Play interactive tour

Edit tour

Analysis Report SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

Overview

General Information

Sample Name:	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Analysis ID:	432708
MD5:	d482d04bd4113f1f9f08e39bca4a3f27
SHA1:	783f25f265c34681ffca9e5c8ac5bebecc71bbc6
SHA256:	9973c00cf203198a16d3d897fa85d46896f04ea9d58b23917eaea32a3de4d5e4
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Suspicious Process Start Without DLL

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

SAUDI ARAMCO Tender Documents - BOQ and ITB.exe (PID: 6556 cmdline: 'C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe' MD5: D482D04BD4113F1F9F08E39BCA4A3F27)

schtasks.exe (PID: 6824 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sXNiyYIFndkxd' /XML 'C:\Users\user\AppData\Local\Temp\tmp2894.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 6904 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "admin@dangotesugars.com08102186737CEOus2.smtp.mailhostbox.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000000.367493021.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000000.367493021.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000002.600007572.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.600007572.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6904	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 6904	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe PID: 6556	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe PID: 6556	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author
5.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.43a6a70.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.43a6a70.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.43a6a70.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.43a6a70.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.42883f0.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.42883f0.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 5 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Start Without DLL

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe' , ParentImage: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, ParentProcessId: 6556, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6904

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe' , ParentImage: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, ParentProcessId: 6556, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6904

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "admin@dangotesugars.com08102186737CEOus2.smtp.mailhostbox.com"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\sXNiyYIFndkxd.exe

ReversingLabs: Detection: 15%

Multi AV Scanner detection for submitted file

Show sources

Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Virustotal: Detection: 30%			Perma Link
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	ReversingLabs: Detection: 15%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\sXNiyYIFndkxd.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

Joe Sandbox ML: detected

Source: 5.0.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 5.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8

Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Administrator\Desktop\Client\Temp\XobOtjQJOq\src\obj\x86\Debug\RegistryValueOptions.pdb< source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Source:	Binary string: C:\Users\Administrator\Desktop\Client\Temp\XobOtjQJOq\src\obj\x86\Debug\RegistryValueOptions.pdb source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h

1_2_0E80DB38

Source: global traffic

TCP traffic: 192.168.2.6:49756 -> 208.91.199.223:587

Source: Joe Sandbox View

IP Address: 208.91.199.223 208.91.199.223

Source: global traffic

TCP traffic: 192.168.2.6:49756 -> 208.91.199.223:587

Source: unknown

DNS traffic detected: queries for: us2.smtp.mailhostbox.com

Source: RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000005.00000002.603275086.0000000003029000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000005.00000002.603275086.0000000003029000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0A
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369600695.00000000031A1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000005.00000002.603275086.0000000003029000.00000004.00000001.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp	String found in binary or memory: http://xaqngD.com
Source: RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp	String found in binary or memory: https://Tw98FI5QiWYWE4R7ojW.com
Source: RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%$
Source: RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegSvcs.exe, 00000005.00000002.603275086.0000000003029000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.367493021.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 5.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b4FF9C728u002d7C57u002d40C2u002dBE9Cu002d6335DB58B1AFu007d/B8E47775u002d22E9u002d4EE8u002d9FD7u002d974F8284310E.cs	Large array initialization: .cctor: array initializer size 11966
Source: 5.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b4FF9C728u002d7C57u002d40C2u002dBE9Cu002d6335DB58B1AFu007d/B8E47775u002d22E9u002d4EE8u002d9FD7u002d974F8284310E.cs	Large array initialization: .cctor: array initializer size 11966

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Code function: 1_2_0313C2B0	1_2_0313C2B0
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Code function: 1_2_03139970	1_2_03139970
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Code function: 1_2_09257A60	1_2_09257A60
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Code function: 1_2_0925ACD0	1_2_0925ACD0
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Code function: 1_2_0925BFF8	1_2_0925BFF8
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Code function: 1_2_0925CEF8	1_2_0925CEF8
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Code function: 1_2_0925B578	1_2_0925B578
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Code function: 1_2_0925E900	1_2_0925E900
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Code function: 1_2_09257A51	1_2_09257A51
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Code function: 1_2_0925AFB0	1_2_0925AFB0
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Code function: 1_2_0925EFC8	1_2_0925EFC8
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Code function: 1_2_0925F1E8	1_2_0925F1E8
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Code function: 1_2_09250006	1_2_09250006
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Code function: 1_2_09250040	1_2_09250040
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Code function: 1_2_0925A0E1	1_2_0925A0E1
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Code function: 1_2_0925F428	1_2_0925F428
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Code function: 1_2_092574A0	1_2_092574A0
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Code function: 1_2_092574B0	1_2_092574B0
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Code function: 1_2_0E808650	1_2_0E808650
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Code function: 1_2_0E809420	1_2_0E809420
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Code function: 1_2_0E80CC78	1_2_0E80CC78
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Code function: 1_2_0E808D80	1_2_0E808D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F0EDB0	5_2_00F0EDB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F04180	5_2_00F04180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F0CD80	5_2_00F0CD80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F042DD	5_2_00F042DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F09F28	5_2_00F09F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F0AE00	5_2_00F0AE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_015646A0	5_2_015646A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01563D50	5_2_01563D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01564672	5_2_01564672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01564690	5_2_01564690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0156D2E0	5_2_0156D2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06066C60	5_2_06066C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06067530	5_2_06067530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_060690F0	5_2_060690F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06066918	5_2_06066918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_060624B0	5_2_060624B0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: String function: 0606BED8 appears 46 times

Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameKygo.dll* vs SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWvRNvQqDKFGGvAlWFhquDEcwrJemX.exe4 vs SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.377690232.000000000ED90000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.368738849.0000000000ED2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRegistryValueOptions.exeZ vs SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.376636365.00000000090B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.378103149.000000000EE80000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.378103149.000000000EE80000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Binary or memory string: OriginalFilenameRegistryValueOptions.exeZ vs SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: sXNiyYIFndkxd.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 5.0.RegSvcs.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.RegSvcs.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.RegSvcs.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.RegSvcs.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/5@2/1

Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

File created: C:\Users\user\AppData\Roaming\sXNiyYIFndkxd.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6836:120:WilError_01
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Mutant created: \Sessions\1\BaseNamedObjects\jGmaaFOdSHSnPJ

Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

File created: C:\Users\user\AppData\Local\Temp\tmp2894.tmp

Jump to behavior

Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Virustotal: Detection: 30%
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	ReversingLabs: Detection: 15%

Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

File read: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe 'C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe'
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sXNiyYIFndkxd' /XML 'C:\Users\user\AppData\Local\Temp\tmp2894.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sXNiyYIFndkxd' /XML 'C:\Users\user\AppData\Local\Temp\tmp2894.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\Administrator\Desktop\Client\Temp\XobOtjQJOq\src\obj\x86\Debug\RegistryValueOptions.pdb< source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Source:	Binary string: C:\Users\Administrator\Desktop\Client\Temp\XobOtjQJOq\src\obj\x86\Debug\RegistryValueOptions.pdb source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, Aspiring_Rookie/DebuggableAttribute.cs	.Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: sXNiyYIFndkxd.exe.1.dr, Aspiring_Rookie/DebuggableAttribute.cs	.Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.de0000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs	.Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.de0000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs	.Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_3_05E0A011 push eax; retf	5_3_05E0A017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F0888A push 8BFFFFFFh; retf	5_2_00F08890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0606A61F push es; iretd	5_2_0606A63C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0606ED73 push eax; ret	5_2_0606EE51

Source: initial sample	Static PE information: section name: .text entropy: 7.86709142883
Source: initial sample	Static PE information: section name: .text entropy: 7.86709142883

Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	File created: \saudi aramco tender documents - boq and itb.exe
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	File created: \saudi aramco tender documents - boq and itb.exe
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	File created: \saudi aramco tender documents - boq and itb.exe	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	File created: \saudi aramco tender documents - boq and itb.exe	Jump to behavior

Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

File created: C:\Users\user\AppData\Roaming\sXNiyYIFndkxd.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sXNiyYIFndkxd' /XML 'C:\Users\user\AppData\Local\Temp\tmp2894.tmp'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe PID: 6556, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1927			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7912			Jump to behavior

Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe TID: 6560	Thread sleep time: -102923s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe TID: 6604	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Thread delayed: delay time: 102923	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000005.00000002.607253583.0000000005F00000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 00000005.00000002.607086422.0000000005E05000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT"
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 00000005.00000002.607253583.0000000005F00000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegSvcs.exe, 00000005.00000002.607253583.0000000005F00000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: RegSvcs.exe, 00000005.00000002.607253583.0000000005F00000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 5_2_00F01328 LdrInitializeThunk,

5_2_00F01328

Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C94008	Jump to behavior

Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sXNiyYIFndkxd' /XML 'C:\Users\user\AppData\Local\Temp\tmp2894.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe			Jump to behavior

Source: RegSvcs.exe, 00000005.00000002.601979809.00000000017A0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000005.00000002.601979809.00000000017A0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegSvcs.exe, 00000005.00000002.601979809.00000000017A0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: RegSvcs.exe, 00000005.00000002.601979809.00000000017A0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 5_2_060663F4 GetUserNameW,

5_2_060663F4

Source: C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.367493021.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.600007572.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.43a6a70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.43a6a70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.42883f0.2.raw.unpack, type: UNPACKEDPE

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.367493021.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.600007572.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6904, type: MEMORY
Source: Yara match	File source: Process Memory Space: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe PID: 6556, type: MEMORY
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.43a6a70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.43a6a70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.42883f0.2.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6904, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.367493021.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.600007572.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.43a6a70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.43a6a70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.42883f0.2.raw.unpack, type: UNPACKEDPE

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.367493021.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.600007572.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6904, type: MEMORY
Source: Yara match	File source: Process Memory Space: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe PID: 6556, type: MEMORY
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.43a6a70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.43a6a70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.42883f0.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Scheduled Task/Job1	Process Injection212	Disable or Modify Tools1	OS Credential Dumping2	Account Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Deobfuscate/Decode Files or Information11	Credentials in Registry1	File and Directory Discovery1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information4	Security Account Manager	System Information Discovery114	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing13	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Security Software Discovery321	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion141	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection212	DCSync	Virtualization/Sandbox Evasion141	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	30%	Virustotal		Browse
SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	15%	ReversingLabs	ByteCode-MSIL.Spyware.Negasteal
SAUDI ARAMCO Tender Documents - BOQ and ITB.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\sXNiyYIFndkxd.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\sXNiyYIFndkxd.exe	15%	ReversingLabs	ByteCode-MSIL.Spyware.Negasteal

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.0.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File
5.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
https://Tw98FI5QiWYWE4R7ojW.com	0%	Avira URL Cloud	safe
https://api.ipify.org%$	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://ocsp.sectigo.com0A	0%	URL Reputation	safe
http://ocsp.sectigo.com0A	0%	URL Reputation	safe
http://ocsp.sectigo.com0A	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://xaqngD.com	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us2.smtp.mailhostbox.com	208.91.199.223	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	RegSvcs.exe, 00000005.00000002.603275086.0000000003029000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://127.0.0.1:HTTP/1.1	RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.apache.org/licenses/LICENSE-2.0	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	false		high
http://DynDns.comDynDNS	RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://sectigo.com/CPS0	RegSvcs.exe, 00000005.00000002.603275086.0000000003029000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://us2.smtp.mailhostbox.com	RegSvcs.exe, 00000005.00000002.603275086.0000000003029000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	false		high
http://www.tiro.com	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://Tw98FI5QiWYWE4R7ojW.com	RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp	false		high
https://api.ipify.org%$	RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.carterandcone.coml	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	false		high
http://ocsp.sectigo.com0A	RegSvcs.exe, 00000005.00000002.603275086.0000000003029000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org%GETMozilla/5.0	RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.fonts.com	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://xaqngD.com	RegSvcs.exe, 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.369600695.00000000031A1000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.374301405.0000000006280000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe, 00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.367493021.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.91.199.223	us2.smtp.mailhostbox.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	432708
Start date:	10.06.2021
Start time:	17:30:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/5@2/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 97% Number of executed functions: 148 Number of non-executed functions: 12
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.43.139.144, 52.255.188.83, 92.122.145.220, 168.61.161.212, 13.64.90.137, 20.82.210.154, 2.20.142.209, 2.20.142.210, 51.103.5.159, 20.72.88.19, 20.54.26.129, 92.122.213.194, 92.122.213.247, 184.30.24.56 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, vip1-par02p.wns.notify.trafficmanager.net, eus2-consumerrp-displaycatalog-aks2aks-useast.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:31:18	API Interceptor	1x Sleep call for process: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe modified
17:31:38	API Interceptor	670x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
208.91.199.223	0PyeqVfoHGFVl2r.exe	Get hash	malicious	Browse
	Urgent Contract Order GH78566484,pdf.exe	Get hash	malicious	Browse
	ekrrUChjXvng9Vr.exe	Get hash	malicious	Browse
	order 4806125050.xlsx	Get hash	malicious	Browse
	BP4w3lADAPfOKmI.exe	Get hash	malicious	Browse
	PO -TXGU5022187.xlsx	Get hash	malicious	Browse
	FXDmHIiz25.exe	Get hash	malicious	Browse
	Urgent Contract Order GH7856648,pdf.exe	Get hash	malicious	Browse
	003BC09180600189.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Scr.Malcodegdn30.30554.exe	Get hash	malicious	Browse
	MOQ FOB ORDER_________.exe	Get hash	malicious	Browse
	YR1eBxhF96.exe	Get hash	malicious	Browse
	Quote SEQTE00311701.xlsx	Get hash	malicious	Browse
	sqQyO37l3c.exe	Get hash	malicious	Browse
	Urgent RFQ_AP65425652_032421,pdf.exe	Get hash	malicious	Browse
	INVOICE FOR PAYMENT_pdf____________________________________________.exe	Get hash	malicious	Browse
	MOQ FOB ORDER.exe	Get hash	malicious	Browse
	Txw9tCLc1Q.exe	Get hash	malicious	Browse
	E8aAJC09lVhRGbK.exe	Get hash	malicious	Browse
	payment confirmation copy.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
us2.smtp.mailhostbox.com	0PyeqVfoHGFVl2r.exe	Get hash	malicious	Browse	208.91.199.223
	SecuriteInfo.com.MachineLearning.Anomalous.97.15449.exe	Get hash	malicious	Browse	208.91.198.143
	lFccIK78FD.exe	Get hash	malicious	Browse	208.91.198.143
	Urgent Contract Order GH78566484,pdf.exe	Get hash	malicious	Browse	208.91.199.225
	MOQ FOB ORDER.exe	Get hash	malicious	Browse	208.91.199.225
	JK6Ul6IKioPWJ6Y.exe	Get hash	malicious	Browse	208.91.198.143
	ekrrUChjXvng9Vr.exe	Get hash	malicious	Browse	208.91.199.223
	SecuriteInfo.com.Trojan.PackedNET.832.15445.exe	Get hash	malicious	Browse	208.91.198.143
	order 4806125050.xlsx	Get hash	malicious	Browse	208.91.198.143
	SecuriteInfo.com.Trojan.PackedNET.831.28325.exe	Get hash	malicious	Browse	208.91.199.225
	G8mumaTxk5kFdBG.exe	Get hash	malicious	Browse	208.91.198.143
	Trial order 20210609.exe	Get hash	malicious	Browse	208.91.199.224
	BP4w3lADAPfOKmI.exe	Get hash	malicious	Browse	208.91.199.223
	4It7P3KCyYHUWHU.exe	Get hash	malicious	Browse	208.91.199.225
	PO -TXGU5022187.xlsx	Get hash	malicious	Browse	208.91.199.223
	Bestil 5039066002128.exe	Get hash	malicious	Browse	208.91.199.224
	COMPANY DOCUMENTS.exe	Get hash	malicious	Browse	208.91.199.225
	FXDmHIiz25.exe	Get hash	malicious	Browse	208.91.199.223
	Urgent Contract Order GH7856648,pdf.exe	Get hash	malicious	Browse	208.91.198.143
	SecuriteInfo.com.Trojan.MalPack.ADC.15816.exe	Get hash	malicious	Browse	208.91.198.143

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	0PyeqVfoHGFVl2r.exe	Get hash	malicious	Browse	208.91.199.223
	#U260e#Ufe0f Zeppelin.com AudioMessage_259-55.HTM	Get hash	malicious	Browse	207.174.212.247
	SecuriteInfo.com.MachineLearning.Anomalous.97.15449.exe	Get hash	malicious	Browse	208.91.198.143
	lFccIK78FD.exe	Get hash	malicious	Browse	208.91.198.143
	Order10 06 2021.doc	Get hash	malicious	Browse	162.215.241.145
	PO187439.exe	Get hash	malicious	Browse	119.18.54.126
	Urgent Contract Order GH78566484,pdf.exe	Get hash	malicious	Browse	208.91.199.223
	MOQ FOB ORDER.exe	Get hash	malicious	Browse	208.91.199.225
	JK6Ul6IKioPWJ6Y.exe	Get hash	malicious	Browse	208.91.198.143
	ekrrUChjXvng9Vr.exe	Get hash	malicious	Browse	208.91.199.223
	SecuriteInfo.com.Trojan.PackedNET.832.15445.exe	Get hash	malicious	Browse	208.91.198.143
	order 4806125050.xlsx	Get hash	malicious	Browse	208.91.199.223
	Bank Swift.doc	Get hash	malicious	Browse	162.215.241.145
	SecuriteInfo.com.Trojan.PackedNET.831.28325.exe	Get hash	malicious	Browse	208.91.199.225
	Trial order 20210609.exe	Get hash	malicious	Browse	208.91.199.224
	BP4w3lADAPfOKmI.exe	Get hash	malicious	Browse	208.91.199.223
	4It7P3KCyYHUWHU.exe	Get hash	malicious	Browse	208.91.199.225
	PO -TXGU5022187.xlsx	Get hash	malicious	Browse	208.91.199.223
	Bestil 5039066002128.exe	Get hash	malicious	Browse	208.91.199.224
	Doc2000120201.xls	Get hash	malicious	Browse	103.21.59.173

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe.log Download File
Process:	C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp2894.tmp Download File
Process:	C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1658
Entropy (8bit):	5.165150822696325
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3+Otn:cbha7JlNQV/rydbz9I3YODOLNdq3n
MD5:	3D4A4232313A8C77051BC8881B947A49
SHA1:	56E98C5408F3D45EC82B03C3CCF511C8A972AE49
SHA-256:	7124E726CC2893A43A14639936466452A4656D461D34F5C41EADA3F5B22E4EAE
SHA-512:	43A7C2FCD3B29B73986215E72BF6E68E62D6EA94D2693C7A990A89076352DCBFD71FBA96DEC0991D306153603EE513BDDDA8361C7D41280045AC2325C0F5FB98
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail

C:\Users\user\AppData\Roaming\djtasvra.svm\Chrome\Default\Cookies Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6951152985249047
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBopIvJn2QOYiUG3PaVrX:T5LLOpEO5J/Kn7U1uBopIvZXC/alX
MD5:	EA7F9615D77815B5FFF7C15179C6C560
SHA1:	3D1D0BAC6633344E2B6592464EBB957D0D8DD48F
SHA-256:	A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
SHA-512:	9C818471F69758BD4884FDB9B543211C9E1EE832AC29C2C5A0377C412454E8C745FB3F38FF6E3853AE365D04933C0EC55A46DDA60580D244B308F92C57258C98
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\sXNiyYIFndkxd.exe Download File
Process:	C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	979968
Entropy (8bit):	7.860191369488232
Encrypted:	false
SSDEEP:	12288:zMRIOXqxYM9iIfFKfffFZgK5tRevE7I/JUKg1PEGdvGM62zn1XuyvqwcgabMNLYE:YtDtRPI/Ff152z8iq9gVnNeBUdt
MD5:	D482D04BD4113F1F9F08E39BCA4A3F27
SHA1:	783F25F265C34681FFCA9E5C8AC5BEBECC71BBC6
SHA-256:	9973C00CF203198A16D3D897FA85D46896F04EA9D58B23917EAEA32A3DE4D5E4
SHA-512:	A5E65F1145AF4FDF8E0BD57602918F31EF80E2E9061BEDA08DEDB9E3CDDDF7A8C704FA968B9BF809AD53AD60B14796DB7590C71D5FEC12ED54BC3B5F1F939287
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 15%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\..`..............P.............f.... ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text...l.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................H.......H........T..p...........<X...............................................0............(!...(".........(.....o#.........................($......(%......(&......('......((....N..(....o....()....&..(.....s+........s,........s-........s.........s/............0...........~....o0....+...0...........~....o1....+...0...........~....o2....+...0...........~....o3....+...0...........~....o4....+..&..(5.......0..<........~.....(6.....,!r...p.....(7...o8...s9............~.....

C:\Users\user\AppData\Roaming\sXNiyYIFndkxd.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.860191369488232
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
File size:	979968
MD5:	d482d04bd4113f1f9f08e39bca4a3f27
SHA1:	783f25f265c34681ffca9e5c8ac5bebecc71bbc6
SHA256:	9973c00cf203198a16d3d897fa85d46896f04ea9d58b23917eaea32a3de4d5e4
SHA512:	a5e65f1145af4fdf8e0bd57602918f31ef80e2e9061beda08dedb9e3cdddf7a8c704fa968b9bf809ad53ad60b14796db7590c71d5fec12ed54bc3b5f1f939287
SSDEEP:	12288:zMRIOXqxYM9iIfFKfffFZgK5tRevE7I/JUKg1PEGdvGM62zn1XuyvqwcgabMNLYE:YtDtRPI/Ff152z8iq9gVnNeBUdt
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\..`..............P.............f.... ... ....@.. .......................`............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4f0766
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60C1CE5C [Thu Jun 10 08:33:32 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf0714	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf2000	0x680	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xf05dc	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xee76c	0xee800	False	0.881842079403	data	7.86709142883	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xf2000	0x680	0x800	False	0.34423828125	data	3.58292180879	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf4000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xf2090	0x3f0	SysEx File - OctavePlateau
RT_MANIFEST	0xf2490	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Sutton Grammar School 2015
Assembly Version	1.0.0.0
InternalName	RegistryValueOptions.exe
FileVersion	1.0.0.0
CompanyName	Sutton Grammar School
LegalTrademarks
Comments
ProductName	Aspiring Rookie - Basketball
ProductVersion	1.0.0.0
FileDescription	Aspiring Rookie - Basketball
OriginalFilename	RegistryValueOptions.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 10, 2021 17:33:10.479696035 CEST	49756	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:10.650477886 CEST	587	49756	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:10.650916100 CEST	49756	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:10.976522923 CEST	587	49756	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:10.976864100 CEST	49756	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:11.146600008 CEST	587	49756	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:11.146632910 CEST	587	49756	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:11.146975994 CEST	49756	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:11.316747904 CEST	587	49756	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:11.377764940 CEST	49756	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:11.390568972 CEST	49756	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:11.560448885 CEST	587	49756	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:11.560492039 CEST	587	49756	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:11.560516119 CEST	587	49756	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:11.560534000 CEST	587	49756	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:11.560560942 CEST	587	49756	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:11.560617924 CEST	49756	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:11.612189054 CEST	49756	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:11.730477095 CEST	587	49756	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:11.737428904 CEST	49756	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:11.911520004 CEST	587	49756	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:11.955981016 CEST	49756	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:12.303128004 CEST	49756	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:12.473335028 CEST	587	49756	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:12.475898981 CEST	49756	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:12.648720980 CEST	587	49756	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:12.649444103 CEST	49756	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:12.821443081 CEST	587	49756	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:12.822817087 CEST	49756	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:12.993475914 CEST	587	49756	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:12.994048119 CEST	49756	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:13.173991919 CEST	587	49756	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:13.174715996 CEST	49756	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:13.345331907 CEST	587	49756	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:13.346647978 CEST	49756	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:13.346919060 CEST	49756	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:13.347495079 CEST	49756	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:13.347585917 CEST	49756	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:13.518923044 CEST	587	49756	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:13.519177914 CEST	587	49756	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:13.618015051 CEST	587	49756	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:13.659260988 CEST	49756	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:15.134013891 CEST	49756	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:15.304059982 CEST	587	49756	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:15.304088116 CEST	587	49756	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:15.304160118 CEST	49756	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:15.515398979 CEST	49756	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:16.027684927 CEST	49757	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:16.197911978 CEST	587	49757	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:16.198132038 CEST	49757	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:16.371243954 CEST	587	49757	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:16.371661901 CEST	49757	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:16.541378021 CEST	587	49757	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:16.541405916 CEST	587	49757	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:16.541645050 CEST	49757	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:16.711458921 CEST	587	49757	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:16.711849928 CEST	49757	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:16.883419991 CEST	587	49757	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:16.883455038 CEST	587	49757	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:16.883476973 CEST	587	49757	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:16.883491039 CEST	587	49757	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:16.883512020 CEST	587	49757	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:16.883584023 CEST	49757	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:16.883625031 CEST	49757	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:17.056153059 CEST	587	49757	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:17.057250977 CEST	49757	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:17.231990099 CEST	587	49757	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:17.232983112 CEST	49757	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:17.402968884 CEST	587	49757	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:17.403321981 CEST	49757	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:17.574265957 CEST	587	49757	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:17.574795008 CEST	49757	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:17.746846914 CEST	587	49757	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:17.747157097 CEST	49757	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:17.918132067 CEST	587	49757	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:17.920967102 CEST	49757	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:18.099750042 CEST	587	49757	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:18.103147030 CEST	49757	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:18.273401022 CEST	587	49757	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:18.275242090 CEST	49757	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:18.275263071 CEST	49757	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:18.275304079 CEST	49757	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:18.275405884 CEST	49757	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:18.275486946 CEST	49757	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:18.275499105 CEST	49757	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:18.275679111 CEST	49757	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:18.275696993 CEST	49757	587	192.168.2.6	208.91.199.223
Jun 10, 2021 17:33:18.446731091 CEST	587	49757	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:18.446763039 CEST	587	49757	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:18.446875095 CEST	587	49757	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:18.550154924 CEST	587	49757	208.91.199.223	192.168.2.6
Jun 10, 2021 17:33:18.600295067 CEST	49757	587	192.168.2.6	208.91.199.223

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 10, 2021 17:31:02.454706907 CEST	49448	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:31:02.507204056 CEST	53	49448	8.8.8.8	192.168.2.6
Jun 10, 2021 17:31:03.388907909 CEST	60342	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:31:03.439327002 CEST	53	60342	8.8.8.8	192.168.2.6
Jun 10, 2021 17:31:03.515969038 CEST	61346	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:31:03.575881958 CEST	53	61346	8.8.8.8	192.168.2.6
Jun 10, 2021 17:31:04.163563013 CEST	51774	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:31:04.213637114 CEST	53	51774	8.8.8.8	192.168.2.6
Jun 10, 2021 17:31:05.071180105 CEST	56023	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:31:05.121479034 CEST	53	56023	8.8.8.8	192.168.2.6
Jun 10, 2021 17:31:05.872792006 CEST	58384	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:31:05.923058987 CEST	53	58384	8.8.8.8	192.168.2.6
Jun 10, 2021 17:31:06.869925976 CEST	60261	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:31:06.920420885 CEST	53	60261	8.8.8.8	192.168.2.6
Jun 10, 2021 17:31:07.955598116 CEST	56061	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:31:08.008680105 CEST	53	56061	8.8.8.8	192.168.2.6
Jun 10, 2021 17:31:09.124854088 CEST	58336	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:31:09.183629990 CEST	53	58336	8.8.8.8	192.168.2.6
Jun 10, 2021 17:31:09.926561117 CEST	53781	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:31:09.977077961 CEST	53	53781	8.8.8.8	192.168.2.6
Jun 10, 2021 17:31:10.834800005 CEST	54064	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:31:10.885247946 CEST	53	54064	8.8.8.8	192.168.2.6
Jun 10, 2021 17:31:12.394650936 CEST	52811	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:31:12.446430922 CEST	53	52811	8.8.8.8	192.168.2.6
Jun 10, 2021 17:31:13.730518103 CEST	55299	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:31:13.783741951 CEST	53	55299	8.8.8.8	192.168.2.6
Jun 10, 2021 17:31:14.656606913 CEST	63745	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:31:14.708142042 CEST	53	63745	8.8.8.8	192.168.2.6
Jun 10, 2021 17:31:15.470185041 CEST	50055	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:31:15.523374081 CEST	53	50055	8.8.8.8	192.168.2.6
Jun 10, 2021 17:31:16.412583113 CEST	61374	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:31:16.467366934 CEST	53	61374	8.8.8.8	192.168.2.6
Jun 10, 2021 17:31:17.370920897 CEST	50339	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:31:17.423866987 CEST	53	50339	8.8.8.8	192.168.2.6
Jun 10, 2021 17:31:18.502713919 CEST	63307	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:31:18.557754993 CEST	53	63307	8.8.8.8	192.168.2.6
Jun 10, 2021 17:31:19.511921883 CEST	49694	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:31:19.570600986 CEST	53	49694	8.8.8.8	192.168.2.6
Jun 10, 2021 17:31:38.596976042 CEST	54982	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:31:38.672111988 CEST	53	54982	8.8.8.8	192.168.2.6
Jun 10, 2021 17:31:57.697578907 CEST	50010	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:31:57.758120060 CEST	53	50010	8.8.8.8	192.168.2.6
Jun 10, 2021 17:31:59.005544901 CEST	63718	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:31:59.065460920 CEST	53	63718	8.8.8.8	192.168.2.6
Jun 10, 2021 17:31:59.138434887 CEST	62116	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:31:59.200548887 CEST	53	62116	8.8.8.8	192.168.2.6
Jun 10, 2021 17:31:59.669686079 CEST	63816	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:31:59.728132010 CEST	53	63816	8.8.8.8	192.168.2.6
Jun 10, 2021 17:32:00.213629961 CEST	55014	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:32:00.272160053 CEST	53	55014	8.8.8.8	192.168.2.6
Jun 10, 2021 17:32:01.232726097 CEST	62208	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:32:01.292577982 CEST	53	62208	8.8.8.8	192.168.2.6
Jun 10, 2021 17:32:02.512305975 CEST	57574	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:32:02.562861919 CEST	53	57574	8.8.8.8	192.168.2.6
Jun 10, 2021 17:32:03.533533096 CEST	51818	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:32:03.586412907 CEST	53	51818	8.8.8.8	192.168.2.6
Jun 10, 2021 17:32:04.535249949 CEST	56628	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:32:04.575356960 CEST	60778	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:32:04.599773884 CEST	53	56628	8.8.8.8	192.168.2.6
Jun 10, 2021 17:32:04.637058020 CEST	53	60778	8.8.8.8	192.168.2.6
Jun 10, 2021 17:32:05.478972912 CEST	53799	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:32:05.529314995 CEST	53	53799	8.8.8.8	192.168.2.6
Jun 10, 2021 17:32:07.022960901 CEST	54683	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:32:07.084357977 CEST	53	54683	8.8.8.8	192.168.2.6
Jun 10, 2021 17:32:08.825927973 CEST	59329	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:32:08.880645990 CEST	53	59329	8.8.8.8	192.168.2.6
Jun 10, 2021 17:32:10.282305956 CEST	64021	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:32:10.336668968 CEST	53	64021	8.8.8.8	192.168.2.6
Jun 10, 2021 17:32:36.095303059 CEST	56129	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:32:36.156645060 CEST	53	56129	8.8.8.8	192.168.2.6
Jun 10, 2021 17:32:36.544816971 CEST	58177	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:32:36.603729963 CEST	53	58177	8.8.8.8	192.168.2.6
Jun 10, 2021 17:32:40.335472107 CEST	50700	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:32:40.400543928 CEST	53	50700	8.8.8.8	192.168.2.6
Jun 10, 2021 17:33:00.480405092 CEST	54069	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:33:00.542309046 CEST	53	54069	8.8.8.8	192.168.2.6
Jun 10, 2021 17:33:10.290950060 CEST	61178	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:33:10.355426073 CEST	53	61178	8.8.8.8	192.168.2.6
Jun 10, 2021 17:33:15.963887930 CEST	57017	53	192.168.2.6	8.8.8.8
Jun 10, 2021 17:33:16.025271893 CEST	53	57017	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 10, 2021 17:33:10.290950060 CEST	192.168.2.6	8.8.8.8	0xb231	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)
Jun 10, 2021 17:33:15.963887930 CEST	192.168.2.6	8.8.8.8	0x3f46	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jun 10, 2021 17:33:10.355426073 CEST	8.8.8.8	192.168.2.6	0xb231	No error (0)	us2.smtp.mailhostbox.com	208.91.199.223	A (IP address)	IN (0x0001)
Jun 10, 2021 17:33:10.355426073 CEST	8.8.8.8	192.168.2.6	0xb231	No error (0)	us2.smtp.mailhostbox.com	208.91.199.225	A (IP address)	IN (0x0001)
Jun 10, 2021 17:33:10.355426073 CEST	8.8.8.8	192.168.2.6	0xb231	No error (0)	us2.smtp.mailhostbox.com	208.91.198.143	A (IP address)	IN (0x0001)
Jun 10, 2021 17:33:10.355426073 CEST	8.8.8.8	192.168.2.6	0xb231	No error (0)	us2.smtp.mailhostbox.com	208.91.199.224	A (IP address)	IN (0x0001)
Jun 10, 2021 17:33:16.025271893 CEST	8.8.8.8	192.168.2.6	0x3f46	No error (0)	us2.smtp.mailhostbox.com	208.91.199.223	A (IP address)	IN (0x0001)
Jun 10, 2021 17:33:16.025271893 CEST	8.8.8.8	192.168.2.6	0x3f46	No error (0)	us2.smtp.mailhostbox.com	208.91.199.225	A (IP address)	IN (0x0001)
Jun 10, 2021 17:33:16.025271893 CEST	8.8.8.8	192.168.2.6	0x3f46	No error (0)	us2.smtp.mailhostbox.com	208.91.198.143	A (IP address)	IN (0x0001)
Jun 10, 2021 17:33:16.025271893 CEST	8.8.8.8	192.168.2.6	0x3f46	No error (0)	us2.smtp.mailhostbox.com	208.91.199.224	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jun 10, 2021 17:33:10.976522923 CEST	587	49756	208.91.199.223	192.168.2.6	220 us2.outbound.mailhostbox.com ESMTP Postfix
Jun 10, 2021 17:33:10.976864100 CEST	49756	587	192.168.2.6	208.91.199.223	EHLO 651689
Jun 10, 2021 17:33:11.146632910 CEST	587	49756	208.91.199.223	192.168.2.6	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
Jun 10, 2021 17:33:11.146975994 CEST	49756	587	192.168.2.6	208.91.199.223	STARTTLS
Jun 10, 2021 17:33:11.316747904 CEST	587	49756	208.91.199.223	192.168.2.6	220 2.0.0 Ready to start TLS
Jun 10, 2021 17:33:16.371243954 CEST	587	49757	208.91.199.223	192.168.2.6	220 us2.outbound.mailhostbox.com ESMTP Postfix
Jun 10, 2021 17:33:16.371661901 CEST	49757	587	192.168.2.6	208.91.199.223	EHLO 651689
Jun 10, 2021 17:33:16.541405916 CEST	587	49757	208.91.199.223	192.168.2.6	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
Jun 10, 2021 17:33:16.541645050 CEST	49757	587	192.168.2.6	208.91.199.223	STARTTLS
Jun 10, 2021 17:33:16.711458921 CEST	587	49757	208.91.199.223	192.168.2.6	220 2.0.0 Ready to start TLS

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe PID: 6556 Parent PID: 6088

General

Start time:	17:31:09
Start date:	10/06/2021
Path:	C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SAUDI ARAMCO Tender Documents - BOQ and ITB.exe'
Imagebase:	0xde0000
File size:	979968 bytes
MD5 hash:	D482D04BD4113F1F9F08E39BCA4A3F27
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.370688660.00000000041A9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.369670905.00000000031E1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6824 Parent PID: 6556

General

Start time:	17:31:22
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sXNiyYIFndkxd' /XML 'C:\Users\user\AppData\Local\Temp\tmp2894.tmp'
Imagebase:	0xb90000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6836 Parent PID: 6824

General

Start time:	17:31:25
Start date:	10/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 6904 Parent PID: 6556

General

Start time:	17:31:27
Start date:	10/06/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0xa10000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.367493021.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.367493021.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.600007572.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.600007572.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.602052323.0000000002CC1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SAUDI ARAMCO Tender Documents - BOQ and ITB.exe PID: 6556 Parent PID: 6088 SAUDI ARAMCO Tender Documents - BOQ and ITB.exeCOMMON

Executed Functions

Function 0925CEF8, Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

rr, xrefs: 0925D2BD

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID: rr
API String ID: 0-3467296675
Opcode ID: 8b8a4f84561e88668647af173db9ae8d266d01eaec1f98c0879cbb88005c9d06
Instruction ID: 194ae3a7edf7765571cd891bc5f93987054bc6153bd156a29d136da73ba07118
Opcode Fuzzy Hash: 8b8a4f84561e88668647af173db9ae8d266d01eaec1f98c0879cbb88005c9d06
Instruction Fuzzy Hash: D7D14974D2420ADFCB04DF95C4859AEFBB2FF88340B14D56AD816AB254D734E982CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0E809420, Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

mn&, xrefs: 0E809549

Memory Dump Source

Source File: 00000001.00000002.377352219.000000000E800000.00000040.00000001.sdmp, Offset: 0E800000, based on PE: false

Similarity

API ID:
String ID: mn&
API String ID: 0-2844665948
Opcode ID: 63dd93be7ef660c9ad61bafe1dffb173d9e2699fff32d531a2537cbf09eeb5ef
Instruction ID: a4e599630b2d7bc2e4d9e25084a168eb7d614c79c61ae8fba9afdf8a26be5122
Opcode Fuzzy Hash: 63dd93be7ef660c9ad61bafe1dffb173d9e2699fff32d531a2537cbf09eeb5ef
Instruction Fuzzy Hash: 3E811074E01249AFCB44DFE5D8845AEBBB6FF89310F21852AE816AB394DB349901CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0E808D80, Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.377352219.000000000E800000.00000040.00000001.sdmp, Offset: 0E800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c36ba8b113aed5b55a49a00daa7f9ad0f8554295ac98ccb803e4b66d79c55cb2
Instruction ID: 5752660e75669814c6dec5a06c30b904e55d8970d7163101a716230ce0584a11
Opcode Fuzzy Hash: c36ba8b113aed5b55a49a00daa7f9ad0f8554295ac98ccb803e4b66d79c55cb2
Instruction Fuzzy Hash: 8AC1F870E06318AFDB48CFA5D944A9EFBB2FB89300F209629D809FB294D7759D418F14

Uniqueness

Uniqueness Score: -1.00%

Function 0E80CC78, Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.377352219.000000000E800000.00000040.00000001.sdmp, Offset: 0E800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b82d31a7390f132f300150080a466969c0e0133cc60f9d1dd7e58d5b4871a2f
Instruction ID: bfbf290ad555aa6251d4c8b9cf0b1453f5ad1010a6d01b78b1f18bede9331155
Opcode Fuzzy Hash: 1b82d31a7390f132f300150080a466969c0e0133cc60f9d1dd7e58d5b4871a2f
Instruction Fuzzy Hash: FFD1C234A006048FCB58DF69C998BA9B7F1BF4D314F2585A8E509EB3A1DB31AD45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 09257A60, Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ffe6ed59defd4bc1b5006db658effb40be43943e72ced24a9ed7e4a3524f0c
Instruction ID: 27bef553a6126460002c43230c5094457c8827494456490ea7b5507ae8f7fa06
Opcode Fuzzy Hash: 18ffe6ed59defd4bc1b5006db658effb40be43943e72ced24a9ed7e4a3524f0c
Instruction Fuzzy Hash: E6A12570E20219CBDF14DFA9C944BEEBBB6BF89304F14D469D809B7240EB7459868F50

Uniqueness

Uniqueness Score: -1.00%

Function 09257A51, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 488236df46135fec2290f045f3fe0273d6d764a4d422a8a95cf7881228b9fc08
Instruction ID: fc09023a97998d404b03932ce40c0e4182c6976c62b06a5f7c1b0e14816aaac4
Opcode Fuzzy Hash: 488236df46135fec2290f045f3fe0273d6d764a4d422a8a95cf7881228b9fc08
Instruction Fuzzy Hash: B5813870E20219CFDB14DFB9C944BEEBBB6BF89304F14D4A9D809A7241EB345A858F10

Uniqueness

Uniqueness Score: -1.00%

Function 0925ACD0, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692fec0911917a5a939f002c823c06110b78346b6b09d7f1547753586b64c2c0
Instruction ID: f31f3dc5257a666c4bceea6b9aa308209da028f58073876ef20669212451ff0f
Opcode Fuzzy Hash: 692fec0911917a5a939f002c823c06110b78346b6b09d7f1547753586b64c2c0
Instruction Fuzzy Hash: 4581C274E112098FCB08DFEAD98569EFBB2AF89300F10912AD81ABB364D7759845CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0E808650, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.377352219.000000000E800000.00000040.00000001.sdmp, Offset: 0E800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 483e6e07076befb67bf260a88555e3b07341484565b529594a5c4bfb149e831b
Instruction ID: 458f917ac01cfa1ce4aad7d673c5094cd264863093a110bb79339e038405dcec
Opcode Fuzzy Hash: 483e6e07076befb67bf260a88555e3b07341484565b529594a5c4bfb149e831b
Instruction Fuzzy Hash: B4514970E16218DBCB88CFA5D9445DEFBF6FB8D311F14A52AD006F7294D73498418B29

Uniqueness

Uniqueness Score: -1.00%

Function 0925B578, Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67491c7d4427b5fda235d30a2e2c8db4707a49a7603ed146f2aefc5b9b458d5c
Instruction ID: f63e2656aec153686a2eef654f08825a52f9afbd5a57865f86347db1be2586a2
Opcode Fuzzy Hash: 67491c7d4427b5fda235d30a2e2c8db4707a49a7603ed146f2aefc5b9b458d5c
Instruction Fuzzy Hash: F4511874E206198FDB08CFAAC5456AEFBF2FF88301F14D52AD80AA7264D7748941CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0E80DB38, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.377352219.000000000E800000.00000040.00000001.sdmp, Offset: 0E800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b340ee385485af33ec9eb475cedd5fea1225db488b46d9e7ab59be4cd6a8a592
Instruction ID: ee21bfcf3a6d5babb5984540cf795a5be26a81e400075bd2346a0815364d9622
Opcode Fuzzy Hash: b340ee385485af33ec9eb475cedd5fea1225db488b46d9e7ab59be4cd6a8a592
Instruction Fuzzy Hash: FE311174D06218DFDB449FE5D868BEDBAF0AB4A305F10542AE005B32C0DBB84D81CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0925BFF8, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b04c6466ac0fb891a1f7f272692b74dc38586c0ec84657548b0b5c917db3ba
Instruction ID: 1433d5c2435c734f8d2c06c30d32861b4da5ade0e5621527ed718aa7e1440e2d
Opcode Fuzzy Hash: 34b04c6466ac0fb891a1f7f272692b74dc38586c0ec84657548b0b5c917db3ba
Instruction Fuzzy Hash: 59210771E106188BEB18CF9AD9443DEFBF7AFC8310F14C02AD809A6258DB740945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03136B88, Relevance: 6.1, APIs: 4, Instructions: 125threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 03136BF8
GetCurrentThread.KERNEL32 ref: 03136C35
GetCurrentProcess.KERNEL32 ref: 03136C72
GetCurrentThreadId.KERNEL32 ref: 03136CCB

Memory Dump Source

Source File: 00000001.00000002.369456646.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7492a62d3470c918b7b122607bef380d957cd030f910ee111e4e5dca8081ccb4
Instruction ID: a91326076f2fcdcd020f80fdf9321c5f11f4c8b25c27c614448a8c0902a43b35
Opcode Fuzzy Hash: 7492a62d3470c918b7b122607bef380d957cd030f910ee111e4e5dca8081ccb4
Instruction Fuzzy Hash: 835145B49002499FDB14DFAADA88B9EBBF0EF4D314F248459E419B7250DB34A884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 03136B98, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 03136BF8
GetCurrentThread.KERNEL32 ref: 03136C35
GetCurrentProcess.KERNEL32 ref: 03136C72
GetCurrentThreadId.KERNEL32 ref: 03136CCB

Memory Dump Source

Source File: 00000001.00000002.369456646.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4df2d1f3313fe4141a15d7182c01bbe1309e7fd5118782f0490431d217d138c3
Instruction ID: 92f647fd58657c127cfaed2b67c5214839165e7677aa7c2b0c77c4a59d8279ed
Opcode Fuzzy Hash: 4df2d1f3313fe4141a15d7182c01bbe1309e7fd5118782f0490431d217d138c3
Instruction Fuzzy Hash: DB5155B09002499FDB14DFAADA88B9EBBF0EF4D314F248059E019B7350DB34A884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0E8071A8, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0E8073DE

Memory Dump Source

Source File: 00000001.00000002.377352219.000000000E800000.00000040.00000001.sdmp, Offset: 0E800000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 42682afb74694d67fec2c80baf0aa75747e635b1b9945bd76a81b83050004e4b
Instruction ID: e8f2c5156d5e26680079e9d334d8949630746567dd671876ac1b6bdeef81adb5
Opcode Fuzzy Hash: 42682afb74694d67fec2c80baf0aa75747e635b1b9945bd76a81b83050004e4b
Instruction Fuzzy Hash: 3E917E71D006598FEB60DF68CC817DEBBB2BF48314F14856AE809E7280DB759985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0313BBB8, Relevance: 1.7, APIs: 1, Instructions: 202COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0313BE0E

Memory Dump Source

Source File: 00000001.00000002.369456646.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e65b647093bbb32097152c88d38374403e1030bdd6d494648b5d0396cafc9e93
Instruction ID: 070b3b8697ae5a2b3a3a7bf220869698459ba15d34dfc09a5b2e820f19f0f7d3
Opcode Fuzzy Hash: e65b647093bbb32097152c88d38374403e1030bdd6d494648b5d0396cafc9e93
Instruction Fuzzy Hash: E1714670A04B058FDB24DF2AD44179AB7F1FF89214F048A2DD49ADBB40EB35E8498F91

Uniqueness

Uniqueness Score: -1.00%

Function 0313DC6D, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0313DD8A

Memory Dump Source

Source File: 00000001.00000002.369456646.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 54f32dd94171207c627fc615ba97ecee1e41091e27009251d41fa880a1b5db41
Instruction ID: a266495ab8cc4223bd9b27bb181ce43a04e2ebb0834ae58f85a1148e5c36e1de
Opcode Fuzzy Hash: 54f32dd94171207c627fc615ba97ecee1e41091e27009251d41fa880a1b5db41
Instruction Fuzzy Hash: 3151B0B1D00309DFDB14DF99D884ADEBBB5BF48314F24812AE819AB250D774A985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0313DC78, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0313DD8A

Memory Dump Source

Source File: 00000001.00000002.369456646.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b2b9dac9d1a63c20a6fb17c1c0f8ec56b94cf81442862bff5544ecc5668058fb
Instruction ID: f775e548c98ee198ee53ef308b46db0b54eb91e23b562f709f7a712ad840a0e7
Opcode Fuzzy Hash: b2b9dac9d1a63c20a6fb17c1c0f8ec56b94cf81442862bff5544ecc5668058fb
Instruction Fuzzy Hash: 8941CEB1D00309DFDB14CF99D884ADEFBB6BF88314F24812AE819AB250D7749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 03136D49, Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03136E47

Memory Dump Source

Source File: 00000001.00000002.369456646.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8def92b9d78110212031dc7e0b57bff5da02c75edddbfea4d7b323c4b3a507b6
Instruction ID: 7e86b8e4ea70d12d0a5cfbdbdbc7e3853aa50d3df5e8c51f3f2824064b97ba69
Opcode Fuzzy Hash: 8def92b9d78110212031dc7e0b57bff5da02c75edddbfea4d7b323c4b3a507b6
Instruction Fuzzy Hash: A3414776900208AFCB01DFA9D884AEEBFF9EB4D314F18805AF914A7310C735A954DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0E806F20, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0E806FB0

Memory Dump Source

Source File: 00000001.00000002.377352219.000000000E800000.00000040.00000001.sdmp, Offset: 0E800000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 47d1a874e45b4315a1785cdcb855bdf263cb4228b1fa473a1b0f275ad4dc9ad7
Instruction ID: b281b12c4eef46bf9e78c18c9ac60406958695dd9a0724c2caadcafaea741f85
Opcode Fuzzy Hash: 47d1a874e45b4315a1785cdcb855bdf263cb4228b1fa473a1b0f275ad4dc9ad7
Instruction Fuzzy Hash: D82126719003499FCB10DFA9C884BDEBBF5FF48324F10842AE919A7240DB789954DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03136DB8, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03136E47

Memory Dump Source

Source File: 00000001.00000002.369456646.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 50d56d5b9f3bce84566676a2f348d8fc0f0eda8e650d593cf7a38b96e9699f35
Instruction ID: 89f633839cae97403c2e691c2e6cc4b28f874e985af8f7623545e41a8a761def
Opcode Fuzzy Hash: 50d56d5b9f3bce84566676a2f348d8fc0f0eda8e650d593cf7a38b96e9699f35
Instruction Fuzzy Hash: 0621E3B5901208AFDB10DFAAD984ADEBBF8EF48324F14841AE914B3310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0E806D88, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 0E806E06

Memory Dump Source

Source File: 00000001.00000002.377352219.000000000E800000.00000040.00000001.sdmp, Offset: 0E800000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: d58e182f426317c109bf1c2307c9d11faf6fa78e56c5a7e974e8b3eaf71d8da0
Instruction ID: 6c6ac27cdec9142af32b0598a6e8d35e63a14ab5cd4415401db3a34030a3a3e1
Opcode Fuzzy Hash: d58e182f426317c109bf1c2307c9d11faf6fa78e56c5a7e974e8b3eaf71d8da0
Instruction Fuzzy Hash: 16211871D003098FDB50DFAAC8847EEBBF5AF48224F54842DE519A7640DB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0E807010, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0E807090

Memory Dump Source

Source File: 00000001.00000002.377352219.000000000E800000.00000040.00000001.sdmp, Offset: 0E800000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b0119e5a02ae1b394df03d785a876af55092dc59d1a3ac2ca2ef3d500c7a2482
Instruction ID: 43b7ae621e8706de2c7e060ce0d0870b06399ca4dba8d4005d737f4fe541869a
Opcode Fuzzy Hash: b0119e5a02ae1b394df03d785a876af55092dc59d1a3ac2ca2ef3d500c7a2482
Instruction Fuzzy Hash: 6C2128718003499FCB10DFAAC884BDEBBF5FF48314F50842AE519A7240DB79A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03136DC0, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03136E47

Memory Dump Source

Source File: 00000001.00000002.369456646.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c64795abb2466866d52385880cee24ab0691d91a1d2355400e585acd49076c8d
Instruction ID: fb6f64548ee8d9432560c71ec99068256643df78e6f0685765efdc74e2f96af6
Opcode Fuzzy Hash: c64795abb2466866d52385880cee24ab0691d91a1d2355400e585acd49076c8d
Instruction Fuzzy Hash: FD21C2B5901208AFDB10CFAAD984ADEBBF9EB48324F14841AE915B3310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0E802838, Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0E8028AB

Memory Dump Source

Source File: 00000001.00000002.377352219.000000000E800000.00000040.00000001.sdmp, Offset: 0E800000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 559e284a52dd67141805e93510863a17fae82790961bcfb69d62acea998e7ce5
Instruction ID: abf7b117d4b3a88efe6aa3b2ad65dd8e7f8c5b5a76293108addb9fc3882d9f8c
Opcode Fuzzy Hash: 559e284a52dd67141805e93510863a17fae82790961bcfb69d62acea998e7ce5
Instruction Fuzzy Hash: 7E2117759002099FDB10DF9AC884BDEFBF4FB48324F108429E958A7250D774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0313B0B0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0313BE89,00000800,00000000,00000000), ref: 0313C09A

Memory Dump Source

Source File: 00000001.00000002.369456646.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: bf202b0841a2a3249871f614f8f88bb9b8736e3af0f2e3a4b1b7fab13ad335a2
Instruction ID: 3d3284cc42a6bd81d56ef6f9af2da7e5d1cb9fe939cda6d3497fc341d208ce34
Opcode Fuzzy Hash: bf202b0841a2a3249871f614f8f88bb9b8736e3af0f2e3a4b1b7fab13ad335a2
Instruction Fuzzy Hash: C21114B6900248CFCB20DF9AC444BDEFBF4EB49324F14842AE915B7200C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0313C028, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0313BE89,00000800,00000000,00000000), ref: 0313C09A

Memory Dump Source

Source File: 00000001.00000002.369456646.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: bcbf14e1dccfe8baecd12d1b4cb3c8e5fd6d00756006917b97b25a223c33f750
Instruction ID: 83b013ea3e7b6bb1faceda7ac856c1daab9848f6a6279603010c9bb7937123e5
Opcode Fuzzy Hash: bcbf14e1dccfe8baecd12d1b4cb3c8e5fd6d00756006917b97b25a223c33f750
Instruction Fuzzy Hash: 5E1117B6C002498FDB20DFAAD484BDEFBF4EB89314F14851AE415B7200C775A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0E806E60, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0E806ECE

Memory Dump Source

Source File: 00000001.00000002.377352219.000000000E800000.00000040.00000001.sdmp, Offset: 0E800000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 297fa7ed1a2fea12c2ba99760ad55d5cbc34ca76b1d8ccf6bbc24a45e5188b84
Instruction ID: c0708561cbce963fa48172356db992959eff13fcc5f1a90f2eed08b43e680cd3
Opcode Fuzzy Hash: 297fa7ed1a2fea12c2ba99760ad55d5cbc34ca76b1d8ccf6bbc24a45e5188b84
Instruction Fuzzy Hash: 371137719003489FCF10DFAAC844BDFBBF5AF48324F248419E515A7250CB75A954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0E8066B8, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0E80671A

Memory Dump Source

Source File: 00000001.00000002.377352219.000000000E800000.00000040.00000001.sdmp, Offset: 0E800000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c9b5866604da1835e85c518f84d2a32ce99fc7c70c1e681aad3f5a313269d811
Instruction ID: 8fea3ae2e6245aa376f38954308c926a12171013abb519b71942b1dbddff628d
Opcode Fuzzy Hash: c9b5866604da1835e85c518f84d2a32ce99fc7c70c1e681aad3f5a313269d811
Instruction Fuzzy Hash: A9113A719003488FCB20DFAAC8447DEFBF5AF88228F248419D515A7740DB78A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0313BDA8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0313BE0E

Memory Dump Source

Source File: 00000001.00000002.369456646.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c9f1a1df94bf12bcd9f4dec7f624fbcb632a6569c55a6045213808500f913357
Instruction ID: e78be8e919ab57f5bc8165f97e262d1cb00a34d247e90e1aec2420d8ec4ed419
Opcode Fuzzy Hash: c9f1a1df94bf12bcd9f4dec7f624fbcb632a6569c55a6045213808500f913357
Instruction Fuzzy Hash: 261110B6C002498FCB20DF9AC844BDEFBF4EF88224F14842AD829A7200D374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0313DEB9, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0313DF1D

Memory Dump Source

Source File: 00000001.00000002.369456646.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 6ea9aa176d8486bdffb019b55a8db8e104f903317aef1f78091a7d0068b9abba
Instruction ID: 1bcea7aefb761a7f0ab38b2eb025da5c1c995dff6fd1d0dcce694857d26431cd
Opcode Fuzzy Hash: 6ea9aa176d8486bdffb019b55a8db8e104f903317aef1f78091a7d0068b9abba
Instruction Fuzzy Hash: F81103B58002099FDB20DF99D888BDEBBF8EB49324F24845AE915B7300C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0E80C3C8, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0E80C425

Memory Dump Source

Source File: 00000001.00000002.377352219.000000000E800000.00000040.00000001.sdmp, Offset: 0E800000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d1d4ee709447a8054f7f735c3364b7253b47024c79f59c0a70c69f60f160ec8f
Instruction ID: adac129cadd5a726d5edd79eb452ebab71b07fcd69e098b0ff380b9813b837be
Opcode Fuzzy Hash: d1d4ee709447a8054f7f735c3364b7253b47024c79f59c0a70c69f60f160ec8f
Instruction Fuzzy Hash: C91100B58003489FDB20DF9AC889BDEFBF8FB48324F10841AE515A3240C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0313DEC0, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0313DF1D

Memory Dump Source

Source File: 00000001.00000002.369456646.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 68362384ff1194218887e7aaff3dfca098ec68f7156eae2a6c639fb314807415
Instruction ID: 0d675f68b6378b622a90df7bb67d2d1cd26e8a1d1807d22e632b39b73e262174
Opcode Fuzzy Hash: 68362384ff1194218887e7aaff3dfca098ec68f7156eae2a6c639fb314807415
Instruction Fuzzy Hash: DC1115B58002088FDB20DF99D488BDEFBF8EB48324F14841AE915A3300C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 09258377, Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 026e61cf219b4f74b0aef3c94a94d4bd42a7edf887fb1053fdfe100cf6ce089f
Instruction ID: b7f4eba953f3e17c35d56d01b8222e359457eaf18b09490a786095bd95bcbcd5
Opcode Fuzzy Hash: 026e61cf219b4f74b0aef3c94a94d4bd42a7edf887fb1053fdfe100cf6ce089f
Instruction Fuzzy Hash: EC712374E14249CFCB00DFE8C5886EEBBB2BF49314F249529D80AAB345D7B49885CF60

Uniqueness

Uniqueness Score: -1.00%

Function 092570F0, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d689f6901e32aa2028f0363bf654e519d9fc9e34b77ad5681fd05811b5b9ea
Instruction ID: 5f85b7fea976138cf235b13bd1d8e376924962cb43cc30091efcb04fe7b4fcb5
Opcode Fuzzy Hash: e6d689f6901e32aa2028f0363bf654e519d9fc9e34b77ad5681fd05811b5b9ea
Instruction Fuzzy Hash: 0F613A35A10609DFCB14DFA8C854A9DBBB5FF88310F118169E80AAB360DB71ED85CF80

Uniqueness

Uniqueness Score: -1.00%

Function 092570E1, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 436d140637e4bfff5499deab069c1220d98b125987eed4010f06569cd52a3b9b
Instruction ID: 256637f9499b31ecde2c57d95de92b18dafcd00c757e063831c5ab9d94c63930
Opcode Fuzzy Hash: 436d140637e4bfff5499deab069c1220d98b125987eed4010f06569cd52a3b9b
Instruction Fuzzy Hash: 8B612935A10619DFCB14DFA8C954A9DBBB5FF88310F118169E80AAB364DB71ED85CF80

Uniqueness

Uniqueness Score: -1.00%

Function 09256928, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: defb5b9d4781ec2d3212b4c2b760381f44ee771f878832199bd5b523c777ba63
Instruction ID: 02038cba0ffbc0764d812cb6876f99376ae12fde39e42bc03e395f813f1e4475
Opcode Fuzzy Hash: defb5b9d4781ec2d3212b4c2b760381f44ee771f878832199bd5b523c777ba63
Instruction Fuzzy Hash: 92419031B102068FCB14EB79D8489AFBBF6EFC42657158569E919DB350EF30DC058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 09255EC8, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adaf314d06777539c241983ae9c77ce02f094289b1fddf4e48d746d3693d4871
Instruction ID: ed7c0c55c05039bb4616e120d71271de6ce9eb8223255044e7eac910db523067
Opcode Fuzzy Hash: adaf314d06777539c241983ae9c77ce02f094289b1fddf4e48d746d3693d4871
Instruction Fuzzy Hash: F0515A70D263098BCB04CFA9D8456AEBBF6BF89304F548069E80AA7254EB749905CF50

Uniqueness

Uniqueness Score: -1.00%

Function 09255ED8, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1209de15580970b5a325fa4957c7ca2d0189b71a61823b76113280b9f442a0d2
Instruction ID: 037a7f44e0fab0411fd8f44fd93008aed37457996c1846f3152fda4365d46de4
Opcode Fuzzy Hash: 1209de15580970b5a325fa4957c7ca2d0189b71a61823b76113280b9f442a0d2
Instruction Fuzzy Hash: 8B511474E21209CBCB04DFE9D4856EEBBF2BF89300F508429E80AAB344DB759946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0925677C, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dd86fed1701b27bbd5fa6764e938d925f29abc57e95eeaa71c4eb1b9d3545a4
Instruction ID: 2b79aaade601f1e52ffa2fa001f1a88d0ed0af0582bf31aef10e94bfc7364157
Opcode Fuzzy Hash: 6dd86fed1701b27bbd5fa6764e938d925f29abc57e95eeaa71c4eb1b9d3545a4
Instruction Fuzzy Hash: 27412871D1070A9FCB10EFA9C8446EEFBF4EF89310F10C51AE959B3200E774A9858BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0925B790, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b59f10730d7b33312f19f9610ad87067be7c7e74c37c513b6ac61fb27e475870
Instruction ID: 61ce43235b9ce5f850d69ce59e4f22df881698d256f73cb1348c77c7d7690888
Opcode Fuzzy Hash: b59f10730d7b33312f19f9610ad87067be7c7e74c37c513b6ac61fb27e475870
Instruction Fuzzy Hash: FD31C3B4E15209DFCB44CFAAC580AAEBBF2FF88300F50956AD819A7754D7749A41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0179D3EC, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.369267239.000000000179D000.00000040.00000001.sdmp, Offset: 0179D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90fdccf89de87aac06180e4babc08a5109a739b18cbe7c33c378d82101fa96cd
Instruction ID: f6d20a74750b0d6ff53e81f887c71734e8a92ed27c53e3dddc0df402fad76c54
Opcode Fuzzy Hash: 90fdccf89de87aac06180e4babc08a5109a739b18cbe7c33c378d82101fa96cd
Instruction Fuzzy Hash: 4E2108B1504200EFDF15DF54E9C0B66FB65FB84324F24C5A9ED054B256C336E44AC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0179D4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.369267239.000000000179D000.00000040.00000001.sdmp, Offset: 0179D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e687878e36f7edb3989c620880dc30c9a26c63dda177c33ee1f05c80fcf43a6
Instruction ID: 62b48fe8ba5d86c756450679c46acabc35779c5465b51ea816bf9d3c9f44ac9a
Opcode Fuzzy Hash: 2e687878e36f7edb3989c620880dc30c9a26c63dda177c33ee1f05c80fcf43a6
Instruction Fuzzy Hash: A421F8B1504240DFDF25DF94E9C0B26FB65FB88328F3485A9E9054B256C336D85AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 017AD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.369288933.00000000017AD000.00000040.00000001.sdmp, Offset: 017AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 088322116017ea09e1e1555ac88bdc6ec384a1d32b12afe0ba7e12e0cef6e364
Instruction ID: 5fdd55a9ea5827510686d9a9c6f27719d1b52a658aef87b97e931e6be46c8127
Opcode Fuzzy Hash: 088322116017ea09e1e1555ac88bdc6ec384a1d32b12afe0ba7e12e0cef6e364
Instruction Fuzzy Hash: FD2133B1544200EFCB20DF64D9C0B13FB61EB88254F60C6A9E8094B646C336D807CA61

Uniqueness

Uniqueness Score: -1.00%

Function 017AD1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.369288933.00000000017AD000.00000040.00000001.sdmp, Offset: 017AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88a5ba63adb3fd82cdaeff8c07951b2a17b413659e820013b6797c5770230a40
Instruction ID: 2c3f3d69cdff4553ece5af7957c83529b45d82eedeedb238525fbc3c2e74deb9
Opcode Fuzzy Hash: 88a5ba63adb3fd82cdaeff8c07951b2a17b413659e820013b6797c5770230a40
Instruction Fuzzy Hash: 972107B1508200EFDB21DF94D9C0B26FB65FBC4328F64C6ADE9094B686C736D846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 09256ACC, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69fc53e391683aa8e20f09948c14344a085e7b787e98c508d366c0047e51f8da
Instruction ID: f949f4b5c980dc9481f7f33e1983d312b345c8465716e6cc384f2256bf4cd1f6
Opcode Fuzzy Hash: 69fc53e391683aa8e20f09948c14344a085e7b787e98c508d366c0047e51f8da
Instruction Fuzzy Hash: 6F31E0B0D116589FDB20DF99C589BCEBBF5AF08314F64805AE805BB280C7B55949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 09256AD8, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b863826b853cd83a3b2f6e5dfd12891f19a85cb35e238dd406d58f180d6a3084
Instruction ID: 4ba499e6e01c5b478b36e7eb562e339ae154791f9fcd84ea9aced1e4b87bcc2e
Opcode Fuzzy Hash: b863826b853cd83a3b2f6e5dfd12891f19a85cb35e238dd406d58f180d6a3084
Instruction Fuzzy Hash: 4721FFB0D11658DFDB20DF99C988B8EBBF5AB08314F64801AE805BB240C7B55945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0925D5C0, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab214157a1a9a356b83b3562636b810828d75d958f83ee711401f364d1cb9936
Instruction ID: e0046a8761de551f19d31ab1bd1f16ae2e8c033702e4781cac8da43cf8c9f2e8
Opcode Fuzzy Hash: ab214157a1a9a356b83b3562636b810828d75d958f83ee711401f364d1cb9936
Instruction Fuzzy Hash: F62107B4E15109EFCB04DFA9D684A9EBBF6EB88204F14D4A6D81AAB354D730DA01DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0925691B, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f11caa73ceaf1e0bdb74af8ef05348592f5e53db29523983d2f95a29a2965f7b
Instruction ID: d6d97e68dfa7638a2ed635b529216331e1758bfb4f2319d988c4a80346c17d38
Opcode Fuzzy Hash: f11caa73ceaf1e0bdb74af8ef05348592f5e53db29523983d2f95a29a2965f7b
Instruction Fuzzy Hash: 4A11E5B5A002164BCF10EF79884567FB7FBFBC4260B548529E819D7340EF309D018791

Uniqueness

Uniqueness Score: -1.00%

Function 09256440, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1045d3be48ecfa3edc837c20bfa0197a3d88748c09207ac0a173511743711f04
Instruction ID: 31bae699eaf5289b0c536729ee758dec04db2f80e667511c64f49a49b5ffac80
Opcode Fuzzy Hash: 1045d3be48ecfa3edc837c20bfa0197a3d88748c09207ac0a173511743711f04
Instruction Fuzzy Hash: F3119A31B102498F8B24EBB889115EEB7B2AF88354B504139C909EB341EF318D0ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0179D3E7, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.369267239.000000000179D000.00000040.00000001.sdmp, Offset: 0179D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51ec13b725027092ed1aa9eddd4cc34221202fdb6ccf77713265fee64c56290e
Instruction ID: 78eb36f457bb61a667ff465a7784465393723b87865bdc6a99d2eb7485a64913
Opcode Fuzzy Hash: 51ec13b725027092ed1aa9eddd4cc34221202fdb6ccf77713265fee64c56290e
Instruction Fuzzy Hash: D6119D76404280DFCF16CF54D5C4B56BF62FB84324F24C6A9D8080A666C33AE45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0179D4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.369267239.000000000179D000.00000040.00000001.sdmp, Offset: 0179D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51ec13b725027092ed1aa9eddd4cc34221202fdb6ccf77713265fee64c56290e
Instruction ID: b3babc40a3391651d583da2928fd6a008d9f9fb873405fe7df7cc4a7d1b848fc
Opcode Fuzzy Hash: 51ec13b725027092ed1aa9eddd4cc34221202fdb6ccf77713265fee64c56290e
Instruction Fuzzy Hash: 04119D76404280CFCF12CF54D5C4B16BF72FB84224F2486A9D8050B656C33AD55ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 017AD1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.369288933.00000000017AD000.00000040.00000001.sdmp, Offset: 017AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e28340385b1710160ca1763a38498d136049f55007f6243fe0149fbfabe2558
Instruction ID: bc5b97d852a679cf514186123f2171b02ca9f32cd0ebf9e878e309bc1b8fef66
Opcode Fuzzy Hash: 8e28340385b1710160ca1763a38498d136049f55007f6243fe0149fbfabe2558
Instruction Fuzzy Hash: 4F118B75908280DFDB12CF54D5C4B15FBB1FB84224F28C6A9D8494BA96C33AD44ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 017AD017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.369288933.00000000017AD000.00000040.00000001.sdmp, Offset: 017AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e28340385b1710160ca1763a38498d136049f55007f6243fe0149fbfabe2558
Instruction ID: 87c50d1145edfc1c8be8c56bef99ccbc95f4dd5fb9cd15d39a7da046bd4d031c
Opcode Fuzzy Hash: 8e28340385b1710160ca1763a38498d136049f55007f6243fe0149fbfabe2558
Instruction Fuzzy Hash: 5511BE75544280CFCB12CF14D5C4B16FB71FB88314F24C6A9D8494BA56C33AD44BCB61

Uniqueness

Uniqueness Score: -1.00%

Function 0179D771, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.369267239.000000000179D000.00000040.00000001.sdmp, Offset: 0179D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb4af4876c172011dab58e4c1af00cc39c838a380fb251417e572fc7294cb1a
Instruction ID: f46c845b14a60dc6ff3b2ac51bab9961381706dc9bbb0c93bff14e4c65d1ccfa
Opcode Fuzzy Hash: 8fb4af4876c172011dab58e4c1af00cc39c838a380fb251417e572fc7294cb1a
Instruction Fuzzy Hash: 4301F771009384AAEF309B69EC84B6AFB98EF40774F18C459ED055A243C3789848C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 09257330, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ff4d6a735494a50b673a9154ddbd2a758c9d89f1fb836df4f92886b25d7899
Instruction ID: 8d58514e84c5d3a1432a3b3b61387cf96394a9fef6f54fc231d20390a2357cf0
Opcode Fuzzy Hash: 44ff4d6a735494a50b673a9154ddbd2a758c9d89f1fb836df4f92886b25d7899
Instruction Fuzzy Hash: 4D111B72D10B0B9ACB01EFA9C8416EAFBB4FF99310B14DA1AD558B7500E770A6D58B90

Uniqueness

Uniqueness Score: -1.00%

Function 0925A058, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46c1eca941aa826a2e469bf8ee353d3a8986fe729f5b9b6d77c383dbe598904e
Instruction ID: 7289d3c9e6cfcbc0044a344020092d952ae3e85dace6395c5828292573862b1f
Opcode Fuzzy Hash: 46c1eca941aa826a2e469bf8ee353d3a8986fe729f5b9b6d77c383dbe598904e
Instruction Fuzzy Hash: 02F0A434A32208DFC744DFB4E54929EBBB6EB89351F108565C80ED3204DB308A55DB52

Uniqueness

Uniqueness Score: -1.00%

Function 0179D770, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.369267239.000000000179D000.00000040.00000001.sdmp, Offset: 0179D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75ecb800624e5f0d3d2cdf246e354189ee172f72ef8d3e9badea052731d3fc88
Instruction ID: c8898f075aa55bb66a65a6f6a9eadec86c100c7b1ca7fea5be8f66783988aec2
Opcode Fuzzy Hash: 75ecb800624e5f0d3d2cdf246e354189ee172f72ef8d3e9badea052731d3fc88
Instruction Fuzzy Hash: 1AF062714092849EEB218A1ADC84B66FF98EB41774F28C45AED095B286C3789848CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 09256F28, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 035628af1aca271071af9ad890d4cd3b6b48f3f0019f8d47e816d32f38ecfc8c
Instruction ID: 9ca2f777bd71a76a030eb4ae306ac245665b3c3868545033b8e450ac89267668
Opcode Fuzzy Hash: 035628af1aca271071af9ad890d4cd3b6b48f3f0019f8d47e816d32f38ecfc8c
Instruction Fuzzy Hash: 67F082B6B041545FD714CA699884D6BBBE9EFCD224755807AE50CDB355D9308C0587A0

Uniqueness

Uniqueness Score: -1.00%

Function 09256F38, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dbed7f5c5796702dd122db56ac71b4623b254e5699d8f9a5d52fabbe2b713ed
Instruction ID: 39ee72d9d121edbe202dc5f5cfe9f86f6be2ae1f7c93f4423535b2ca979bb6db
Opcode Fuzzy Hash: 3dbed7f5c5796702dd122db56ac71b4623b254e5699d8f9a5d52fabbe2b713ed
Instruction Fuzzy Hash: E2E039727041286F5314DA6AE888C6BBBEEEBCD664351817AF508CB310DA309C0486A0

Uniqueness

Uniqueness Score: -1.00%

Function 09259FF8, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e81d20d8f3f4eb46878cb130df0ad1350df7867566cd1a24dde7b302fab450dc
Instruction ID: b856b8638830d018641da968071ee29b4fd40c0e0e372c04b137d5b897c68c6e
Opcode Fuzzy Hash: e81d20d8f3f4eb46878cb130df0ad1350df7867566cd1a24dde7b302fab450dc
Instruction Fuzzy Hash: 62F03430C26308EFCB09CFE4D4016EDBBB0EB48301F0080AAD80996261D6348A81DF80

Uniqueness

Uniqueness Score: -1.00%

Function 09256F80, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a1d6fd6afcdc0614e553595b6fbf9350285660fe4bc3e59345042cca7d28e27
Instruction ID: c26e988c8b3dd8be004e73fa746c2fb606d70739bf7be6052f988db4072900f3
Opcode Fuzzy Hash: 0a1d6fd6afcdc0614e553595b6fbf9350285660fe4bc3e59345042cca7d28e27
Instruction Fuzzy Hash: DCE0863A7405005FC7009E99D845F47BFBAEFDA721F058065F509CB761CE61DC038A94

Uniqueness

Uniqueness Score: -1.00%

Function 09258130, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584cdb899dd6548db2064526cc138e0375ad5f266a27b8ca865f9b66d8aadbc8
Instruction ID: bd5573420f56efd498bfcd54a4621ab29563413eb90b3c545b8b72e53d95adb6
Opcode Fuzzy Hash: 584cdb899dd6548db2064526cc138e0375ad5f266a27b8ca865f9b66d8aadbc8
Instruction Fuzzy Hash: 30E09A3092A348AFCB00EFE89881A9D7FF89B46205F1000AA8808E3342F6B44E04DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0925AAB1, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec66c2f9557130c10e6974a4b30b488d7929515b8cbb6971b02cf649600a0cdc
Instruction ID: fc7f9be6529e4b73b8cdbd987f2ced645ac9940510f3f928c6f3f2b38df436a1
Opcode Fuzzy Hash: ec66c2f9557130c10e6974a4b30b488d7929515b8cbb6971b02cf649600a0cdc
Instruction Fuzzy Hash: ACF0F8B0D19219CBEB60DBA8D840789BBB1BB55310F0096E6C42CBB284E7305E84CF65

Uniqueness

Uniqueness Score: -1.00%

Function 09255E83, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49573a2bf0f1ebc7d6162b61300f07618cb6c9833e322c397bc7f483aaf5980d
Instruction ID: ac6044287fd3ebef1067afa68019a42eed878225d218736e862d88f7432a1945
Opcode Fuzzy Hash: 49573a2bf0f1ebc7d6162b61300f07618cb6c9833e322c397bc7f483aaf5980d
Instruction Fuzzy Hash: 42E04F79C2520CEFCB00DFF8E94AB9CBFB8AB44215F5440A9B80AA3341E7348A50DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0925A008, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ace02fbf1d36f1b1f2312c2dbe2f2964adef234e370f8b20338e3c880620ba1
Instruction ID: 5daeaede08f9c88755659f12494da6d58969e5cb6a3cd9b642b620ee47f9d91c
Opcode Fuzzy Hash: 8ace02fbf1d36f1b1f2312c2dbe2f2964adef234e370f8b20338e3c880620ba1
Instruction Fuzzy Hash: 47E0E574D26308EFCB14DFA8D5416ADBBB8EB88304F1081A9D809A3310E7359A51DF80

Uniqueness

Uniqueness Score: -1.00%

Function 09258B6B, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d599e1dc043cb0d95f43a05cf0ab0e97c9abc1a606bba521696d0d80c1b141
Instruction ID: 886bef5cbb255dc4c8ce080fb9c262b80507fef3476b8eb2bc1f511f898f1d43
Opcode Fuzzy Hash: 29d599e1dc043cb0d95f43a05cf0ab0e97c9abc1a606bba521696d0d80c1b141
Instruction Fuzzy Hash: F2E01A74921208EFCB80DFE8D585A9CBBF8EB48224F1440A9E809D3321D7719A40CF40

Uniqueness

Uniqueness Score: -1.00%

Function 09258B70, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e427dc14ae1a9e65db4cf5bf94738512d6e096b7a753b13250b36ff04e9914c
Instruction ID: 5a123a3ade276bf9fb333fcd803e517c56a9f9f86c7bd50a8d080dce078c163a
Opcode Fuzzy Hash: 6e427dc14ae1a9e65db4cf5bf94738512d6e096b7a753b13250b36ff04e9914c
Instruction Fuzzy Hash: 2DE04F74921208DFCB40DFE8D545A9CBBF8EB08224F1040E9DC09D3321D7719A40CF40

Uniqueness

Uniqueness Score: -1.00%

Function 09256F90, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8183e8182be0d936b817f2b9bf56d45cd754d680e422d952ddab4df7372151
Instruction ID: d0a7b6d3c02e0d8962568b57a99c5fc55a92716ccb5f776e8621334b12517690
Opcode Fuzzy Hash: ef8183e8182be0d936b817f2b9bf56d45cd754d680e422d952ddab4df7372151
Instruction Fuzzy Hash: 43D0123A3005149FC3149A4AD804D4ABBA9EFD9721B158066F609C7360CA71EC01CA94

Uniqueness

Uniqueness Score: -1.00%

Function 09255E90, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e99eb33f93303796ae6ed4908767dec6d97633a237d10280043168068a6dece3
Instruction ID: 0cb7883233e086f2026a13edd9b356b012c6bb72dd3311a875fa5b63a5909e38
Opcode Fuzzy Hash: e99eb33f93303796ae6ed4908767dec6d97633a237d10280043168068a6dece3
Instruction Fuzzy Hash: 6BE0EC3892520CEFCB40EFF8E549A9CBFB8AB44205F1044A9B80AA3250EB319A51DB51

Uniqueness

Uniqueness Score: -1.00%

Function 09258140, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50cca23e332bbb8d8bbbacc7665f5b87e9f31337eee2f087ca7b56f105878fab
Instruction ID: d4ce1ab4c51a9735dc4a6624be63149d43c844d54020ae25470639a33df4c5b3
Opcode Fuzzy Hash: 50cca23e332bbb8d8bbbacc7665f5b87e9f31337eee2f087ca7b56f105878fab
Instruction Fuzzy Hash: 28E0E270926208AFCB40EFE895456ADBFF8AB49204F1044A99909A3351EBB09A54EB91

Uniqueness

Uniqueness Score: -1.00%

Function 0925ABE6, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc2f7ccdaae7a7c1172c4cd969f6a092d033b258f2bee88baf47eb0a0e8e599b
Instruction ID: 1e735213f290984259ef925dca9405f72b1dfbd5ece269c5904803d7960c8a5a
Opcode Fuzzy Hash: fc2f7ccdaae7a7c1172c4cd969f6a092d033b258f2bee88baf47eb0a0e8e599b
Instruction Fuzzy Hash: 7CE012709142599EDB50EBA5C841A88B7B1AB44200F00C99AD01EF7150D6308986CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0925AB6B, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a288378dac040c7838b2164cd18f2ce1b13d6097eb6a4a4c693db11ca8c1f1c
Instruction ID: 3e430db1d8c0da4dba213aad70e4d8ed0985a973902d4ea3fa98a7dfec958081
Opcode Fuzzy Hash: 4a288378dac040c7838b2164cd18f2ce1b13d6097eb6a4a4c693db11ca8c1f1c
Instruction Fuzzy Hash: 63E09A70914259DFDB94EFA5D840A8DB7B1AB44204F00C9AAD41DF6254DB305E86CF25

Uniqueness

Uniqueness Score: -1.00%

Function 09256408, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8605afbf50463791380cdb0f6955f7a2e79b8de88d775c343501869a5317c996
Instruction ID: becae85904c3da1a8170b31d84bd0fba7b0480b682bea9d112c975a30e6c42ac
Opcode Fuzzy Hash: 8605afbf50463791380cdb0f6955f7a2e79b8de88d775c343501869a5317c996
Instruction Fuzzy Hash: 73C0122E211004AEDA06BAA0CC1AF4A6A62EF64708FC4D0919844AA1B2D726E019DB82

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0925F428, Relevance: 2.6, Strings: 2, Instructions: 110COMMON

Download Yara Rule

Strings

LvzH, xrefs: 0925F4D7
Io9&, xrefs: 0925F53D

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID: Io9&$LvzH
API String ID: 0-1775580978
Opcode ID: 6193a5eb67e9d61b4f81e6bd66f6c05977556a507b80ac3fc896fb9851e6c5ed
Instruction ID: b5f50cd59b53a5eda2fa8a32275c7c2ba8ce0638ffd4519bd113f23c44b5df8e
Opcode Fuzzy Hash: 6193a5eb67e9d61b4f81e6bd66f6c05977556a507b80ac3fc896fb9851e6c5ed
Instruction Fuzzy Hash: 5541E7B0E15209DBCB04CFAAC6406EEFBF2BF88310F24D569C906B7254D7349A45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0925E900, Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

&%L, xrefs: 0925EAE1

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID: &%L
API String ID: 0-3437750946
Opcode ID: f6a1fad6a2d1943a0e2381304b03e1cdf60edfb8b75a63c81e8d43573a80688b
Instruction ID: 124e9bf80582069e0ababdf3c94a072e5be46f95dc4d0cf98b453a3069bb0362
Opcode Fuzzy Hash: f6a1fad6a2d1943a0e2381304b03e1cdf60edfb8b75a63c81e8d43573a80688b
Instruction Fuzzy Hash: DC7127B4D2421AEFCB44CFA9C5809AEFBB2FF48350F15951AD816A7314D374AA42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0925EFC8, Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

R[A, xrefs: 0925F01F

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID: R[A
API String ID: 0-2951331637
Opcode ID: ca28bd133bd180fabf9ce18c07c1c88387aed496b86ed58689b07f28c78fd2b6
Instruction ID: 0dbac786a9c4265c3ffb8decd2830f75576d6300f12bf91f3d4cd620f05a4b5f
Opcode Fuzzy Hash: ca28bd133bd180fabf9ce18c07c1c88387aed496b86ed58689b07f28c78fd2b6
Instruction Fuzzy Hash: 7541C770E2520ADBCB44CFAAC9806EEFBF2BB88350F24D469D415A7258D7349A418F95

Uniqueness

Uniqueness Score: -1.00%

Function 09250040, Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

-, xrefs: 09254114

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: b0b359364aaa3bf1041a35785914cf9a8e98b0095c3ca5878822b6d1272e326b
Instruction ID: 4edae7c1055045a38a783b6527c2935d510b47bd0e0eefb5237136bab32cf1b1
Opcode Fuzzy Hash: b0b359364aaa3bf1041a35785914cf9a8e98b0095c3ca5878822b6d1272e326b
Instruction Fuzzy Hash: F1413071E156588BEB5CCF6B8C4078AFAF7AFC9300F14D1BA980DA6258DB7006858F11

Uniqueness

Uniqueness Score: -1.00%

Function 0313C2B0, Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.369456646.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fe1f9f4434df54307204417a86975b998bb8ad42d25ac025b57a01277c4ac00
Instruction ID: c7bb9d94b9df3d95f852a95ff593ce947a7a4a5e6a79877ac76e221a3506e5ca
Opcode Fuzzy Hash: 3fe1f9f4434df54307204417a86975b998bb8ad42d25ac025b57a01277c4ac00
Instruction Fuzzy Hash: D7525BB1500706CFD718EF24E4C81997BB2FB4A328F915218D1636B6D9D3B865CACFA4

Uniqueness

Uniqueness Score: -1.00%

Function 092574A0, Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdff52d17f4015419c1902659c0c9c9df79d4014dce2a7719f0a6c640eac6c60
Instruction ID: e43c9ddfb504ef27ed72b48e55bce294309ab267f19d94a0f27786538aba59f2
Opcode Fuzzy Hash: cdff52d17f4015419c1902659c0c9c9df79d4014dce2a7719f0a6c640eac6c60
Instruction Fuzzy Hash: AEE1F531C2075A9ACB10EBA4D994A9DB7B1FFD5200F50CB9AE14977210EB706EC9CF91

Uniqueness

Uniqueness Score: -1.00%

Function 03139970, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.369456646.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5612372b398f7fc3a14037c92910543d57898feca294c8bf379ad2b27f9bd582
Instruction ID: 68ab9ce2390b984d7160549fd8354372acd22df7de37854ccd566dada70df5a0
Opcode Fuzzy Hash: 5612372b398f7fc3a14037c92910543d57898feca294c8bf379ad2b27f9bd582
Instruction Fuzzy Hash: 32A17D76E00719CFCF05DFB5C84459EBBB6FF8A300B19856AE805BB221EB31A945CB40

Uniqueness

Uniqueness Score: -1.00%

Function 092574B0, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fc8bb47ab4a5aeca04b679b8c3b1159458be817a427e002c29aa1e8ad3b3a5
Instruction ID: abbbf9233bd9de45c55830f2ea1eaf38035834b7d6d9c40ed0c2a180405f93bd
Opcode Fuzzy Hash: 26fc8bb47ab4a5aeca04b679b8c3b1159458be817a427e002c29aa1e8ad3b3a5
Instruction Fuzzy Hash: C5D1E330C2065A9ACB10EBA4D994A9DB7B1FFD5200F50CB9AE10977214EB706EC9CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0925AFB0, Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98a202f1b2be536359edc34eac4e42fd1f9587f0db970cde24d574fceeba3b9c
Instruction ID: 4bceae08a4a2af9e6746e93e10103d4365bf24b14e75503ac303f2158dd6191e
Opcode Fuzzy Hash: 98a202f1b2be536359edc34eac4e42fd1f9587f0db970cde24d574fceeba3b9c
Instruction Fuzzy Hash: 7BB1E974E1521ADFCB44EFA4D480A9EFBB2FF88310F108559E519AB358DB70A946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0925F1E8, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c14907c977fe1b7b142bf9e095da70d68afcc2b6d22b243bb6e27aa5ecd875
Instruction ID: aac8ce9104cce4c9832bbad258077bd51658af409e90f5ff5d9a143dc124e453
Opcode Fuzzy Hash: 36c14907c977fe1b7b142bf9e095da70d68afcc2b6d22b243bb6e27aa5ecd875
Instruction Fuzzy Hash: 0961E3B4E252198FCB04CFAAD684ADEFBF2BB88350F24942AD805F7254D7749A41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 09250006, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea8ec91a2073a628b02b1ff97d4c13ae73a336a8a63c5a9de39ead8a2dd136e8
Instruction ID: ca7cfc185a3668abf79ba6f028b630b1bec6230d58566cd877ad6a33eee26cef
Opcode Fuzzy Hash: ea8ec91a2073a628b02b1ff97d4c13ae73a336a8a63c5a9de39ead8a2dd136e8
Instruction Fuzzy Hash: 6D419571E156588BEB1DCF678C40789FAF7AFC5210F18C1FAD84CAA265DA7406858F11

Uniqueness

Uniqueness Score: -1.00%

Function 0925A0E1, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376847190.0000000009250000.00000040.00000001.sdmp, Offset: 09250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 022028b637d159e6605dea4be8bc95a0575af8ea4eacc803869c75b7c46769cc
Instruction ID: f29deca366e602617f143c1dc5ac4904e2ab06e0a39d086e5c943a7186eef8a0
Opcode Fuzzy Hash: 022028b637d159e6605dea4be8bc95a0575af8ea4eacc803869c75b7c46769cc
Instruction Fuzzy Hash: EC21FF71E156189FEB08CFABD80569EFBF7AFC9200F04C1BAD818A6254EB304556CF51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 6904 Parent PID: 6556 RegSvcs.exeCOMMON

Executed Functions

Function 01563D50, Relevance: 1.8, APIs: 1, Instructions: 303COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01564116

Memory Dump Source

Source File: 00000005.00000002.601881062.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 40040fe6ff30c125457ec5fe9938d562acef98ecef1a17bb1aafcc4cefb101fd
Instruction ID: fa284ac575552ee7f66fe362e8abe84c83b8b4c9d706c28978c6d815fb4322a2
Opcode Fuzzy Hash: 40040fe6ff30c125457ec5fe9938d562acef98ecef1a17bb1aafcc4cefb101fd
Instruction Fuzzy Hash: 2EC18B70A006069FDB54EF69C48466EBBF5FF88214B10892DE54ADB791EF74E841CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00F01328, Relevance: 1.7, APIs: 1, Instructions: 180libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F01369

Memory Dump Source

Source File: 00000005.00000002.600714979.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 112b061ba45f94c1ffb46969df8ccd97ba174ed2812ff29c3447b5d88e16431c
Instruction ID: 7c7e3bfc0b05ddc22a6c816b0009655f94fc0239ab9583cc544893950bbfea7a
Opcode Fuzzy Hash: 112b061ba45f94c1ffb46969df8ccd97ba174ed2812ff29c3447b5d88e16431c
Instruction Fuzzy Hash: E0612D31A10209DFDB14EFB5D8587AEB7B6BF88315F148828E4029B394DF759845EF50

Uniqueness

Uniqueness Score: -1.00%

Function 060663F4, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 0606B633

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: e3883e670042b09b67f7dbf8223e674521fbd650866a578ea0c2392d9ddee66c
Instruction ID: 8c251e06883e87677c5be8163089b3bec0c5bf975c336550e55fb22d4fc84ed7
Opcode Fuzzy Hash: e3883e670042b09b67f7dbf8223e674521fbd650866a578ea0c2392d9ddee66c
Instruction Fuzzy Hash: 3B5101B0E002188FDB54DFAAC898BDEBBF1BF48314F158129E815BB351DB749854CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0606CAF8, Relevance: 20.5, APIs: 13, Instructions: 984libraryCOMMON

Download Yara Rule

APIs

UserClientDllInitialize.USER32 ref: 0606CB3D
SetProcessDPIAware.USER32 ref: 0606CC51
KiUserExceptionDispatcher.NTDLL ref: 0606CC96
KiUserExceptionDispatcher.NTDLL ref: 0606CCF1
KiUserExceptionDispatcher.NTDLL ref: 0606CE1B
CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$User$DispatcherException$Initialize$AwareBuffCharClassClientInfoProcessThunkUpper
String ID:
API String ID: 1389248888-0
Opcode ID: 33b621db8c5e4928bae0d918e738df29ddfb3cfb04e4db2ce03b030e0530d717
Instruction ID: 07db17a3d42a6d744fcf75b740fe121ddf9c58cc691649b8c2d1e09d573aa5a8
Opcode Fuzzy Hash: 33b621db8c5e4928bae0d918e738df29ddfb3cfb04e4db2ce03b030e0530d717
Instruction Fuzzy Hash: 64A217B4A40228CFCBA4EF20D85869DBBB6BF88305F5085E9D50AA7754DF349E81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606CB19, Relevance: 20.1, APIs: 13, Instructions: 637libraryCOMMON

Download Yara Rule

APIs

UserClientDllInitialize.USER32 ref: 0606CB3D
SetProcessDPIAware.USER32 ref: 0606CC51
KiUserExceptionDispatcher.NTDLL ref: 0606CC96
KiUserExceptionDispatcher.NTDLL ref: 0606CCF1
KiUserExceptionDispatcher.NTDLL ref: 0606CE1B
CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$User$DispatcherException$Initialize$AwareBuffCharClassClientInfoProcessThunkUpper
String ID:
API String ID: 1389248888-0
Opcode ID: 72a10081b93e6994b951cac0aeca72c4f31e5c4d15c8c557439e12f945b70a6c
Instruction ID: 1193a59990288aaee9c5fcff1070cb91cecc9477c1b472fe8ee59b69373833fb
Opcode Fuzzy Hash: 72a10081b93e6994b951cac0aeca72c4f31e5c4d15c8c557439e12f945b70a6c
Instruction Fuzzy Hash: 1E623874A44228CFCBA5EF20D85869DBBB6BF48205F5085E9D60AA3344DF349ED1CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0606CB5E, Relevance: 18.6, APIs: 12, Instructions: 630libraryCOMMON

Download Yara Rule

APIs

SetProcessDPIAware.USER32 ref: 0606CC51
KiUserExceptionDispatcher.NTDLL ref: 0606CC96
KiUserExceptionDispatcher.NTDLL ref: 0606CCF1
KiUserExceptionDispatcher.NTDLL ref: 0606CE1B
CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$DispatcherExceptionUser$AwareBuffCharClassInfoInitializeProcessThunkUpper
String ID:
API String ID: 1637386769-0
Opcode ID: 9162ce94016e07597ce1eda68475acc159799b1b6e5d2dad9ab355e7b3af1e84
Instruction ID: 94f73faff847c7c58696fd62813d0db4929979147f66fa755d094de64ea8855c
Opcode Fuzzy Hash: 9162ce94016e07597ce1eda68475acc159799b1b6e5d2dad9ab355e7b3af1e84
Instruction Fuzzy Hash: C8623874A44228CFCBA4EF20D85869DBBB6BF48205F5085E9D60AA3344DF349ED1CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0606CBA3, Relevance: 18.6, APIs: 12, Instructions: 623libraryCOMMON

Download Yara Rule

APIs

SetProcessDPIAware.USER32 ref: 0606CC51
KiUserExceptionDispatcher.NTDLL ref: 0606CC96
KiUserExceptionDispatcher.NTDLL ref: 0606CCF1
KiUserExceptionDispatcher.NTDLL ref: 0606CE1B
CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$DispatcherExceptionUser$AwareBuffCharClassInfoInitializeProcessThunkUpper
String ID:
API String ID: 1637386769-0
Opcode ID: 69bd814c0a2ed1f5650e713415154812f21a92c344be17b486a59868a2aff818
Instruction ID: 7a995e4bda333387480dfe6bd9de15997aea098789b900786a82596c1d48ff86
Opcode Fuzzy Hash: 69bd814c0a2ed1f5650e713415154812f21a92c344be17b486a59868a2aff818
Instruction Fuzzy Hash: 7F5238B4A44228CFCBA4EF20D85869DBBB6BF48205F5085E9D60AA3744DF349ED1CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606CBE8, Relevance: 18.6, APIs: 12, Instructions: 616libraryCOMMON

Download Yara Rule

APIs

SetProcessDPIAware.USER32 ref: 0606CC51
KiUserExceptionDispatcher.NTDLL ref: 0606CC96
KiUserExceptionDispatcher.NTDLL ref: 0606CCF1
KiUserExceptionDispatcher.NTDLL ref: 0606CE1B
CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$DispatcherExceptionUser$AwareBuffCharClassInfoInitializeProcessThunkUpper
String ID:
API String ID: 1637386769-0
Opcode ID: 9a830222777ca1f4649f54f126d3ffee123cf7ac721c3e120e540a2628ace81c
Instruction ID: fa32025935aeb91d84b51d6e9dce08f0a6dc12c3e6a4093beae4d6cee485ca90
Opcode Fuzzy Hash: 9a830222777ca1f4649f54f126d3ffee123cf7ac721c3e120e540a2628ace81c
Instruction Fuzzy Hash: 11523874A44228CFCBA4EF20D85869DBBB6BF48205F5085E9D60AA3344DF349ED1CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606CC2D, Relevance: 18.6, APIs: 12, Instructions: 609libraryCOMMON

Download Yara Rule

APIs

SetProcessDPIAware.USER32 ref: 0606CC51
KiUserExceptionDispatcher.NTDLL ref: 0606CC96
KiUserExceptionDispatcher.NTDLL ref: 0606CCF1
KiUserExceptionDispatcher.NTDLL ref: 0606CE1B
CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$DispatcherExceptionUser$AwareBuffCharClassInfoInitializeProcessThunkUpper
String ID:
API String ID: 1637386769-0
Opcode ID: b85410fe29aacad5ef31633cc3d2a4ce99c132edb485abc0ce891fadbae04ad4
Instruction ID: 083568406eafddb0f148ba14b84b1bec4053047a30ed2f130c820dcf374085ed
Opcode Fuzzy Hash: b85410fe29aacad5ef31633cc3d2a4ce99c132edb485abc0ce891fadbae04ad4
Instruction Fuzzy Hash: 835238B4A44228CFCBA4EF20D85869DBBB6BF48205F5085E9D60AA3744DF349ED1CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606CC72, Relevance: 17.1, APIs: 11, Instructions: 602libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0606CC96
KiUserExceptionDispatcher.NTDLL ref: 0606CCF1
KiUserExceptionDispatcher.NTDLL ref: 0606CE1B
CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$DispatcherExceptionUser$BuffCharClassInfoInitializeThunkUpper
String ID:
API String ID: 1230942428-0
Opcode ID: 30a4d904bb684528e6e4b89544bbb381ee99a02650de2065ceadb2d113874441
Instruction ID: 65852c49e6d28dc9c25415a0e709333408cffdf0554e7222ff385b11b6f0d75c
Opcode Fuzzy Hash: 30a4d904bb684528e6e4b89544bbb381ee99a02650de2065ceadb2d113874441
Instruction Fuzzy Hash: C55238B4A44228CFCBA4EF20D85869DBBB6BF48205F5085E9D60AA3344DF349ED1CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606CCCD, Relevance: 15.6, APIs: 10, Instructions: 591libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0606CCF1
KiUserExceptionDispatcher.NTDLL ref: 0606CE1B
CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$DispatcherExceptionUser$BuffCharClassInfoInitializeThunkUpper
String ID:
API String ID: 1230942428-0
Opcode ID: f25e2797d4eba957be5061f640738aadacc3f145a0e2f47a94e54be0c03ae362
Instruction ID: 8aeba49b93b8c18c05728a66a8d9b90832d3d645869b16f4e850180a3b83c38a
Opcode Fuzzy Hash: f25e2797d4eba957be5061f640738aadacc3f145a0e2f47a94e54be0c03ae362
Instruction Fuzzy Hash: 955227B4A44228CFCBA4EF20D85869DBBB6BF48205F5085E9D60AA3744DF349ED1CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606CD12, Relevance: 14.1, APIs: 9, Instructions: 584libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0606CE1B
CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$BuffCharClassDispatcherExceptionInfoInitializeThunkUpperUser
String ID:
API String ID: 1976226442-0
Opcode ID: d1ab4ac194ab543a4ad30c40433785c66529a0f0f63544b9b4f35603ff75148b
Instruction ID: 9c0422f766538e748216ac650f3bbd4c174ef8f0f38ad7232b9c6dac892604d6
Opcode Fuzzy Hash: d1ab4ac194ab543a4ad30c40433785c66529a0f0f63544b9b4f35603ff75148b
Instruction Fuzzy Hash: 4C5227B4A44228CFCBA4EF20D85869DBBB6BF48305F5085E9D60AA3744DF349E91CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606CD57, Relevance: 14.1, APIs: 9, Instructions: 577libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0606CE1B
CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$BuffCharClassDispatcherExceptionInfoInitializeThunkUpperUser
String ID:
API String ID: 1976226442-0
Opcode ID: d6a2587c5f1e006c812234d997e88e5e3cd1265efbd40ec10938f6ccd0fc7257
Instruction ID: e2785b8fe90a7d52af6b4b220f789ad686bec1964992f9961becc7a4d9de8c85
Opcode Fuzzy Hash: d6a2587c5f1e006c812234d997e88e5e3cd1265efbd40ec10938f6ccd0fc7257
Instruction Fuzzy Hash: 6A5227B4A44228CFCBA4EF20D85869DBBB6BF48305F5085E9D60AA3744DF349E91CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606CDB2, Relevance: 14.1, APIs: 9, Instructions: 566libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0606CE1B
CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$BuffCharClassDispatcherExceptionInfoInitializeThunkUpperUser
String ID:
API String ID: 1976226442-0
Opcode ID: 52fb61361d1743825e5530975f8e6487df538c34c41817d6ea7f6f38ceff0228
Instruction ID: 2dca8b57fbd6de4ccfa37c4e87652f7cfab7253425fedd3cb4f902d2aad5a841
Opcode Fuzzy Hash: 52fb61361d1743825e5530975f8e6487df538c34c41817d6ea7f6f38ceff0228
Instruction Fuzzy Hash: B64236B4A44228CFCBA4EF20D85869DBBB6BF48205F5085E9D60AA3354DF348ED1CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606CDF7, Relevance: 14.1, APIs: 9, Instructions: 559libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0606CE1B
CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$BuffCharClassDispatcherExceptionInfoInitializeThunkUpperUser
String ID:
API String ID: 1976226442-0
Opcode ID: a48b46d187c0f410c6c6af26c115eec8ecfa039d56cd1187037a8af817c440dd
Instruction ID: 17279f152cc1096d25626bc1e6a0601c2038059ac88ffe0ad52d65a99e3ce6af
Opcode Fuzzy Hash: a48b46d187c0f410c6c6af26c115eec8ecfa039d56cd1187037a8af817c440dd
Instruction Fuzzy Hash: D54237B4A44228CFCBA4EF20D85869DBBB6BF48305F5085E9D60AA3354DF349E91CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606CE3C, Relevance: 12.6, APIs: 8, Instructions: 552libraryCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$BuffCharClassInfoInitializeThunkUpper
String ID:
API String ID: 4222128061-0
Opcode ID: 49fb1902eba80f9ac36b138f4f2318db9c1ae984cc92d47212e47cf3d21ceb33
Instruction ID: 139549ea4200094bb7265a9e575c247f32f0e1f9ec2ba0f666d5c5b2b3f9dce7
Opcode Fuzzy Hash: 49fb1902eba80f9ac36b138f4f2318db9c1ae984cc92d47212e47cf3d21ceb33
Instruction Fuzzy Hash: C34237B4A44228CFCBA4EF20D85869DBBB6BF48305F5085E9D60AA3354DF349E81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606CE81, Relevance: 12.5, APIs: 8, Instructions: 543libraryCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$BuffCharClassInfoInitializeThunkUpper
String ID:
API String ID: 4222128061-0
Opcode ID: c75adc46182fdc5c886d05beb2703a33932c123a339bc9603418a73d2a1b847e
Instruction ID: 9a51bf159065a92778984988dd9008fdd1a6486d9d8a1cdd0b73cf7346a88d51
Opcode Fuzzy Hash: c75adc46182fdc5c886d05beb2703a33932c123a339bc9603418a73d2a1b847e
Instruction Fuzzy Hash: C94238B4A44228CFCBA4EF20D85869DBBB6BF48305F5085E9D60AA3754DF349E81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606CEBD, Relevance: 12.5, APIs: 8, Instructions: 538libraryCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$BuffCharClassInfoInitializeThunkUpper
String ID:
API String ID: 4222128061-0
Opcode ID: c5de885a160920626017046df99c55738dee2b27124151a1e8bdd3ffd8643e29
Instruction ID: 3743200fc9aa105215ea60740227ed54cca1bf7c2b854134257a81c35fbc8d6d
Opcode Fuzzy Hash: c5de885a160920626017046df99c55738dee2b27124151a1e8bdd3ffd8643e29
Instruction Fuzzy Hash: B44227B4A44228CFCBA4EF20D85869DBBB6BF48305F5085E9D60AA3754DF349E81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606CF02, Relevance: 12.5, APIs: 8, Instructions: 531libraryCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$BuffCharClassInfoInitializeThunkUpper
String ID:
API String ID: 4222128061-0
Opcode ID: f886bd7a9e22d987e8425d70fc72be643a8e860f87d30b6b2d65034b989c9b82
Instruction ID: df96f872b018d9da431502cb55a259955b85899e2d5e765f2fdc06c5fd0460d2
Opcode Fuzzy Hash: f886bd7a9e22d987e8425d70fc72be643a8e860f87d30b6b2d65034b989c9b82
Instruction Fuzzy Hash: 1B4228B4A44228CFCBA4EF20D85869DBBB6BF48305F5085E9D60AA3754DF349E81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606CF47, Relevance: 12.5, APIs: 8, Instructions: 524libraryCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$BuffCharClassInfoInitializeThunkUpper
String ID:
API String ID: 4222128061-0
Opcode ID: 2462212c753058f2d26eaa3c92f75448f9c374882ed2326b3bff143834abf054
Instruction ID: 9f121098087e86857c7b465d722d6d1b0ddfb9ac8a260d6f17260892c734da0c
Opcode Fuzzy Hash: 2462212c753058f2d26eaa3c92f75448f9c374882ed2326b3bff143834abf054
Instruction Fuzzy Hash: DC3228B4A44228CFCBA4EF20D85869DBBB6BF48305F5085E9D60AA3754DF349E81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606CF8C, Relevance: 12.5, APIs: 8, Instructions: 517libraryCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$BuffCharClassInfoInitializeThunkUpper
String ID:
API String ID: 4222128061-0
Opcode ID: 63f861a8d91f722b1265df1ddb461a57ae19b0ae6364d55ed71b127724310c63
Instruction ID: c5cff39081dfe65d66a2e716d0ac459e9f8ed0cdd51f9ffe7ceeeaf878c82059
Opcode Fuzzy Hash: 63f861a8d91f722b1265df1ddb461a57ae19b0ae6364d55ed71b127724310c63
Instruction Fuzzy Hash: 4B3228B4A44228CFCBA4EF20D85869DBBB6BF48305F5085E9D60AA3754DF349E81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606CFD1, Relevance: 12.5, APIs: 8, Instructions: 510libraryCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$BuffCharClassInfoInitializeThunkUpper
String ID:
API String ID: 4222128061-0
Opcode ID: d90aa52199151ef057e49315470a8100c81ea081d2d41b8bf20a36d0ad2acb75
Instruction ID: 08e03fd0ba04ece646e6f2b68a4ab52a5e6139dce109425deb01608cae359501
Opcode Fuzzy Hash: d90aa52199151ef057e49315470a8100c81ea081d2d41b8bf20a36d0ad2acb75
Instruction Fuzzy Hash: 753228B4A44228CFCBA4EF20D85869DBBB6BF48305F5085E9D60AA3754DF349E81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606D016, Relevance: 12.5, APIs: 8, Instructions: 503libraryCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$BuffCharClassInfoInitializeThunkUpper
String ID:
API String ID: 4222128061-0
Opcode ID: 9b37b1ea550a4a5da2b1c899502ee0e081f3469d86cb820e0015eb4c6937c4eb
Instruction ID: ea258e2e47ac0ac1e47a5b9a84c73c12749c2a16e329dd80cc7a80336577a666
Opcode Fuzzy Hash: 9b37b1ea550a4a5da2b1c899502ee0e081f3469d86cb820e0015eb4c6937c4eb
Instruction Fuzzy Hash: 843228B4A44228CFCBA4EF20D85869DBBB6BF48305F5085E9D60AA3754DF349E81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606D05B, Relevance: 12.5, APIs: 8, Instructions: 496libraryCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$BuffCharClassInfoInitializeThunkUpper
String ID:
API String ID: 4222128061-0
Opcode ID: aae8652342a65b87ffa98f3918f0d4fd1e8347fa3710836353c4bebdbb1febe3
Instruction ID: 0627456e0a63dc70c4f0bcd8824e773659c6df6ff300fb34212db618ff9f8d49
Opcode Fuzzy Hash: aae8652342a65b87ffa98f3918f0d4fd1e8347fa3710836353c4bebdbb1febe3
Instruction Fuzzy Hash: 8E3218B4A44228CFCBA4EF20D85869DBBB6BF48305F5085E9D60AA3754DF349E81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606D0A0, Relevance: 12.5, APIs: 8, Instructions: 489libraryCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$BuffCharClassInfoInitializeThunkUpper
String ID:
API String ID: 4222128061-0
Opcode ID: 08c3a2f011175a18ccf07070cb3a482f638f4447109a9b54f32feec8bee29c79
Instruction ID: 7097134d3ae5bbd0837d0edcce8c6577d5f6850aa678b436f22ae6a887454526
Opcode Fuzzy Hash: 08c3a2f011175a18ccf07070cb3a482f638f4447109a9b54f32feec8bee29c79
Instruction Fuzzy Hash: 383218B4A44228CFCBA4EF20D85869DBBB6BF48305F5085E9D60AA3754DF349E81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606D0E5, Relevance: 12.5, APIs: 8, Instructions: 480libraryCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$BuffCharClassInfoInitializeThunkUpper
String ID:
API String ID: 4222128061-0
Opcode ID: f649c1215b02f0f175ab78b50cd918a10c6120dfa95a0064881e6fca2e51d3f1
Instruction ID: a50487f01c8a7946ec01dff92e0330623e44f25d7f12e97b0de8747e9f4f7a66
Opcode Fuzzy Hash: f649c1215b02f0f175ab78b50cd918a10c6120dfa95a0064881e6fca2e51d3f1
Instruction Fuzzy Hash: FA2228B4A44228CFCBA4EF20D85869DBBB6BF48305F5085E9E60A93754DF349E81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606D223, Relevance: 12.4, APIs: 8, Instructions: 447libraryCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$BuffCharClassInfoInitializeThunkUpper
String ID:
API String ID: 4222128061-0
Opcode ID: f9af9d38309899b2e200eab587e10106acc937d861154b4ab18a162e8673f1d1
Instruction ID: 2234892840785256b8fa144428beb55b0d5844f5c51d97d0131ea259d987ca07
Opcode Fuzzy Hash: f9af9d38309899b2e200eab587e10106acc937d861154b4ab18a162e8673f1d1
Instruction Fuzzy Hash: C82227B4A44228CFCBA4EF20D85869DBBB6BF48305F5085E9E60A93754DF348E81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606D26B, Relevance: 12.4, APIs: 8, Instructions: 440libraryCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$BuffCharClassInfoInitializeThunkUpper
String ID:
API String ID: 4222128061-0
Opcode ID: f345d9fab5b510a58ae48730410fbcf30a348a022bd63a1609f2252fac0fd974
Instruction ID: 2a0fb71add0204c738713db48ece7f204bd5edadaabeca3151dfe40c377bb2d9
Opcode Fuzzy Hash: f345d9fab5b510a58ae48730410fbcf30a348a022bd63a1609f2252fac0fd974
Instruction Fuzzy Hash: F01216B4A44228CFCBA4EF20D85869DBBB6BF48305F5085E9E60A93754DF348E85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606D2B3, Relevance: 12.4, APIs: 8, Instructions: 433libraryCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$BuffCharClassInfoInitializeThunkUpper
String ID:
API String ID: 4222128061-0
Opcode ID: e9221800b86085212b4333e19e826e5ec0085cc4ce31525c2277370430c45d4c
Instruction ID: 3b77e60cc113dcd875048bb6a44fd87b294e20a3f8b7deefa7348bbc8840d6ac
Opcode Fuzzy Hash: e9221800b86085212b4333e19e826e5ec0085cc4ce31525c2277370430c45d4c
Instruction Fuzzy Hash: C91215B4A04228CFCBA4EB20D85869DBBB6BF48305F50C5E9E60A93754DF348E85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606D2FB, Relevance: 12.4, APIs: 8, Instructions: 426libraryCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$BuffCharClassInfoInitializeThunkUpper
String ID:
API String ID: 4222128061-0
Opcode ID: a5a19608bce841ab26837819c2f48b8546350c43d2a5d54af972c0f30553fbc6
Instruction ID: 8cc5848a82d34f457756eb2e1e7ae9a147d2fd8d3cb6c60834188c0dff5b36b3
Opcode Fuzzy Hash: a5a19608bce841ab26837819c2f48b8546350c43d2a5d54af972c0f30553fbc6
Instruction Fuzzy Hash: 3F1206B4A042288FCBA4EB20D85879DBBB6BF48305F50C5E9E60A93754DF349E85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606D343, Relevance: 12.4, APIs: 8, Instructions: 419libraryCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$BuffCharClassInfoInitializeThunkUpper
String ID:
API String ID: 4222128061-0
Opcode ID: e5887302126e13e9ca512c99d70fcf04fee500b643bcf015a181ad640671fbe1
Instruction ID: 8d857855cc8ea2df52514b35c8ba2c2dea6ed9fd6042296de346a93cc5139440
Opcode Fuzzy Hash: e5887302126e13e9ca512c99d70fcf04fee500b643bcf015a181ad640671fbe1
Instruction Fuzzy Hash: 5D1207B4A042288FCBA4EB20D85879DBBB6BF48305F50C5E9E60A93754DF349E85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606D38B, Relevance: 12.4, APIs: 8, Instructions: 412libraryCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$BuffCharClassInfoInitializeThunkUpper
String ID:
API String ID: 4222128061-0
Opcode ID: 9bb370cbf919b2d05fdb95e4c4f8027fa0b76b6890e7049445219114840252b0
Instruction ID: 5b9f82509056c4e5238c245da7cc6b1cbf6c4ad9f8a84d389003c00718b8efc5
Opcode Fuzzy Hash: 9bb370cbf919b2d05fdb95e4c4f8027fa0b76b6890e7049445219114840252b0
Instruction Fuzzy Hash: 2A1207B4A042288FCBA4EB20D85879DBBB6BF48305F50C5E9E60A93754DF349E85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606D3D3, Relevance: 12.4, APIs: 8, Instructions: 405libraryCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$BuffCharClassInfoInitializeThunkUpper
String ID:
API String ID: 4222128061-0
Opcode ID: 62156f3bc8aa5edd65a5075e21269958cb15f74e93e1ba3d0761a921dadfec6d
Instruction ID: 03a890d99055653e9d9c341dffb863711c7a71d53767a91743b99c37a4f8e54c
Opcode Fuzzy Hash: 62156f3bc8aa5edd65a5075e21269958cb15f74e93e1ba3d0761a921dadfec6d
Instruction Fuzzy Hash: 350207B4A042288FCBA4EB20D85879DBBB6BF88305F50C5E9E50A93754DF349E85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606D41B, Relevance: 12.4, APIs: 8, Instructions: 398libraryCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$BuffCharClassInfoInitializeThunkUpper
String ID:
API String ID: 4222128061-0
Opcode ID: 322b6fd71c4361fe98a1b7c7e8f746a9da53ed061656116af00fed891bfc7cff
Instruction ID: 0ea7c5fceb560452099f9006027dbcb1b5636bb2a758d77c1b5dc53111254d33
Opcode Fuzzy Hash: 322b6fd71c4361fe98a1b7c7e8f746a9da53ed061656116af00fed891bfc7cff
Instruction Fuzzy Hash: B80205B4A042288FCBA4EB20D85879DBBB6BF88305F50C5E9E50A93754DF349E85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0606D463, Relevance: 12.4, APIs: 8, Instructions: 391libraryCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32 ref: 0606D4C7
EnumDisplaySettingsA.USER32 ref: 0606D4F1
EnumDisplaySettingsA.USER32 ref: 0606D51F
EnumDisplaySettingsA.USER32 ref: 0606D54D
EnumDisplaySettingsA.USER32 ref: 0606D57B
EnumDisplaySettingsA.USER32 ref: 0606D5A9
LdrInitializeThunk.NTDLL ref: 0606D5B5
GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: DisplayEnumSettings$BuffCharClassInfoInitializeThunkUpper
String ID:
API String ID: 4222128061-0
Opcode ID: 11b424a376e5bbb03848248914d497cbe77ffa6649f54d62daff2679f8a92636
Instruction ID: 647b7bed150d06e2cb39a6dcc3a5f5ddac7d0f04d7ad07e4e33c4fd32e1d921f
Opcode Fuzzy Hash: 11b424a376e5bbb03848248914d497cbe77ffa6649f54d62daff2679f8a92636
Instruction Fuzzy Hash: 200205B4A042288FCBA4EB30D85879DBBB6AF88305F50C5E9E50A93754DF349E85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 01566940, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 015669A0
GetCurrentThread.KERNEL32 ref: 015669DD
GetCurrentProcess.KERNEL32 ref: 01566A1A
GetCurrentThreadId.KERNEL32 ref: 01566A73

Memory Dump Source

Source File: 00000005.00000002.601881062.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2db9eaeb018182423a70cf2a906ce8b7e692e69fd790cc900935fd2401dbcc15
Instruction ID: d5b0c4627efb2fda3818913467bb7d95d50f531946cb2ee79ebe5ae519733d67
Opcode Fuzzy Hash: 2db9eaeb018182423a70cf2a906ce8b7e692e69fd790cc900935fd2401dbcc15
Instruction Fuzzy Hash: FB5164B09116098FDB14CFAAD948BDEBBF4BF88314F208459E419A7390CB74A844CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F019F8, Relevance: 3.4, APIs: 2, Instructions: 411COMMON

Download Yara Rule

APIs

AreDpiAwarenessContextsEqual.USER32(?,?,?,00000000,?,?), ref: 00F01F38
AreDpiAwarenessContextsEqual.USER32(?,?,?,00000000,?,?), ref: 00F01F76

Memory Dump Source

Source File: 00000005.00000002.600714979.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false

Similarity

API ID: AwarenessContextsEqual
String ID:
API String ID: 4087515300-0
Opcode ID: 36c0c15656d612bf3eb55d498b80283ca2a3b3129ef7caee3226a5990fd2e4b8
Instruction ID: 5e263be83d1fe412a960bfa6f2c1e4b62a8541a901e1d149908015bbdf0d7562
Opcode Fuzzy Hash: 36c0c15656d612bf3eb55d498b80283ca2a3b3129ef7caee3226a5990fd2e4b8
Instruction Fuzzy Hash: 79F19930A052498FCB14EBB4D8586AEBBB2BF85304F25C4A9D405DB3A5DB39DC06EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F0E590, Relevance: 3.3, APIs: 2, Instructions: 256COMMON

Download Yara Rule

APIs

AreDpiAwarenessContextsEqual.USER32 ref: 00F0E7F8
AreDpiAwarenessContextsEqual.USER32 ref: 00F0E836

Memory Dump Source

Source File: 00000005.00000002.600714979.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false

Similarity

API ID: AwarenessContextsEqual
String ID:
API String ID: 4087515300-0
Opcode ID: 446390f9aaf5f15b0e89a30b6f7f7030cdc75e59d51ab40cb6f08a6c3f46b4d9
Instruction ID: cd25060605d1477c128081fbca7f6a9a0ffb4d798f4bfd2eece3877c8a6dd2c7
Opcode Fuzzy Hash: 446390f9aaf5f15b0e89a30b6f7f7030cdc75e59d51ab40cb6f08a6c3f46b4d9
Instruction Fuzzy Hash: D991B130B093818FD742D77498186AA7FF5AF96310F1984F6D048CB2A7EA69CC09DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F01660, Relevance: 3.2, APIs: 2, Instructions: 244COMMON

Download Yara Rule

APIs

AreDpiAwarenessContextsEqual.USER32 ref: 00F01910
AreDpiAwarenessContextsEqual.USER32 ref: 00F0194E

Memory Dump Source

Source File: 00000005.00000002.600714979.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false

Similarity

API ID: AwarenessContextsEqual
String ID:
API String ID: 4087515300-0
Opcode ID: 08090fe6a8aa9f2f44b779a4e718e733dc63d310cfdca277cc45db8491fba4f3
Instruction ID: 5c73ab381bb0a7867eebdcf716edc4ba1c5895f6308503e13a9ae31a8d376502
Opcode Fuzzy Hash: 08090fe6a8aa9f2f44b779a4e718e733dc63d310cfdca277cc45db8491fba4f3
Instruction Fuzzy Hash: 9D91AE30F012058FCB54EBB4C4586AEBBF6BF89314F14C5AAD409EB391EB349D469B91

Uniqueness

Uniqueness Score: -1.00%

Function 00F031B8, Relevance: 3.2, APIs: 2, Instructions: 228COMMON

Download Yara Rule

APIs

AreDpiAwarenessContextsEqual.USER32 ref: 00F033E0
AreDpiAwarenessContextsEqual.USER32 ref: 00F0341E

Memory Dump Source

Source File: 00000005.00000002.600714979.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false

Similarity

API ID: AwarenessContextsEqual
String ID:
API String ID: 4087515300-0
Opcode ID: f9df9754b94ca59e96cfc8ef6a5d7997337e1ea143a5f92ef3bd8bcc08007f64
Instruction ID: ed936f274f21aefd319b897e4575ef645686188a220e1a5ab4927d895d26a1c9
Opcode Fuzzy Hash: f9df9754b94ca59e96cfc8ef6a5d7997337e1ea143a5f92ef3bd8bcc08007f64
Instruction Fuzzy Hash: 5981A230B093C18FD742EB7898186AA7FF59F96300F5584BBD448CB2A6DA29CD06D751

Uniqueness

Uniqueness Score: -1.00%

Function 00F0E880, Relevance: 3.1, APIs: 2, Instructions: 87COMMON

Download Yara Rule

APIs

AreDpiAwarenessContextsEqual.USER32 ref: 00F0E918
AreDpiAwarenessContextsEqual.USER32 ref: 00F0E956

Memory Dump Source

Source File: 00000005.00000002.600714979.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false

Similarity

API ID: AwarenessContextsEqual
String ID:
API String ID: 4087515300-0
Opcode ID: 85a31d8634507ec3f080318636d0c0485cd73576f74b8d7e220055e05097e1ce
Instruction ID: b2c6fdcc5535550bde068736383700c64ebc1f6d9122344163de2035c2e8da36
Opcode Fuzzy Hash: 85a31d8634507ec3f080318636d0c0485cd73576f74b8d7e220055e05097e1ce
Instruction Fuzzy Hash: 3F31D730B083458FCB41EB78DC545AE7BF5AF8A310B50C47AD049D7396EA388C069B91

Uniqueness

Uniqueness Score: -1.00%

Function 0606FEC8, Relevance: 3.1, APIs: 2, Instructions: 77COMMON

Download Yara Rule

APIs

AreDpiAwarenessContextsEqual.USER32 ref: 0606FF50
AreDpiAwarenessContextsEqual.USER32 ref: 0606FF8E

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: AwarenessContextsEqual
String ID:
API String ID: 4087515300-0
Opcode ID: 2b3157de72e61d3de981da87563702f5ea898ab588a33d2d5a1c9cf2b9c036c1
Instruction ID: 5aa7d317afc722831557e2baa008e99dd99071421a01dbdf1ffde97501717f2b
Opcode Fuzzy Hash: 2b3157de72e61d3de981da87563702f5ea898ab588a33d2d5a1c9cf2b9c036c1
Instruction Fuzzy Hash: AF219230B142468FCB80EB79D8546AE7BF6BF89704B50C475E009EB355EB38DC028B90

Uniqueness

Uniqueness Score: -1.00%

Function 00F0FB06, Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

AreDpiAwarenessContextsEqual.USER32 ref: 00F0FB50
AreDpiAwarenessContextsEqual.USER32 ref: 00F0FB8E

Memory Dump Source

Source File: 00000005.00000002.600714979.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false

Similarity

API ID: AwarenessContextsEqual
String ID:
API String ID: 4087515300-0
Opcode ID: 90ac4a9a004ff74f68c21739841d3ed80d9c426c03d33083f4f77348a658b891
Instruction ID: a5b9dbc6dfb45856aac383d03fe70de4f8d7588c7d2dc63c40fb8deff7a4960c
Opcode Fuzzy Hash: 90ac4a9a004ff74f68c21739841d3ed80d9c426c03d33083f4f77348a658b891
Instruction Fuzzy Hash: 4A118231F102199FCB90EB78DC515EE77F5FB89610750C429E049E7355EA385C068B91

Uniqueness

Uniqueness Score: -1.00%

Function 00F0E8E0, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

AreDpiAwarenessContextsEqual.USER32 ref: 00F0E918
AreDpiAwarenessContextsEqual.USER32 ref: 00F0E956

Memory Dump Source

Source File: 00000005.00000002.600714979.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false

Similarity

API ID: AwarenessContextsEqual
String ID:
API String ID: 4087515300-0
Opcode ID: c65aade894da97ccd35f71ae43ac5b85513828a82ca928681b861df141775d76
Instruction ID: fd6851d29244e5075860a35ac3854480adad28e46617f85256e051efc6cf92eb
Opcode Fuzzy Hash: c65aade894da97ccd35f71ae43ac5b85513828a82ca928681b861df141775d76
Instruction Fuzzy Hash: 01115271F001198F8F90FB78D85099E77F5FB88614750C529E509E7354EB389D029B91

Uniqueness

Uniqueness Score: -1.00%

Function 00F033A8, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

AreDpiAwarenessContextsEqual.USER32 ref: 00F033E0
AreDpiAwarenessContextsEqual.USER32 ref: 00F0341E

Memory Dump Source

Source File: 00000005.00000002.600714979.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false

Similarity

API ID: AwarenessContextsEqual
String ID:
API String ID: 4087515300-0
Opcode ID: 0c94b91375694588f21d4ad5537abc793c31e4e455a228218832686a800d088d
Instruction ID: a1a4028693c672196e67d6fbab1fb35bde79137e71ebf01816d687c3554598e8
Opcode Fuzzy Hash: 0c94b91375694588f21d4ad5537abc793c31e4e455a228218832686a800d088d
Instruction Fuzzy Hash: 6A112735F101198F8B50FBB8D851AAE77F6EF88610B608429E109E7355EA389D029BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F0FB18, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

AreDpiAwarenessContextsEqual.USER32 ref: 00F0FB50
AreDpiAwarenessContextsEqual.USER32 ref: 00F0FB8E

Memory Dump Source

Source File: 00000005.00000002.600714979.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false

Similarity

API ID: AwarenessContextsEqual
String ID:
API String ID: 4087515300-0
Opcode ID: 5c8cea4ce069361edd23024b7f57b406ffa7d5ec5ffae0586d4e722cb1633a63
Instruction ID: c33c1723136c1afb2a6f79a43bcf197b1d03e57431168dfd8921f40170696e04
Opcode Fuzzy Hash: 5c8cea4ce069361edd23024b7f57b406ffa7d5ec5ffae0586d4e722cb1633a63
Instruction Fuzzy Hash: DF113031F101198F8F50EBB8D8509AE77F5FB89610750C529E509E7354EB349D029B91

Uniqueness

Uniqueness Score: -1.00%

Function 00F01F00, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

AreDpiAwarenessContextsEqual.USER32(?,?,?,00000000,?,?), ref: 00F01F38
AreDpiAwarenessContextsEqual.USER32(?,?,?,00000000,?,?), ref: 00F01F76

Memory Dump Source

Source File: 00000005.00000002.600714979.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false

Similarity

API ID: AwarenessContextsEqual
String ID:
API String ID: 4087515300-0
Opcode ID: 7ca733a77909f1e5c74f7e6f1bcc2f5e769b8c45f269b2fac9648be4a317e0dd
Instruction ID: f0d1d5e067be58fa0cb7261f90f4a368e25d932138a522a08baa6563180c130f
Opcode Fuzzy Hash: 7ca733a77909f1e5c74f7e6f1bcc2f5e769b8c45f269b2fac9648be4a317e0dd
Instruction Fuzzy Hash: 9A113C35F101198F8B90EBB8D840AEE77F5FB88714B508429E109E7354EB349D019BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0606F730, Relevance: 1.9, APIs: 1, Instructions: 352COMMON

Download Yara Rule

APIs

SetWindowLongPtrA.USER32(00000001,?,00000000,00000000,?,00000000), ref: 0606F806

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 69aca59e239f2704ff1a29c1f8a642aff882c2249aab281baeb79099faa21607
Instruction ID: c801c2d0f6d9a5c6169ad38578cfd4198b530fbd0ecf9fd2009ddd1357535b9e
Opcode Fuzzy Hash: 69aca59e239f2704ff1a29c1f8a642aff882c2249aab281baeb79099faa21607
Instruction Fuzzy Hash: 52D13D74F502058FDB94DBA9E498BAEBBF2EF89310F149429F406EB391DA70DC418B51

Uniqueness

Uniqueness Score: -1.00%

Function 0606F720, Relevance: 1.8, APIs: 1, Instructions: 337COMMON

Download Yara Rule

APIs

SetWindowLongPtrA.USER32(00000001,?,00000000,00000000,?,00000000), ref: 0606F806

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: da56810bb2787af5a8449ed0dcbc4de5b36e2b5f9b3fed96354a5919cdb06eb5
Instruction ID: dc94f402ba910bf29603ae926033cc294ff5ed1b8269e6951d8bf131415c8765
Opcode Fuzzy Hash: da56810bb2787af5a8449ed0dcbc4de5b36e2b5f9b3fed96354a5919cdb06eb5
Instruction Fuzzy Hash: C7C16F74E502068FDB94DBA5E494BAEBBF2EF89310F149469F406EB391DB30DC418B51

Uniqueness

Uniqueness Score: -1.00%

Function 0606D916, Relevance: 1.7, APIs: 1, Instructions: 219COMMON

Download Yara Rule

APIs

GetClassInfoA.USER32 ref: 0606D9CD

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: 996cfcd11c8ba4fb8006de125865e7e1c69ad0bb3331375a2869cb2acee9182a
Instruction ID: b96df91c62186acc58df76978c1bdaa1b88371f90a9fe79bfdefeee264e28102
Opcode Fuzzy Hash: 996cfcd11c8ba4fb8006de125865e7e1c69ad0bb3331375a2869cb2acee9182a
Instruction Fuzzy Hash: 74A15DB4A44228CFCBA4EB30C85479DBBB6BF88205F5084E9D60A97744DF349E85CF65

Uniqueness

Uniqueness Score: -1.00%

Function 01565030, Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.601881062.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35ebda11551e6abed70d21a92435c95b1389f410c18148a688e06716a66ee359
Instruction ID: a49ef3266966d240318c46338e4bd1ed999f0c912f83b05ef5f3a13887e07f00
Opcode Fuzzy Hash: 35ebda11551e6abed70d21a92435c95b1389f410c18148a688e06716a66ee359
Instruction Fuzzy Hash: 92511FB1C10249EFDF11CFA9C880ACEBFB5BF48350F24812AE918AB220D7719955CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06069760, Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49ef8d3645274804064d1a0e0da784f4d6acade7050130157d9dff8b1c9c4ed9
Instruction ID: c9ae0d6bb537f7a2a37b495a83e619fb17586e1bffc1f8f6587d8c3cfbfd26ac
Opcode Fuzzy Hash: 49ef8d3645274804064d1a0e0da784f4d6acade7050130157d9dff8b1c9c4ed9
Instruction Fuzzy Hash: D45113B0D002188FDB54DFAAC899BDEBBF1BF48314F158129E815BB351DB749844CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0606B4ED, Relevance: 1.6, APIs: 1, Instructions: 139COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 0606B633

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 616457efdb4213ac7e9166ed2b8495896f9c3d779fa1071540b8aaf5d6e142f0
Instruction ID: c95aa1622da129e2363a78e1c8f8343bb2203c09efb83fde15a8dd203c428026
Opcode Fuzzy Hash: 616457efdb4213ac7e9166ed2b8495896f9c3d779fa1071540b8aaf5d6e142f0
Instruction Fuzzy Hash: 7F5113B0E002188FDB54CFAAC899BDDBBF1BF48314F15812AE815BB391DB749844CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0606976C, Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 0606B633

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: d9ab7a0cb88260a0abcc6dc13a16cc1377e0edd0d7938bfc0f7571345210d058
Instruction ID: 448583e87ad232d8a4f0aaaac55bf9d229a0fafdfc97baab53cbc64424abee26
Opcode Fuzzy Hash: d9ab7a0cb88260a0abcc6dc13a16cc1377e0edd0d7938bfc0f7571345210d058
Instruction Fuzzy Hash: 545102B0D002188FDB54DFAAC898BDDBBF1BF48314F158129E815BB351DB749854CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00F00A00, Relevance: 1.6, APIs: 1, Instructions: 123registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 00F00B19

Memory Dump Source

Source File: 00000005.00000002.600714979.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2dc6992a23daa324e1d035e3e4692f6d5fd9aa49ba76d9abad4d31c324ad0b09
Instruction ID: 8b36ec70dd3f6e0f2ca929f15c1c58f128a6f6414ced9b84a537b32f8eb87a72
Opcode Fuzzy Hash: 2dc6992a23daa324e1d035e3e4692f6d5fd9aa49ba76d9abad4d31c324ad0b09
Instruction Fuzzy Hash: 074137B1E052589FCB10CFA9C484BDEBBF5AF88314F14806AE848EB291DB749845DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F00748, Relevance: 1.6, APIs: 1, Instructions: 120registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?), ref: 00F0085C

Memory Dump Source

Source File: 00000005.00000002.600714979.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b33f7bc1d0d2f3d24ccb2d0b90e5b6f9439f38de0afeb1241074a879741320b6
Instruction ID: 31fee9402fa7085c35b1ba006cc5866842e3b700d0527c330787266a3973bcdf
Opcode Fuzzy Hash: b33f7bc1d0d2f3d24ccb2d0b90e5b6f9439f38de0afeb1241074a879741320b6
Instruction Fuzzy Hash: 2C4165B0D052499FDB10CFA8C448B9EBBF5BF49314F18C16AE408AB281DB799845DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01565090, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 015651A2

Memory Dump Source

Source File: 00000005.00000002.601881062.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 729624b89a08412368c287684107dd39153002bca66379016b84f6c60be5391c
Instruction ID: e52c37228c61cd6131f7caaa360843cb418824ec14d8bc87fe6ae2d45296127d
Opcode Fuzzy Hash: 729624b89a08412368c287684107dd39153002bca66379016b84f6c60be5391c
Instruction Fuzzy Hash: A341AFB1D10309DFDF14CF99C884ADEBBB5BF88354F64852AE819AB210DB74A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0156779C, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 01567F09

Memory Dump Source

Source File: 00000005.00000002.601881062.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: e71a69be7d2203188e7bdba42b2f47e4884e84ca057d7cebe74f94d74abaef1d
Instruction ID: 9411678e45237839f388b053fd4826eaf8219eedfa75432c34092518adac9cd1
Opcode Fuzzy Hash: e71a69be7d2203188e7bdba42b2f47e4884e84ca057d7cebe74f94d74abaef1d
Instruction Fuzzy Hash: FA414CB59002058FDB14CF99C488AAAFBF9FF8C318F24C959E519AB311D734A845CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F00080, Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 00F00B19

Memory Dump Source

Source File: 00000005.00000002.600714979.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 08131911f4d4fc9e42c12efaf50557d31a1e83b4483f2be881a56330652e08ec
Instruction ID: af6028a0ca37dd4e5326f461d4a304f4c3162167b2fc26c2fa17883945938fab
Opcode Fuzzy Hash: 08131911f4d4fc9e42c12efaf50557d31a1e83b4483f2be881a56330652e08ec
Instruction Fuzzy Hash: 4031FFB1D002589FCB20CF9AC884BDEBBF5BF48714F54802AE819AB350DB749945DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F007A8, Relevance: 1.6, APIs: 1, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?), ref: 00F0085C

Memory Dump Source

Source File: 00000005.00000002.600714979.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 9abf41c536c2c32360253f18e69791aee7c5a54e3e82fcfcdc1d7433c01bca99
Instruction ID: 7d9db98f84a031c953161a73d28db95745ac95938fbb4201d2c33aac8b798a42
Opcode Fuzzy Hash: 9abf41c536c2c32360253f18e69791aee7c5a54e3e82fcfcdc1d7433c01bca99
Instruction Fuzzy Hash: 1531EEB1D012489FDB10CF99C584B8EFBF5BF48314F29C16AE409AB241C7759984DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01564080, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01564116

Memory Dump Source

Source File: 00000005.00000002.601881062.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 44d827f8ceeb2ff559a9c55089152fdd6ee84e48a1c539ffb65544aff8d2ba88
Instruction ID: d81f8861b6ac7bb8df3373faa886c335de4a751b41744f95747c84124bfd113e
Opcode Fuzzy Hash: 44d827f8ceeb2ff559a9c55089152fdd6ee84e48a1c539ffb65544aff8d2ba88
Instruction Fuzzy Hash: BE2169B1C017448FDB24CF9AC84478EBBF4EF89224F14855AD418AB251D374A546CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01566B62, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01566BEF

Memory Dump Source

Source File: 00000005.00000002.601881062.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 404316a8c2adeb9d2a16e4a8561eede08c208fb9db75931596fc0f1327e03aca
Instruction ID: 64e90a6d29cff3fbb5f797b8f24c7b083abd84e7b7879e5d09a7199eff73cb46
Opcode Fuzzy Hash: 404316a8c2adeb9d2a16e4a8561eede08c208fb9db75931596fc0f1327e03aca
Instruction Fuzzy Hash: 2A21E3B5900208AFDB10DFA9D984ADEBBF8FB48320F14841AE914A7310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01566B68, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01566BEF

Memory Dump Source

Source File: 00000005.00000002.601881062.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 60174b09b4b5768052e5c2ad7e2b6966bec562b748394024a3dd550ff0710a45
Instruction ID: 2d038c1314c8ab6ef854f464a0a686768df9a481b5689da8d1d0b5ee4eec8c23
Opcode Fuzzy Hash: 60174b09b4b5768052e5c2ad7e2b6966bec562b748394024a3dd550ff0710a45
Instruction Fuzzy Hash: 8A21D3B5D00249AFDB10CFAAD984ADEBBF8FB48324F14841AE914A7310D774A954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0156BE78, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0156BF02

Memory Dump Source

Source File: 00000005.00000002.601881062.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 8fd4ff7ab35f7d99a088154febfc76c01d7028ce3860d0d746cc07d89b086d14
Instruction ID: d5ca0f97f5a18ced04b23e4cb71c15d6bc2be6b9ab153db5731271e56f966bc6
Opcode Fuzzy Hash: 8fd4ff7ab35f7d99a088154febfc76c01d7028ce3860d0d746cc07d89b086d14
Instruction Fuzzy Hash: 142198B19163458EDB20DFA9C80838ABFF8FB05320F14896AE014A7292D7386904CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0156BE88, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0156BF02

Memory Dump Source

Source File: 00000005.00000002.601881062.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 0782b6e9f99c919cfc939aabc47e4327c9a48070730282a53e47e06cca662dae
Instruction ID: 37f6ef1716df70fa2d98f72879e020672cf9cc1634b09a47c4959c685f8a5c45
Opcode Fuzzy Hash: 0782b6e9f99c919cfc939aabc47e4327c9a48070730282a53e47e06cca662dae
Instruction Fuzzy Hash: 701189B19123098FDB20DFA9D80879EBBF8FB44324F208529E414A7751C7796944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01563300, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01564116

Memory Dump Source

Source File: 00000005.00000002.601881062.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9b2c9e038956b1e6702e5fef503c445f3f62460f125890a0cccbb24149fd2f2c
Instruction ID: 6a8d72745fccbd8c17bbb56ba0dd807f2b98ae3a65892d1af2820dedfec5c39a
Opcode Fuzzy Hash: 9b2c9e038956b1e6702e5fef503c445f3f62460f125890a0cccbb24149fd2f2c
Instruction Fuzzy Hash: BF1134B1D006498FDB20DF9AC444BDEFBF8FB89220F10842AD829BB200C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F0E81F, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

AreDpiAwarenessContextsEqual.USER32 ref: 00F0E836

Memory Dump Source

Source File: 00000005.00000002.600714979.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false

Similarity

API ID: AwarenessContextsEqual
String ID:
API String ID: 4087515300-0
Opcode ID: c8d240907675551b81532cbf352eecfdd29e24a2ca4c8896b3c945c45f1fd1d3
Instruction ID: 4e2cbd1d8544f5f362236a3b4eb0f9c2bcf34a58dd7f768634f7e990b6ae13d3
Opcode Fuzzy Hash: c8d240907675551b81532cbf352eecfdd29e24a2ca4c8896b3c945c45f1fd1d3
Instruction Fuzzy Hash: 78E06D76F000148B8F90FBB8D8405DD77F1FF88610B008061E505E3364EF389C128B61

Uniqueness

Uniqueness Score: -1.00%

Function 00F03407, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

AreDpiAwarenessContextsEqual.USER32 ref: 00F0341E

Memory Dump Source

Source File: 00000005.00000002.600714979.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false

Similarity

API ID: AwarenessContextsEqual
String ID:
API String ID: 4087515300-0
Opcode ID: 4026bd3fdf88b2ec4435d7fdad8b9f2afa36c8e987daa047d5d70469b990b53d
Instruction ID: 8278c07ac2fcb3d90d47cd969b28ea5fc3996d189f66baead78d26fc358bbeae
Opcode Fuzzy Hash: 4026bd3fdf88b2ec4435d7fdad8b9f2afa36c8e987daa047d5d70469b990b53d
Instruction Fuzzy Hash: E5E06D35F000148B8F40FBB8D8419DD73F1EFC8610B1080A1E109E7355EE389C018B61

Uniqueness

Uniqueness Score: -1.00%

Function 00F0FB77, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

AreDpiAwarenessContextsEqual.USER32 ref: 00F0FB8E

Memory Dump Source

Source File: 00000005.00000002.600714979.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false

Similarity

API ID: AwarenessContextsEqual
String ID:
API String ID: 4087515300-0
Opcode ID: 5f81970dbf40597e4d6735ac0f450d35f978df5124d0e09ed41e4de7843a7a24
Instruction ID: bf2906dd7c9ae08bec541a98568ccb9445ee6254d5e8fa88e745276690271d7d
Opcode Fuzzy Hash: 5f81970dbf40597e4d6735ac0f450d35f978df5124d0e09ed41e4de7843a7a24
Instruction Fuzzy Hash: D8E06D35F000188BCF90FBB8D8504DD73F1EFC8610B008061E505E3394EE389C128BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F01F5F, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

AreDpiAwarenessContextsEqual.USER32(?,?,?,00000000,?,?), ref: 00F01F76

Memory Dump Source

Source File: 00000005.00000002.600714979.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false

Similarity

API ID: AwarenessContextsEqual
String ID:
API String ID: 4087515300-0
Opcode ID: c7bacdbc5f93dd6159297cb976524189db9db7be4be1cda409e956910290550f
Instruction ID: 3db20bb8674f06d0d8dd867e594f13d931947e192bd13d1083b9e8d097b6f77d
Opcode Fuzzy Hash: c7bacdbc5f93dd6159297cb976524189db9db7be4be1cda409e956910290550f
Instruction Fuzzy Hash: BCE03936B000148B9F90FBA8D8404DD77F1BB88614B0080A0E105E3354EE289C018B61

Uniqueness

Uniqueness Score: -1.00%

Function 00F01937, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

AreDpiAwarenessContextsEqual.USER32 ref: 00F0194E

Memory Dump Source

Source File: 00000005.00000002.600714979.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false

Similarity

API ID: AwarenessContextsEqual
String ID:
API String ID: 4087515300-0
Opcode ID: 772630068f1eb9a0b65b98841038beefb00a69fb72e1153d35a91c917daa5aab
Instruction ID: 8bcdeaa44d4e71e26caed92ea1291ac32eca7fc47520e7a16fb796277b299ec3
Opcode Fuzzy Hash: 772630068f1eb9a0b65b98841038beefb00a69fb72e1153d35a91c917daa5aab
Instruction Fuzzy Hash: 05E0ED75F000148BCF54FBB9DC555DDB7F1EF88624B108065E509E7399EE389C119BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F0E93F, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

AreDpiAwarenessContextsEqual.USER32 ref: 00F0E956

Memory Dump Source

Source File: 00000005.00000002.600714979.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false

Similarity

API ID: AwarenessContextsEqual
String ID:
API String ID: 4087515300-0
Opcode ID: f11d49f9aa02e60876fb93ba04578b94503e41f8b0306fddbd8741b9b3b41592
Instruction ID: 773c89a71582b6298b94e160b1b5727d821974ca104fe23dbd6f569d181f996b
Opcode Fuzzy Hash: f11d49f9aa02e60876fb93ba04578b94503e41f8b0306fddbd8741b9b3b41592
Instruction Fuzzy Hash: DFE0ED75F001148B8F90FBB9E8445DD77F1FF88614B10C565E505E7394EE389C129B61

Uniqueness

Uniqueness Score: -1.00%

Function 0606FF77, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

AreDpiAwarenessContextsEqual.USER32 ref: 0606FF8E

Memory Dump Source

Source File: 00000005.00000002.607468753.0000000006060000.00000040.00000001.sdmp, Offset: 06060000, based on PE: false

Similarity

API ID: AwarenessContextsEqual
String ID:
API String ID: 4087515300-0
Opcode ID: 8206615bb7ceefce2f82579a7dc6db439a0f0e840ae8d9af6a5bc86a113fb587
Instruction ID: f4d7e0d74faf3087a2b6c459bcfc85e37d8907cc6c2d7a46ae7e9259c12bb34d
Opcode Fuzzy Hash: 8206615bb7ceefce2f82579a7dc6db439a0f0e840ae8d9af6a5bc86a113fb587
Instruction Fuzzy Hash: 16E0C975B500188B9F90FBA9D8554ED77F1EF88614B0084A5E509E7354EE289C528B61

Uniqueness

Uniqueness Score: -1.00%

Function 0136D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.601613719.000000000136D000.00000040.00000001.sdmp, Offset: 0136D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36853e9317b4a480b810890274b1c275ee19ed5ec338f230138f37b9b57f8dfe
Instruction ID: 9fc7aaef57938142ebaff74c2e9044ac16bacac5aea24e7830949264076d151c
Opcode Fuzzy Hash: 36853e9317b4a480b810890274b1c275ee19ed5ec338f230138f37b9b57f8dfe
Instruction Fuzzy Hash: 14212571604244EFDB11DF54D8C0B26BB69FB8435CF24C56DE9894B24AC336D807CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0136D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.601613719.000000000136D000.00000040.00000001.sdmp, Offset: 0136D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e28340385b1710160ca1763a38498d136049f55007f6243fe0149fbfabe2558
Instruction ID: f379767ca955e96c5de5fcd35c22693d252e932d63b32f1793039f64dd1bf1c5
Opcode Fuzzy Hash: 8e28340385b1710160ca1763a38498d136049f55007f6243fe0149fbfabe2558
Instruction Fuzzy Hash: BC118E75504280DFDB12CF54D5C4B15BB71FB85318F24C6A9D8494B65AC33AD44BCB61

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SAUDI ARAMCO Tender Documents - BOQ and ITB.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre