1cee43b609b9ddef0990fc32e3f711708fdaa
Instruction Fuzzy Hash: 7C3101B0D01209DFDB10CF99C984BDEBBF5BF48314F14801AE449AB390D774A949CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 05F6CE2D, Relevance: 1.6, APIs: 1, Instructions: 73comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 05F6CEC0

Memory Dump Source

Source File: 00000003.00000002.483238713.0000000005F60000.00000040.00000001.sdmp, Offset: 05F60000, based on PE: false

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: a47b47e7cbdc98f01920133eecb74ce932364e4da3553082b40498f9d375fbde
Instruction ID: 6148279ab5454623718a9dfb7d78b9113c746db5d31a0f3d3ac5729622a76191
Opcode Fuzzy Hash: a47b47e7cbdc98f01920133eecb74ce932364e4da3553082b40498f9d375fbde
Instruction Fuzzy Hash: 6F3101B0D00209DFDB10CF98C985BCEBBF5BF48314F248019E449AB790D778A949CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02B96B61, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B96BEF

Memory Dump Source

Source File: 00000003.00000002.478417570.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e80ec52a2d61ed40db5d225f0be8ceec00582a22436ad96ad058fc6c982a1c5a
Instruction ID: dfb461c09cb57c1e1e45a182be08144c04452b61bab996b56384d40c78e17e25
Opcode Fuzzy Hash: e80ec52a2d61ed40db5d225f0be8ceec00582a22436ad96ad058fc6c982a1c5a
Instruction Fuzzy Hash: CC2112B5D002489FDF10CFA9D984AEEBBF4EB48324F14846AE914A7310D778A955CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B96B68, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B96BEF

Memory Dump Source

Source File: 00000003.00000002.478417570.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 12eb20a344bc9e682a2488d638e3c6cf37e40de3de34f7b8ea0cffbae361a86b
Instruction ID: a608dd8ad61e4ce02dbfaad7946bea20bec07cf46acb2a8bda6ffb9159e9a641
Opcode Fuzzy Hash: 12eb20a344bc9e682a2488d638e3c6cf37e40de3de34f7b8ea0cffbae361a86b
Instruction Fuzzy Hash: D921F3B5D002489FDF10CFA9D984ADEBBF8FB48324F14842AE915A7310D774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B9C1A8, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 02B9C222

Memory Dump Source

Source File: 00000003.00000002.478417570.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 30237bf07a2699f0360078364cfb882312d5917985291c7e7874b3dc36e24e4c
Instruction ID: dedf31e45706f242cd8ac1c79afca354a0e559117d0f46d90e923f53a7b2ea5b
Opcode Fuzzy Hash: 30237bf07a2699f0360078364cfb882312d5917985291c7e7874b3dc36e24e4c
Instruction Fuzzy Hash: 401186B1A003088FCF50DFA9D9087DEBBF4EB48714F20846AD405A7600C7386949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B9C1A7, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 02B9C222

Memory Dump Source

Source File: 00000003.00000002.478417570.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 80dfdb4c5fe6c2892c9ae00de263f94b7733e2197f6e112fc66bc8658eef0ccb
Instruction ID: 2c364f2209ef7ad12be98eaa7318212f8ee3b47b649d24b7a4ba2b14d2d08b5d
Opcode Fuzzy Hash: 80dfdb4c5fe6c2892c9ae00de263f94b7733e2197f6e112fc66bc8658eef0ccb
Instruction Fuzzy Hash: 6C1186B2A003088FCF60DFA9D9483DEBFF0EB48714F24856AD445A7600C7385949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B940AA, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02B94116

Memory Dump Source

Source File: 00000003.00000002.478417570.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e709dfda5c0d5454b76983e9a5b7e94da34ba7797c8b121142fadd9a261cafcd
Instruction ID: 214627b15053f87d3f889292082eeb99db0458ad5b63ae8787e79b86443b633f
Opcode Fuzzy Hash: e709dfda5c0d5454b76983e9a5b7e94da34ba7797c8b121142fadd9a261cafcd
Instruction Fuzzy Hash: 831104B6D006498FDB10CFAAC444BDEFBF4EF89224F15846AD459B7600C375A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B93300, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02B94116

Memory Dump Source

Source File: 00000003.00000002.478417570.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9cd1a5e212cb4f78e9b28ae48b989d7bb014b3a38b84477e6b52f2f3d1af1129
Instruction ID: 4fea2d2f8b4e62ca6895feacd9b4eb424c1d7c97048a1cda876005a58cb1693a
Opcode Fuzzy Hash: 9cd1a5e212cb4f78e9b28ae48b989d7bb014b3a38b84477e6b52f2f3d1af1129
Instruction Fuzzy Hash: 651102B6D006498FDB10CF9AC444BDEFBF4EB89224F15846AD829B7600D374A946CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05F6C158, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,05F6C11F), ref: 05F6C1BF

Memory Dump Source

Source File: 00000003.00000002.483238713.0000000005F60000.00000040.00000001.sdmp, Offset: 05F60000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 4a96a14d47dad3ea0a465b3fe948916f96a3d58cff1ff52e8b1f60689c8b50e2
Instruction ID: 3b9a38e60ccbe13725f6302db94c423397fe7d471c66358cc6f2322dd5dbe6ad
Opcode Fuzzy Hash: 4a96a14d47dad3ea0a465b3fe948916f96a3d58cff1ff52e8b1f60689c8b50e2
Instruction Fuzzy Hash: 0A11F5B5D006488FCB10DF99D8847DEBBF4EB48324F24841AD559A7600D778A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05F6924C, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,05F6C11F), ref: 05F6C1BF

Memory Dump Source

Source File: 00000003.00000002.483238713.0000000005F60000.00000040.00000001.sdmp, Offset: 05F60000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: d37b8c729949b6e16019606271bce908f9e423223150c59f23f65d8dcb1aa5db
Instruction ID: d0c3af867663827591c948be30f6d53c175b8e55c0b12cf4e57de8830ffa1c8c
Opcode Fuzzy Hash: d37b8c729949b6e16019606271bce908f9e423223150c59f23f65d8dcb1aa5db
Instruction Fuzzy Hash: FC1125B59046488FCB10DF99C8847DEBBF8EB48324F14841AE559A7700D778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05F6C70C, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05F6CD45

Memory Dump Source

Source File: 00000003.00000002.483238713.0000000005F60000.00000040.00000001.sdmp, Offset: 05F60000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 4df098ac8fc259a49e67d2b7f46dd31a0dffaf9e977813fd0f13c5685b2eddf9
Instruction ID: f49347328fd887dc77f556c7970444f807baeae942d17eb5883dd2b475e7a0fd
Opcode Fuzzy Hash: 4df098ac8fc259a49e67d2b7f46dd31a0dffaf9e977813fd0f13c5685b2eddf9
Instruction Fuzzy Hash: FB1145B1D006488FCB10DF99D844BDEBBF4EB48324F108419D559B7600C778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05F6CCE8, Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05F6CD45

Memory Dump Source

Source File: 00000003.00000002.483238713.0000000005F60000.00000040.00000001.sdmp, Offset: 05F60000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: ba6beb0a578d050d97be8ce39fd54dcf64d2efea0c83893ff0aed7da8c875cb7
Instruction ID: 963ef757b8a2aab1e3341a56141ef4c800e07f7d664c1debb8fd23834959d02a
Opcode Fuzzy Hash: ba6beb0a578d050d97be8ce39fd54dcf64d2efea0c83893ff0aed7da8c875cb7
Instruction Fuzzy Hash: FE1112B5D006488FDB10DF99D885BDEBBF4EB48324F14841AD569A7600C778A948CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F1BFDF, Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 524f459f363fd5258ed5c776c9dbf801dd7a392ea8029f2e4511d5d730ddb4e3
Instruction ID: 58bbbe3cde4d024478f06d23cea6fa0be39f0af87b36405abb8fb73ea3343410
Opcode Fuzzy Hash: 524f459f363fd5258ed5c776c9dbf801dd7a392ea8029f2e4511d5d730ddb4e3
Instruction Fuzzy Hash: 7BA1DE72E402059FCB24DBA8C890AFEB7F6AF84310F15842AD616DB251DB35DD86DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00F16878, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd673e457c71f8841262be1d16d4d8479c1c3a9caaefde12b8cf4d2bd1f1eb5d
Instruction ID: 51e5c65cdf330c314769987e99582a29e7a08e1df180c8cd15186b7bde30de2f
Opcode Fuzzy Hash: cd673e457c71f8841262be1d16d4d8479c1c3a9caaefde12b8cf4d2bd1f1eb5d
Instruction Fuzzy Hash: 1E81BD31B00115AFCF14EF64C855BEE76A6AF88364F148929FA06DB380DB749C91DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F1A2B0, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb35580f37d9a588d9b3aea37978ca4f3ffffd3bd66dd9d7f6987f468374625
Instruction ID: 114a60d75210b109239e3f0f10eec06555e65c6eef34cbaf55ca3c8f55597a03
Opcode Fuzzy Hash: 1eb35580f37d9a588d9b3aea37978ca4f3ffffd3bd66dd9d7f6987f468374625
Instruction Fuzzy Hash: D471C235B0D3858FD702D77888147A67BF66B86300F0984F6D558DB393EA78DC0A8762

Uniqueness

Uniqueness Score: -1.00%

Function 00F192A8, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4085b72fc9fc4c5fab1b3acd0a20e0e3cc0d8f47ea41ec7daba23fc3a2b51b8c
Instruction ID: 565e3dec4dd7e6002d921624a5643b9d0139a93e06096b81204706a2fe71926e
Opcode Fuzzy Hash: 4085b72fc9fc4c5fab1b3acd0a20e0e3cc0d8f47ea41ec7daba23fc3a2b51b8c
Instruction Fuzzy Hash: A3817935B041048FCB54EF78D49899DB7F2EF88324B1584A9E50ADB365EB71EC41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F1C120, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adce89ffb6166472ab9b7f291146d082d95e713f1537ee134e26731497c26a1d
Instruction ID: 0c73ffd6a729f1d3901a5379d2fbb35731e9ccb703c79adb637bdc56922f56fc
Opcode Fuzzy Hash: adce89ffb6166472ab9b7f291146d082d95e713f1537ee134e26731497c26a1d
Instruction Fuzzy Hash: 1361BF71B402458FDB149BA9C890BFEB7F6AF84310F14842AE502DB351DA38DD829BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00F192A4, Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e9029afa038b4e8d9ffae0665275b9ce3838e45e32265a44df5d2a9fe735e6
Instruction ID: ef43d3bb589ca177563efab280643fa887c1108db78402c5527af89e112e2ef8
Opcode Fuzzy Hash: 86e9029afa038b4e8d9ffae0665275b9ce3838e45e32265a44df5d2a9fe735e6
Instruction Fuzzy Hash: 78614734B101048FC758EF38D49899DBBF2AF89314B1685A9E60ACB775EB71EC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F1EDE0, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b39bb3785dcfe510535c9be8b2508e95b5777492201a9f0d3475dec597dd0d07
Instruction ID: 3cdaf593b5a33435917d0cec292c70a54efbf230332c162ff36929bb1da75692
Opcode Fuzzy Hash: b39bb3785dcfe510535c9be8b2508e95b5777492201a9f0d3475dec597dd0d07
Instruction Fuzzy Hash: 6451E534B093858FC702D7B8981469A7FF6AF86310B19C4F6D548DB396DB38DC0A8752

Uniqueness

Uniqueness Score: -1.00%

Function 00F1F6C8, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 633ea5689f6316f4788a9dd309eab135b29ac0ff3561a3007c836b34654a07c8
Instruction ID: c36a1367f3ce17f763325391a94c76645043097a6c28e2fbf609e32f0428f421
Opcode Fuzzy Hash: 633ea5689f6316f4788a9dd309eab135b29ac0ff3561a3007c836b34654a07c8
Instruction Fuzzy Hash: CC51F530B092495FDB15A778D8543ED7BB6AF85364F1880BAD504DF282DB748C8987A1

Uniqueness

Uniqueness Score: -1.00%

Function 00F1CEC0, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee6d171adb2c0c801620a53e4750905a7736f6279a2f6306e40acbbf2cbf91ae
Instruction ID: 57b768f5ae41615809117da356121c910cff41c7d4eff6911e9d3193e00ea40f
Opcode Fuzzy Hash: ee6d171adb2c0c801620a53e4750905a7736f6279a2f6306e40acbbf2cbf91ae
Instruction Fuzzy Hash: 89519F31B002048BCB14EBB8D85469DB3F2AF88358B258978D515DB758DF31EC868BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F1A0A7, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d833316cc65342cea10c9b31a3d6bdbcb5e943f0c98e7a7ca42db214c827ba71
Instruction ID: 4c25f7c7bc5998b777e411fead547bc2afb9b3cf794879f2fdb644ed85d8ef50
Opcode Fuzzy Hash: d833316cc65342cea10c9b31a3d6bdbcb5e943f0c98e7a7ca42db214c827ba71
Instruction Fuzzy Hash: 1A414231F015559FD7249778C8147EDB6A2AF88324F158179CA29EF7D1DB318C82DB82

Uniqueness

Uniqueness Score: -1.00%

Function 00F1DC30, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67fe62985f0f0a41028231d3e7fcef16df4fb6dcf43850510ce4c6d7c7164424
Instruction ID: ef035f6932eeac43ce132118dbf0787fddd9f14b7e4e64b2360163183544d6c0
Opcode Fuzzy Hash: 67fe62985f0f0a41028231d3e7fcef16df4fb6dcf43850510ce4c6d7c7164424
Instruction Fuzzy Hash: 6641AC30F042049FCF55ABB9D85969EB7F6AF88310B104839EA15EB344EFB99D418B90

Uniqueness

Uniqueness Score: -1.00%

Function 00F1F88C, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5152e6d07319b69f3befd74ff7e07569ba01bb566edad3bf25ae1416538cf2ca
Instruction ID: 7ebac04d708408b1457eae827e81e832cc76f8bf6c42d63edd82688816bde8da
Opcode Fuzzy Hash: 5152e6d07319b69f3befd74ff7e07569ba01bb566edad3bf25ae1416538cf2ca
Instruction Fuzzy Hash: 26410B30E082459FDB159B78D8547ED7BB2EF85324F1884BAD445EF282DB348C89CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F1F4E0, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44467da75fc3247eb474a936133e3a115c93312439cb3a906a1dee48aa0c0bd8
Instruction ID: 6463c2e280e2280708bcf2087a92d0bef6ca1a2644df9e2c78b1e90d6764f924
Opcode Fuzzy Hash: 44467da75fc3247eb474a936133e3a115c93312439cb3a906a1dee48aa0c0bd8
Instruction Fuzzy Hash: 3731B030B092858FD702DBB8D8146D97BB6AF46314F1880B6D054DB392DB74DD49CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F10006, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f789461a5f64c0a3e374dff06e4bffd5cc3c6657ee199f5cdd173a399c15bf69
Instruction ID: b951932d5c798c5a4d5e9ea59b1da918276811af115a232936f8dff570f330e2
Opcode Fuzzy Hash: f789461a5f64c0a3e374dff06e4bffd5cc3c6657ee199f5cdd173a399c15bf69
Instruction Fuzzy Hash: 0431F931A492818FD705CB74C9257E93BF1AF4E310F1540EAD405EB7A2DEB58C85E761

Uniqueness

Uniqueness Score: -1.00%

Function 00F1F5FC, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88a972756810d8ddedac4d0c6ec49b7abd092f043ac01e0183acb63fbdf6097e
Instruction ID: 34304798e5ed26c6d93ea81da955a7f3a412dc7b5c1cdf7a8352d7b874a9f3a2
Opcode Fuzzy Hash: 88a972756810d8ddedac4d0c6ec49b7abd092f043ac01e0183acb63fbdf6097e
Instruction Fuzzy Hash: CE318430E192888FCB06CBB8D8546DCBFB1AF4A315F1980FAD045EB2A2C7748D49CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F1E440, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5efb87ea94581270be394c0a946bf72b23b1f21c110da3e088cd9bfcbdc1b56d
Instruction ID: 4ba3c40233c2e4e285f1cdd0a1197a8671f09827269655a6a7827e449ac05531
Opcode Fuzzy Hash: 5efb87ea94581270be394c0a946bf72b23b1f21c110da3e088cd9bfcbdc1b56d
Instruction Fuzzy Hash: 8421E239F052448FCB41EB78D854AAEB7F2AF88300B148579D249D7355EB34DC06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F1E560, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b126d6a9dc386b3dce4ecd835a290f7d0bb27dfb909c46fd014a944932f5a48
Instruction ID: 7c0da15f3ca21e090314dc5d054f33456d14f57aaaf1b3d8d0e2ac34d4fbad95
Opcode Fuzzy Hash: 9b126d6a9dc386b3dce4ecd835a290f7d0bb27dfb909c46fd014a944932f5a48
Instruction Fuzzy Hash: 0221BD35F042498FCB41EB78D854AAEBBF2AF88300B54897AD649D7354EF349C068B91

Uniqueness

Uniqueness Score: -1.00%

Function 00F10040, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37df81d8a3ada16f35cd46bbf8e1454e4225691f72df74f408c437d35763b7c9
Instruction ID: 18130d4ee654e037f760912a684a945079dd29c6d47dac756f9aab171e29757c
Opcode Fuzzy Hash: 37df81d8a3ada16f35cd46bbf8e1454e4225691f72df74f408c437d35763b7c9
Instruction Fuzzy Hash: 3C218031B441059FDB18DB78C919BEE76E6AF8C724F208169E505EB3A0DFB18CC4A791

Uniqueness

Uniqueness Score: -1.00%

Function 00F1B6D0, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 060bd5a7d185749cf35db38ab00f2209e1369708ea112d77fdcaed7eacea9c75
Instruction ID: a09aae81da220cc1a41fc01ee5563c76566d64c9db5a80eb2ec5377100357cf5
Opcode Fuzzy Hash: 060bd5a7d185749cf35db38ab00f2209e1369708ea112d77fdcaed7eacea9c75
Instruction Fuzzy Hash: 3F114F2471D3859FD703933888246567BB59B86304F1AC1E3D088CB2D7D668DD0AC762

Uniqueness

Uniqueness Score: -1.00%

Function 00F1DC2C, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b176789972c726233cbe66288b4922ada1d7d0a3719159b14ec173c8db2ac199
Instruction ID: e387bfca0ce394a5805cda2406fbd1cc27a22e15203bbdfed00bce7a0f74fe55
Opcode Fuzzy Hash: b176789972c726233cbe66288b4922ada1d7d0a3719159b14ec173c8db2ac199
Instruction Fuzzy Hash: A9110275F002159FCF54ABB898553AE77F2AF88210F104A39E605EB784EF798C4187C0

Uniqueness

Uniqueness Score: -1.00%

Function 00F1BF50, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ba0d02c7150497e820a43fc80c8eeae7e29864c0ede17fd67542fe7599d86d3
Instruction ID: e7299674e56a8c21fa9e85f6f911adf83c64a3d74d5a10ccd58577f4b3dcc16f
Opcode Fuzzy Hash: 3ba0d02c7150497e820a43fc80c8eeae7e29864c0ede17fd67542fe7599d86d3
Instruction Fuzzy Hash: 8B110835F083008FC7159BB498187AAB7EA9FC1315F0488AAE055C7652DB75DC86C700

Uniqueness

Uniqueness Score: -1.00%

Function 00F19184, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3d687687d3387189d53b6d43e2b6b93ce48b983a9af517ada9811f8166a370
Instruction ID: cf41bce79bce070c01ed9820aa164ed6ef2a9c811f067d72b84acec9e6202e9c
Opcode Fuzzy Hash: 5a3d687687d3387189d53b6d43e2b6b93ce48b983a9af517ada9811f8166a370
Instruction Fuzzy Hash: 4C117C36F001158F8B80EFB8D855AAEB7F2AF8C2007508469D209E7754EF349D468BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00F19188, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca6eaf51048a61b9380bafc5c995a9a9e7da575203bbd717d068c066ea7acc80
Instruction ID: ac683f6745b5b68363fcb617f6336ba737e230de42c272cbf2eabd7919e36361
Opcode Fuzzy Hash: ca6eaf51048a61b9380bafc5c995a9a9e7da575203bbd717d068c066ea7acc80
Instruction Fuzzy Hash: 45117C36F001199F8B40EFBCD854AAEB7F1AF8C2107508069E209E7354EF749D428BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00F1BEF7, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5553582e4e67e2799f7b41b210d6099edc7416026718714ac4a53dbe53c6a0a2
Instruction ID: 5e234d9c2daa5a274aae70f0ecbae7a03cb0e947f4b8fb1c7ea32ed90cdaa862
Opcode Fuzzy Hash: 5553582e4e67e2799f7b41b210d6099edc7416026718714ac4a53dbe53c6a0a2
Instruction Fuzzy Hash: D4F0E921B1C1918FC315833968147FABBF95FC1211B0844AAE149CB663DB648C47D741

Uniqueness

Uniqueness Score: -1.00%

Function 00F1CEB9, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8657319ae637b27f43a7af8ad86dd3f4ce3928e875197f5c38702be1b379d5b1
Instruction ID: c4dbbe4252096eec92377eae43ff6c94bc7367bee3a28baf573c87114d7fe014
Opcode Fuzzy Hash: 8657319ae637b27f43a7af8ad86dd3f4ce3928e875197f5c38702be1b379d5b1
Instruction Fuzzy Hash: 37F02737F10104CBD710AB79ED013E973B6EB88364F008836DA05E7708EB32AC869B90

Uniqueness

Uniqueness Score: -1.00%

Function 00F1A4EF, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c81b88bc02d0ce77e93287d1d9cd9deb7e9571960b3d67c9f49b659a37db5e4
Instruction ID: eb4e911b3fdd0d54163ada159283cb8d8328f50ec27d50f2bfe69d6c9a32aace
Opcode Fuzzy Hash: 0c81b88bc02d0ce77e93287d1d9cd9deb7e9571960b3d67c9f49b659a37db5e4
Instruction Fuzzy Hash: 7FE0ED36B000148B9F44FBBCE8444DDB3F2FF88261B148079D60AE7354DE349C058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F1E4EF, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e65b76103f92f56fc21b5caa32d98d78067c1d2a2204aafddc6c89cc6d89bd7
Instruction ID: 2e7001c2fee94658b7faf834cb8c1408b75ea61cb407958abc3c8fedf5509a59
Opcode Fuzzy Hash: 4e65b76103f92f56fc21b5caa32d98d78067c1d2a2204aafddc6c89cc6d89bd7
Instruction Fuzzy Hash: 9FE0ED3AB000148B8F44EBBCD8444DDB3F2FFC826571440B8D60AD7354EE349C058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F1E60F, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d562418501b69b688bc6587542bd87c46373b099fce031eabf83bc79e91a9b
Instruction ID: 2940c04ae783a22b6fca4b198c13400943e00045431cbcabbd20cfef96b18d1a
Opcode Fuzzy Hash: 95d562418501b69b688bc6587542bd87c46373b099fce031eabf83bc79e91a9b
Instruction Fuzzy Hash: 17E0C936B000148B8F44EBB8D8559DD73E2AF88261B1480A9D609D7354DE349C058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F191E7, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e072bce55f486a17052f52589cc768956a4daac7713ae39855339f7afeea58
Instruction ID: d7518ac9e7af26053f0d8eafc63677a37c409d5521a1e03c3997fea76dbb44a2
Opcode Fuzzy Hash: 09e072bce55f486a17052f52589cc768956a4daac7713ae39855339f7afeea58
Instruction Fuzzy Hash: 9BE0C936B000148B8F44EBB8D8554DD73F2EF89255B1480B8D609D7354DE349D468BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F1EF7F, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8595a0829916a9dd2b82eab1296556e47a849290f412087c443cc12d0d3b0a26
Instruction ID: e0c3a766c5871691a74b8af0771d532217fa47b6cfb612b5d8486372ee350a00
Opcode Fuzzy Hash: 8595a0829916a9dd2b82eab1296556e47a849290f412087c443cc12d0d3b0a26
Instruction Fuzzy Hash: 09E0ED3AB000188B9F44EBBCE8455DDB3F2FF883617148079D609D7354DE349C158BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F1BF4F, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476446601.0000000000F10000.00000040.00000001.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a404045c1ae695c316d58d05439f5918c7c128aff9b0bb0cbc64f1d6d141f6f8
Instruction ID: 57dabb1c5eefd6aa2be0faa6aa952b08cb4313bef542d88df786abab8e6bcc8e
Opcode Fuzzy Hash: a404045c1ae695c316d58d05439f5918c7c128aff9b0bb0cbc64f1d6d141f6f8
Instruction Fuzzy Hash: A9D05E36B441205BD754867E2C58AFEABEF8BC5761B0841BAF509C3281CEA68C17D750

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.Trojan.PackedNET.645.19369.30388

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre