Play interactive tour

Edit tour

Windows Analysis Report ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

Overview

General Information

Sample Name:	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe
Analysis ID:	458887
MD5:	4eb106d21c787c7b4215721673e15b39
SHA1:	2600e6b0ea8e3d39d4001ed0f8a35a87fc716566
SHA256:	9fcdd20c1848723a889fd4ebb88e52a2cb9fae8ec9e8cfe70d8e9706ef3e8992
Tags:	exenull
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Binary contains a suspicious time stamp

Contains functionality to detect virtual machines (SGDT)

Contains functionality to detect virtual machines (SMSW)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe (PID: 5748 cmdline: 'C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe' MD5: 4EB106D21C787C7B4215721673E15B39)

ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe (PID: 7008 cmdline: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe MD5: 4EB106D21C787C7B4215721673E15B39)

EnhancementRadio.exe (PID: 7104 cmdline: 'C:\Users\user\AppData\Local\EnhancementRadio.exe' MD5: 4EB106D21C787C7B4215721673E15B39)

EnhancementRadio.exe (PID: 4308 cmdline: 'C:\Users\user\AppData\Local\EnhancementRadio.exe' MD5: 4EB106D21C787C7B4215721673E15B39)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "serena@mbalikova.com", "Password": "Pp88347521@", "Host": "mail.privateemail.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000017.00000002.471689095.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000017.00000002.471689095.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.378683076.0000000003B78000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.378683076.0000000003B78000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000017.00000002.476536239.0000000002C11000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.378760193.0000000003C07000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.378760193.0000000003C07000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.378128189.0000000003A31000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.378128189.0000000003A31000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.375822190.0000000002B18000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.375822190.0000000002B18000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Process Memory Space: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe PID: 5748	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe PID: 7008	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe PID: 7008	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author
1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3c07d60.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3c07d60.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3bb7d40.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3bb7d40.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3c07d60.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3c07d60.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3b8fd20.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3b8fd20.5.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
23.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
23.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3ab0f50.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3ab0f50.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3a39930.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3a39930.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3bb7d40.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3bb7d40.4.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 11 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3c07d60.6.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "serena@mbalikova.com", "Password": "Pp88347521@", "Host": "mail.privateemail.com"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Metadefender: Detection: 40%	Perma Link
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Metadefender: Detection: 40%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	ReversingLabs: Detection: 60%

Multi AV Scanner detection for submitted file

Show sources

Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Virustotal: Detection: 62%	Perma Link
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Metadefender: Detection: 40%	Perma Link
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	ReversingLabs: Detection: 60%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

Joe Sandbox ML: detected

Source: 23.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000017.00000002.476536239.0000000002C11000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000017.00000002.476536239.0000000002C11000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000017.00000002.476536239.0000000002C11000.00000004.00000001.sdmp	String found in binary or memory: http://yFwcGw.com
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.378683076.0000000003B78000.00000004.00000001.sdmp, ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000017.00000002.471689095.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000017.00000002.476536239.0000000002C11000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 23.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b8B859ACDu002dEC05u002d4F97u002dA182u002d503756A5D418u007d/u003551ECFC5u002d5F7Au002d4F71u002dA5B9u002dC0011D79C891.cs

Large array initialization: .cctor: array initializer size 11762

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Code function: 1_2_053F1D0C	1_2_053F1D0C
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Code function: 1_2_053F2580	1_2_053F2580
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Code function: 1_2_053F1CDC	1_2_053F1CDC
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Code function: 1_2_053FB078	1_2_053FB078
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Code function: 1_2_053FB088	1_2_053FB088
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Code function: 1_2_053F3A70	1_2_053F3A70
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Code function: 1_2_053F3A80	1_2_053F3A80
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Code function: 1_2_08BF8640	1_2_08BF8640
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Code function: 1_2_08BF5560	1_2_08BF5560
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Code function: 1_2_08BF5552	1_2_08BF5552
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Code function: 1_2_08BF868B	1_2_08BF868B
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Code function: 1_2_08BF8630	1_2_08BF8630
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Code function: 23_2_02A046E0	23_2_02A046E0
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Code function: 23_2_02A045F0	23_2_02A045F0
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Code function: 24_2_0109E7C0	24_2_0109E7C0
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Code function: 24_2_0109E7D0	24_2_0109E7D0
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Code function: 24_2_0109D6D4	24_2_0109D6D4
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Code function: 24_2_08725560	24_2_08725560
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Code function: 24_2_08725552	24_2_08725552
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Code function: 24_2_08725532	24_2_08725532
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Code function: 24_2_08877F90	24_2_08877F90
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Code function: 26_2_0287E7C3	26_2_0287E7C3
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Code function: 26_2_0287E7D0	26_2_0287E7D0
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Code function: 26_2_0287D6D4	26_2_0287D6D4
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Code function: 26_2_087A7F90	26_2_087A7F90

Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.382320806.0000000007370000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dllj% vs ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000000.204729570.00000000006BA000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameown.exe vs ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.383035381.0000000008A90000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWoanfffwean.dll" vs ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.378683076.0000000003B78000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameBVoWIYyQAeyHveWEjGRLxTDoHTkDhenJQ.exe4 vs ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.375325730.0000000002A31000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.383133526.0000000008B10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.381963624.0000000007240000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.375822190.0000000002B18000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameclrjit.dllT vs ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000003.371342233.0000000003C5E000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameJhtolvacgwrosce.dll@ vs ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000017.00000000.372930516.000000000087A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameown.exe vs ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000017.00000002.472265201.0000000000438000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameBVoWIYyQAeyHveWEjGRLxTDoHTkDhenJQ.exe4 vs ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000017.00000002.480718419.00000000050F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Binary or memory string: OriginalFilenameown.exe vs ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: EnhancementRadio.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 23.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 23.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@5/5@0/0

Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

File created: C:\Users\user\AppData\Local\EnhancementRadio.exe

Jump to behavior

Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

File created: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

Jump to behavior

Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Virustotal: Detection: 62%
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Metadefender: Detection: 40%
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

File read: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe 'C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe'
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process created: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\EnhancementRadio.exe 'C:\Users\user\AppData\Local\EnhancementRadio.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\EnhancementRadio.exe 'C:\Users\user\AppData\Local\EnhancementRadio.exe'
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process created: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, Wuxppeyyvhchfuadyyylbmc/Form1.cs	.Net Code: InterruptExporter System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: EnhancementRadio.exe.1.dr, Wuxppeyyvhchfuadyyylbmc/Form1.cs	.Net Code: InterruptExporter System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.1.dr, Wuxppeyyvhchfuadyyylbmc/Form1.cs	.Net Code: InterruptExporter System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.630000.0.unpack, Wuxppeyyvhchfuadyyylbmc/Form1.cs	.Net Code: InterruptExporter System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 23.0.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.7f0000.0.unpack, Wuxppeyyvhchfuadyyylbmc/Form1.cs	.Net Code: InterruptExporter System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 23.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.7f0000.1.unpack, Wuxppeyyvhchfuadyyylbmc/Form1.cs	.Net Code: InterruptExporter System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 24.2.EnhancementRadio.exe.660000.0.unpack, Wuxppeyyvhchfuadyyylbmc/Form1.cs	.Net Code: InterruptExporter System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 24.0.EnhancementRadio.exe.660000.0.unpack, Wuxppeyyvhchfuadyyylbmc/Form1.cs	.Net Code: InterruptExporter System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 26.0.EnhancementRadio.exe.550000.0.unpack, Wuxppeyyvhchfuadyyylbmc/Form1.cs	.Net Code: InterruptExporter System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 26.2.EnhancementRadio.exe.550000.0.unpack, Wuxppeyyvhchfuadyyylbmc/Form1.cs	.Net Code: InterruptExporter System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

Static PE information: 0xB5F6BF93 [Mon Sep 27 21:03:15 2066 UTC]

Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Code function: 1_2_08BF18AA push ebp; iretd	1_2_08BF18B0
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Code function: 23_2_02A0DD78 push FFFFFF8Bh; iretd	23_2_02A0DD7B
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Code function: 24_2_087218AA push ebp; iretd	24_2_087218B0
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Code function: 26_2_08AD4D86 push ss; retf	26_2_08AD4D87

Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	File created: C:\Users\user\AppData\Local\EnhancementRadio.exe			Jump to dropped file
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	File created: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe			Jump to dropped file

Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run EnhancementRadio			Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run EnhancementRadio			Jump to behavior

Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.375325730.0000000002A31000.00000004.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.478067132.0000000002BA2000.00000004.00000001.sdmp

Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE

Source: C:\Users\user\AppData\Local\EnhancementRadio.exe

Code function: 24_2_01094291 sgdt fword ptr [eax]

24_2_01094291

Source: C:\Users\user\AppData\Local\EnhancementRadio.exe

Code function: 24_2_01094508 smsw word ptr [eax+55011068h]

24_2_01094508

Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Window / User API: threadDelayed 2772	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Window / User API: threadDelayed 517	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Window / User API: threadDelayed 9327	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Window / User API: threadDelayed 421	Jump to behavior

Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe TID: 5336	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe TID: 7132	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe TID: 7136	Thread sleep count: 517 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe TID: 7136	Thread sleep count: 9327 > 30	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\AppData\Local\EnhancementRadio.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: EnhancementRadio.exe, 00000018.00000002.478067132.0000000002BA2000.00000004.00000001.sdmp	Binary or memory string: 0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Binary or memory string: 2cmE/Z35WJiUQh/ZWUm13BeLzq+2PNsSKHXlddu9ZSHgfSCbSOXjO/o8c/PYX2RfnVJv5ecE1bTJ+
Source: EnhancementRadio.exe, 00000018.00000002.478067132.0000000002BA2000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000003.371342233.0000000003C5E000.00000004.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.479441536.0000000003AC9000.00000004.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000003.471324933.0000000003DC8000.00000004.00000001.sdmp	Binary or memory string: e2cmE/Z35WJiUQh/ZWUm13BeLzq+2PNsSKHXlddu9ZSHgfSCbSOXjO/o8c/PYX2RfnVJv5ecE1bTJ+Zf
Source: EnhancementRadio.exe, 00000018.00000002.478067132.0000000002BA2000.00000004.00000001.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual

Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

Memory written: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Memory written: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Memory written: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Memory written: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe base: 438000	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Memory written: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe base: 43A000	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Memory written: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe base: ACE008	Jump to behavior

Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

Process created: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

Jump to behavior

Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000017.00000002.475723469.0000000001560000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.475849847.00000000014C0000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.476032487.00000000013E0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000017.00000002.475723469.0000000001560000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.475849847.00000000014C0000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.476032487.00000000013E0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000017.00000002.475723469.0000000001560000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.475849847.00000000014C0000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.476032487.00000000013E0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000017.00000002.475723469.0000000001560000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.475849847.00000000014C0000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.476032487.00000000013E0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Queries volume information: C:\Users\user\AppData\Local\EnhancementRadio.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Queries volume information: C:\Users\user\AppData\Local\EnhancementRadio.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\EnhancementRadio.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3c07d60.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3bb7d40.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3c07d60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3b8fd20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3ab0f50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3a39930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3bb7d40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.471689095.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.378683076.0000000003B78000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.378760193.0000000003C07000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.378128189.0000000003A31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.375822190.0000000002B18000.00000004.00000001.sdmp, type: MEMORY

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3c07d60.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3bb7d40.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3c07d60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3b8fd20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3ab0f50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3a39930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3bb7d40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.471689095.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.378683076.0000000003B78000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.378760193.0000000003C07000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.378128189.0000000003A31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.375822190.0000000002B18000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe PID: 5748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe PID: 7008, type: MEMORYSTR

Source: Yara match	File source: 00000017.00000002.476536239.0000000002C11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe PID: 7008, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3c07d60.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3bb7d40.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3c07d60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3b8fd20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3ab0f50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3a39930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3bb7d40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.471689095.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.378683076.0000000003B78000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.378760193.0000000003C07000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.378128189.0000000003A31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.375822190.0000000002B18000.00000004.00000001.sdmp, type: MEMORY

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3c07d60.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3bb7d40.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3c07d60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3b8fd20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3ab0f50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3a39930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.3bb7d40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.471689095.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.378683076.0000000003B78000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.378760193.0000000003C07000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.378128189.0000000003A31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.375822190.0000000002B18000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe PID: 5748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe PID: 7008, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Registry Run Keys / Startup Folder1	Process Injection212	Masquerading1	OS Credential Dumping	Security Software Discovery311	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion151	Security Account Manager	Virtualization/Sandbox Evasion151	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection212	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	System Information Discovery113	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing12	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Timestomp1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	63%	Virustotal		Browse
ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	46%	Metadefender		Browse
ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\EnhancementRadio.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\EnhancementRadio.exe	46%	Metadefender		Browse
C:\Users\user\AppData\Local\EnhancementRadio.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	46%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
23.2.ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://yFwcGw.com	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000017.00000002.476536239.0000000002C11000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.apache.org/licenses/LICENSE-2.0	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	false		high
http://DynDns.comDynDNS	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000017.00000002.476536239.0000000002C11000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000017.00000002.476536239.0000000002C11000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	false		high
http://www.tiro.com	EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	false		high
http://yFwcGw.com	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000017.00000002.476536239.0000000002C11000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	false		high
http://www.fonts.com	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.380642858.0000000005980000.00000002.00000001.sdmp, EnhancementRadio.exe, 00000018.00000002.485180258.0000000005A00000.00000002.00000001.sdmp, EnhancementRadio.exe, 0000001A.00000002.485005111.0000000005A80000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000001.00000002.378683076.0000000003B78000.00000004.00000001.sdmp, ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe, 00000017.00000002.471689095.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458887
Start date:	03.08.2021
Start time:	20:42:33
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@5/5@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 95% Number of executed functions: 124 Number of non-executed functions: 11
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:44:42	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run EnhancementRadio "C:\Users\user\AppData\Local\EnhancementRadio.exe"
20:44:50	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run EnhancementRadio "C:\Users\user\AppData\Local\EnhancementRadio.exe"
20:44:51	API Interceptor	267x Sleep call for process: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\EnhancementRadio.exe Download File
Process:	C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	584704
Entropy (8bit):	6.428997462356413
Encrypted:	false
SSDEEP:	12288:jb4ltZl87PVptm3TE8cCbUCOF1gJ3ntYJZ1iDwfUR8K:jbytZmBAbu1S9YJZJc
MD5:	4EB106D21C787C7B4215721673E15B39
SHA1:	2600E6B0EA8E3D39D4001ED0F8A35A87FC716566
SHA-256:	9FCDD20C1848723A889FD4EBB88E52A2CB9FAE8EC9E8CFE70D8E9706EF3E8992
SHA-512:	69BF8422C1102C6EE99139CB80070E0955D6B192DE831A577AE308A2460D5A52E975C358CA275A5E0015293A98ABA341BD7249842C073A911D34168B1B864A69
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 46%, Browse Antivirus: ReversingLabs, Detection: 61%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..n...\|........... ........@.. .......................@............@.....................................K........x................... ....................................................... ............... ..H............text...4m... ...n.................. ..`.rsrc....x.......z...p..............@..@.reloc....... ......................@..B........................H....... 4..8,..........X`...,..........................................^.(....8.....(....8....r.(....8.....{....o....8........0..........8}.......E....x...8s....{....o....s....%..(....(....o....&8.......X..8.... ....(....8.....{....o....s....%..(....o....o....&8h......8V...8u...8........?z...8!..........s....s....%o....o....8\|...... ....~"...94...& ....8)...8....8-... ....(....8G......X..8........?M...8.......0..........8....(......o....(......o......8.....{....(.....o..

C:\Users\user\AppData\Local\EnhancementRadio.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe.log Download File
Process:	C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1119
Entropy (8bit):	5.356708753875314
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
MD5:	3197B1D4714B56F2A6AC9E83761739AE
SHA1:	3B38010F0DF51C1D4D2C020138202DABB686741D
SHA-256:	40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
SHA-512:	58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe Download File
Process:	C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	584704
Entropy (8bit):	6.428997462356413
Encrypted:	false
SSDEEP:	12288:jb4ltZl87PVptm3TE8cCbUCOF1gJ3ntYJZ1iDwfUR8K:jbytZmBAbu1S9YJZJc
MD5:	4EB106D21C787C7B4215721673E15B39
SHA1:	2600E6B0EA8E3D39D4001ED0F8A35A87FC716566
SHA-256:	9FCDD20C1848723A889FD4EBB88E52A2CB9FAE8EC9E8CFE70D8E9706EF3E8992
SHA-512:	69BF8422C1102C6EE99139CB80070E0955D6B192DE831A577AE308A2460D5A52E975C358CA275A5E0015293A98ABA341BD7249842C073A911D34168B1B864A69
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 46%, Browse Antivirus: ReversingLabs, Detection: 61%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..n...\|........... ........@.. .......................@............@.....................................K........x................... ....................................................... ............... ..H............text...4m... ...n.................. ..`.rsrc....x.......z...p..............@..@.reloc....... ......................@..B........................H....... 4..8,..........X`...,..........................................^.(....8.....(....8....r.(....8.....{....o....8........0..........8}.......E....x...8s....{....o....s....%..(....(....o....&8.......X..8.... ....(....8.....{....o....s....%..(....o....o....&8h......8V...8u...8........?z...8!..........s....s....%o....o....8\|...... ....~"...94...& ....8)...8....8-... ....(....8G......X..8........?M...8.......0..........8....(......o....(......o......8.....{....(.....o..

C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.428997462356413
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe
File size:	584704
MD5:	4eb106d21c787c7b4215721673e15b39
SHA1:	2600e6b0ea8e3d39d4001ed0f8a35a87fc716566
SHA256:	9fcdd20c1848723a889fd4ebb88e52a2cb9fae8ec9e8cfe70d8e9706ef3e8992
SHA512:	69bf8422c1102c6ee99139cb80070e0955d6b192de831a577ae308a2460d5a52e975c358ca275a5e0015293a98aba341bd7249842c073a911d34168b1b864a69
SSDEEP:	12288:jb4ltZl87PVptm3TE8cCbUCOF1gJ3ntYJZ1iDwfUR8K:jbytZmBAbu1S9YJZJc
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..n...\|........... ........@.. .......................@............@................................

File Icon


Icon Hash:	60d8c8c9c9e9c1c8

Static PE Info

General
Entrypoint:	0x488d2e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xB5F6BF93 [Mon Sep 27 21:03:15 2066 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x88ce0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8a000	0x78a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x92000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x86d34	0x86e00	False	0.70304716462	data	6.18965039171	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x8a000	0x78a4	0x7a00	False	0.887102971311	data	7.74086473521	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x92000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x8a130	0x64a9	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0x905dc	0x14	data
RT_VERSION	0x905f0	0x56c	data
RT_MANIFEST	0x90b5c	0xd48	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright
Assembly Version	0.0.0.0
InternalName	own.exe
FileVersion	0.0.0.0
CompanyName	Raimersoft
LegalTrademarks
Comments	TapinRadio Setup
ProductName	TapinRadio
ProductVersion	0.0.0.0
FileDescription	TapinRadio Setup
OriginalFilename	own.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe PID: 5748 Parent PID: 5644

General

Start time:	20:43:22
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe'
Imagebase:	0x630000
File size:	584704 bytes
MD5 hash:	4EB106D21C787C7B4215721673E15B39
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.378683076.0000000003B78000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.378683076.0000000003B78000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.378760193.0000000003C07000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.378760193.0000000003C07000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.378128189.0000000003A31000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.378128189.0000000003A31000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.375822190.0000000002B18000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.375822190.0000000002B18000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe PID: 7008 Parent PID: 5748

General

Start time:	20:44:40
Start date:	03/08/2021
Path:	C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe
Imagebase:	0x7f0000
File size:	584704 bytes
MD5 hash:	4EB106D21C787C7B4215721673E15B39
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.471689095.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000002.471689095.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000002.476536239.0000000002C11000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 46%, Metadefender, Browse Detection: 61%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: EnhancementRadio.exe PID: 7104 Parent PID: 3388

General

Start time:	20:44:50
Start date:	03/08/2021
Path:	C:\Users\user\AppData\Local\EnhancementRadio.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\EnhancementRadio.exe'
Imagebase:	0x660000
File size:	584704 bytes
MD5 hash:	4EB106D21C787C7B4215721673E15B39
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 46%, Metadefender, Browse Detection: 61%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: EnhancementRadio.exe PID: 4308 Parent PID: 3388

General

Start time:	20:44:59
Start date:	03/08/2021
Path:	C:\Users\user\AppData\Local\EnhancementRadio.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\EnhancementRadio.exe'
Imagebase:	0x550000
File size:	584704 bytes
MD5 hash:	4EB106D21C787C7B4215721673E15B39
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe PID: 5748 Parent PID: 5644 ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exeCOMMON

Executed Functions

Function 08BF868B, Relevance: 2.7, Strings: 2, Instructions: 235COMMON

Download Yara Rule

Strings

0T3, xrefs: 08BF8771
pl!, xrefs: 08BF8869

Memory Dump Source

Source File: 00000001.00000002.383279979.0000000008BF0000.00000040.00000001.sdmp, Offset: 08BF0000, based on PE: false

Similarity

API ID:
String ID: pl!$0T3
API String ID: 0-991721684
Opcode ID: 8d0de2fe686f148dbdb9108cac8e9942bedccacae4f778f9e43633f064a85bab
Instruction ID: ce97f462fb4287121e7814d1217306ab401568cc0481339180461db6ec2b4f9f
Opcode Fuzzy Hash: 8d0de2fe686f148dbdb9108cac8e9942bedccacae4f778f9e43633f064a85bab
Instruction Fuzzy Hash: 3FA1B0B0B14248DFDB44EF68D8549AD7BB2FB85300F50853AE112AB3A8DB71AC46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 08BF8630, Relevance: 2.7, Strings: 2, Instructions: 227COMMON

Download Yara Rule

Strings

0T3, xrefs: 08BF8771
pl!, xrefs: 08BF8869

Memory Dump Source

Source File: 00000001.00000002.383279979.0000000008BF0000.00000040.00000001.sdmp, Offset: 08BF0000, based on PE: false

Similarity

API ID:
String ID: pl!$0T3
API String ID: 0-991721684
Opcode ID: 1c19c756293737cf51b6f83ba3a1d991c793813c61e902316d13cef1fe63736a
Instruction ID: 7919d9208523c62ace76dcf3ad9ac61f7a902207b654c4c189b8c47013b4d588
Opcode Fuzzy Hash: 1c19c756293737cf51b6f83ba3a1d991c793813c61e902316d13cef1fe63736a
Instruction Fuzzy Hash: 08A1B0B0B14248DFDB44EF68D8549AD7BB2FB85300F50856AE112AB3A8DB719D46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 08BF8640, Relevance: 2.7, Strings: 2, Instructions: 225COMMON

Download Yara Rule

Strings

0T3, xrefs: 08BF8771
pl!, xrefs: 08BF8869

Memory Dump Source

Source File: 00000001.00000002.383279979.0000000008BF0000.00000040.00000001.sdmp, Offset: 08BF0000, based on PE: false

Similarity

API ID:
String ID: pl!$0T3
API String ID: 0-991721684
Opcode ID: b6c25530e053f9be951ed01f50bd65ea9b24944dd26f5b9e1e167bd4826b8ff4
Instruction ID: ae65dac45fd79f6ac3523b9ca71cbf43cf34db2e2c9cb2a7931e7678d4e02999
Opcode Fuzzy Hash: b6c25530e053f9be951ed01f50bd65ea9b24944dd26f5b9e1e167bd4826b8ff4
Instruction Fuzzy Hash: E6A191B0B14248DFDB44EF68D8549AD7BB2FB85300F50853AE116AB3A8DB71AD46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 08BF93E4, Relevance: 1.7, APIs: 1, Instructions: 249processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08BF9626

Memory Dump Source

Source File: 00000001.00000002.383279979.0000000008BF0000.00000040.00000001.sdmp, Offset: 08BF0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5c7ad4ad01f4d567f116aeef9dbf1d1fcc9997000fddc593988811bcca68500e
Instruction ID: 0164a348a8bc469f25ee0f5287a250efaada7f3dbb5ed3128b02b07bcbc632e4
Opcode Fuzzy Hash: 5c7ad4ad01f4d567f116aeef9dbf1d1fcc9997000fddc593988811bcca68500e
Instruction Fuzzy Hash: 78A16C71D00219DFDB20DFA8C8807EEBBB2FF48315F1485A9E919A7250DB749989CF91

Uniqueness

Uniqueness Score: -1.00%

Function 08BF93B0, Relevance: 1.7, APIs: 1, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.383279979.0000000008BF0000.00000040.00000001.sdmp, Offset: 08BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fefcf905e44a1c6b3e914941f67ce4dafbf386e3de113581fef3f72a8dbee083
Instruction ID: b2bebef8ad8e9a6ce69123ca9f0522e9058c7649f83dcc8577dc6776c3e8673c
Opcode Fuzzy Hash: fefcf905e44a1c6b3e914941f67ce4dafbf386e3de113581fef3f72a8dbee083
Instruction Fuzzy Hash: F8917C71D00219DFDB20DFA8C8807EEBBB2FF48315F1485A9E909A7251DB749989CF91

Uniqueness

Uniqueness Score: -1.00%

Function 08BF93F0, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08BF9626

Memory Dump Source

Source File: 00000001.00000002.383279979.0000000008BF0000.00000040.00000001.sdmp, Offset: 08BF0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 49c3d2fac2166bc3c1e7a824bd7b95fc0204e46b033fd57a99022025c97af270
Instruction ID: b111f307c8b5144994f9828bfec65878e65cf7e30ea9de912599ad67e94d5e1d
Opcode Fuzzy Hash: 49c3d2fac2166bc3c1e7a824bd7b95fc0204e46b033fd57a99022025c97af270
Instruction Fuzzy Hash: D7916C71D00219DFDB20DFA9C8807EEBBB2FF48315F1485A9E909A7250DB749989CF91

Uniqueness

Uniqueness Score: -1.00%

Function 08BFA064, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 08BFA171

Memory Dump Source

Source File: 00000001.00000002.383279979.0000000008BF0000.00000040.00000001.sdmp, Offset: 08BF0000, based on PE: false

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: bd0e3ab8a1acd4656f1c73f9c4b97b38ed8b8fb1e2dc28f3622590a54699fb27
Instruction ID: a6f27d793079843c3bd1ec1fb2ac7efa6250769b496b5bd858262f6791428296
Opcode Fuzzy Hash: bd0e3ab8a1acd4656f1c73f9c4b97b38ed8b8fb1e2dc28f3622590a54699fb27
Instruction Fuzzy Hash: E1415470D002188FCB18CFA9C894BDEBBB1BF49319F15816DE819AB691C7749989CF91

Uniqueness

Uniqueness Score: -1.00%

Function 08BFA070, Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 08BFA171

Memory Dump Source

Source File: 00000001.00000002.383279979.0000000008BF0000.00000040.00000001.sdmp, Offset: 08BF0000, based on PE: false

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: 320bec235b90d4991537bc7b40b83085ed7c743146fded8f67cecb5591a1c6fc
Instruction ID: f8ccc02d7c1875c592bb773b1670e2597ef72f01e467c7866cb8974d33858789
Opcode Fuzzy Hash: 320bec235b90d4991537bc7b40b83085ed7c743146fded8f67cecb5591a1c6fc
Instruction Fuzzy Hash: 04416570D002188FCB18CFA9C894BDEBBF1BF49318F15816DE819AB751D7749989CB90

Uniqueness

Uniqueness Score: -1.00%

Function 08BF8F8A, Relevance: 1.6, APIs: 1, Instructions: 81threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 08BF900E

Memory Dump Source

Source File: 00000001.00000002.383279979.0000000008BF0000.00000040.00000001.sdmp, Offset: 08BF0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: e2870705e7fbc82124c2c9552bef4442db99745c1e27f634d3f238c3ef234306
Instruction ID: 313cd9b838d4e63610c33a3f71db855da721ed66346ccec15937d5143b5551b5
Opcode Fuzzy Hash: e2870705e7fbc82124c2c9552bef4442db99745c1e27f634d3f238c3ef234306
Instruction Fuzzy Hash: C23189719043488FCB10DFA9C8807EEBBF4EF88254F14846AD559AB752CB389949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08BF91E0, Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08BF9278

Memory Dump Source

Source File: 00000001.00000002.383279979.0000000008BF0000.00000040.00000001.sdmp, Offset: 08BF0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7e9454ee83a3ec37361aaa4958c1c6e017ef0256e70f91e1c5433676bd15c43f
Instruction ID: d7d39e71cdfeab542d458eaad48748d2f628e2487a5e69da37b6ce1fa6ede26c
Opcode Fuzzy Hash: 7e9454ee83a3ec37361aaa4958c1c6e017ef0256e70f91e1c5433676bd15c43f
Instruction Fuzzy Hash: 932146B19002099FCB10CFA9C9847DEBBF5FF48314F00842AE918A7750D7789955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08BF6661, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,00000000,?), ref: 08BF6701

Memory Dump Source

Source File: 00000001.00000002.383279979.0000000008BF0000.00000040.00000001.sdmp, Offset: 08BF0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 04773f9fbbdc752022b58fcc0615132ffbce016eadd3b73808b6c02ae36578fb
Instruction ID: 5dc3ee3ba74e8da86b21ce6485910015084cbed960c86eca1f8bff42da74bd15
Opcode Fuzzy Hash: 04773f9fbbdc752022b58fcc0615132ffbce016eadd3b73808b6c02ae36578fb
Instruction Fuzzy Hash: 8F215AB1D012199FCB10CFA9D8847EEFBF4EF48321F14806AE818AB241D7749A44CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 08BF6668, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,00000000,?), ref: 08BF6701

Memory Dump Source

Source File: 00000001.00000002.383279979.0000000008BF0000.00000040.00000001.sdmp, Offset: 08BF0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: f55302e9c841b07e818e32a6f0a764e67abcd368671f53302d7d61d506e4be20
Instruction ID: 53b3637aa19d9e1c975c5b3fb95c0e0a90f522e84c24fc737e293aa857650378
Opcode Fuzzy Hash: f55302e9c841b07e818e32a6f0a764e67abcd368671f53302d7d61d506e4be20
Instruction Fuzzy Hash: 2E213BB1D012199FCB10CFA9D9847EEFBF4EF48320F14816AE818AB241D7749A44CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 08BF91E8, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08BF9278

Memory Dump Source

Source File: 00000001.00000002.383279979.0000000008BF0000.00000040.00000001.sdmp, Offset: 08BF0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 9f080064604ccbfce967fabf74af6b66a6f29f0d783aa3c7fdfeff68fa1ea46c
Instruction ID: 364a0d28702f4ac5b8cac1735b686087a7f30c667a587b20249eda0442a71c50
Opcode Fuzzy Hash: 9f080064604ccbfce967fabf74af6b66a6f29f0d783aa3c7fdfeff68fa1ea46c
Instruction Fuzzy Hash: 312125719003499FCF10CFA9C884BEEBBF5FF48324F00842AE919A7641DB789954CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 08BF6741, Relevance: 1.6, APIs: 1, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,00000000,?), ref: 08BF6701

Memory Dump Source

Source File: 00000001.00000002.383279979.0000000008BF0000.00000040.00000001.sdmp, Offset: 08BF0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: bcdce071e6049f2fccab1e099b35505cb7f21edce7e34f1aad38dfcbec5c5cc3
Instruction ID: e10d9cdde3a1d4434ea6fe107c081f0207a3a7fd1c2d9e142d1f6886d9c07188
Opcode Fuzzy Hash: bcdce071e6049f2fccab1e099b35505cb7f21edce7e34f1aad38dfcbec5c5cc3
Instruction Fuzzy Hash: 6721CFB4904204CFDB10DF68D4447DDBFF0EB66326F1481EADA54AB242CB368989DB65

Uniqueness

Uniqueness Score: -1.00%

Function 08BF9A31, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(00000000,?,?), ref: 08BF9ABB

Memory Dump Source

Source File: 00000001.00000002.383279979.0000000008BF0000.00000040.00000001.sdmp, Offset: 08BF0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 3103d00daaa8732d63e9f48d4b8d9acadba759c152ce5a55510d0f3485a7106d
Instruction ID: 284ba5193adf2a35ba01e16a9dd1f38c648e59ff55ec7f4a508274d450a42f27
Opcode Fuzzy Hash: 3103d00daaa8732d63e9f48d4b8d9acadba759c152ce5a55510d0f3485a7106d
Instruction Fuzzy Hash: C52123B1E006199FCB00CF99D980BDEFBB4FB48311F00812AE518A7740D774A9548BA5

Uniqueness

Uniqueness Score: -1.00%

Function 08BF8F90, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 08BF900E

Memory Dump Source

Source File: 00000001.00000002.383279979.0000000008BF0000.00000040.00000001.sdmp, Offset: 08BF0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: e3da762b69984457bd924f76f50bcacbcee525dd1c916886ec4410401f4cb5f7
Instruction ID: 51cb084349bc2b59710c1dae57609435cae736d93643b7ef3d8e2e2efd525302
Opcode Fuzzy Hash: e3da762b69984457bd924f76f50bcacbcee525dd1c916886ec4410401f4cb5f7
Instruction Fuzzy Hash: AD213871D002098FCB10CFAAC4847EEBBF4EF88224F54842AD559A7640DB789945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 08BF9A38, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(00000000,?,?), ref: 08BF9ABB

Memory Dump Source

Source File: 00000001.00000002.383279979.0000000008BF0000.00000040.00000001.sdmp, Offset: 08BF0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: ccf0759045419ac50185af06e94e583844023e7992fcdf43e766aaa8fca4b2bb
Instruction ID: 13f9d7e978240538592614756147c4c6dbc1406db6823fcee631cb5b4a60848c
Opcode Fuzzy Hash: ccf0759045419ac50185af06e94e583844023e7992fcdf43e766aaa8fca4b2bb
Instruction Fuzzy Hash: D02115B1D016199FCB10CF99C885BDEFBF4FB48320F00812AE518A7740D774A954CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 08BFA679, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00000000,?), ref: 08BFA6F8

Memory Dump Source

Source File: 00000001.00000002.383279979.0000000008BF0000.00000040.00000001.sdmp, Offset: 08BF0000, based on PE: false

Similarity

API ID: ChildEnumWindows
String ID:
API String ID: 3555792229-0
Opcode ID: cd8dfa854fd81cfcfe76c92dc9fdfa9579b85c874d9b00bc4e1a6bf00b63440c
Instruction ID: 45b9dbbb4026d5a7e0d6cb761837f9a5f701daad9e7196c10fcffc68cf1bfc10
Opcode Fuzzy Hash: cd8dfa854fd81cfcfe76c92dc9fdfa9579b85c874d9b00bc4e1a6bf00b63440c
Instruction Fuzzy Hash: E9214971E002198FDB14CFA9C844BEEBBF5EF98314F14842AE419A7650DB78A945CF61

Uniqueness

Uniqueness Score: -1.00%

Function 08BFA680, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00000000,?), ref: 08BFA6F8

Memory Dump Source

Source File: 00000001.00000002.383279979.0000000008BF0000.00000040.00000001.sdmp, Offset: 08BF0000, based on PE: false

Similarity

API ID: ChildEnumWindows
String ID:
API String ID: 3555792229-0
Opcode ID: 4c5c70822e09a417bb0b0fa8b7b22474e9125fcb572f469bf468d01dd6b2dcc0
Instruction ID: 7b3b2cdf1a339fdde944c3c4c45e6a9c0868fe39ac2266d14388e91ce6710c3e
Opcode Fuzzy Hash: 4c5c70822e09a417bb0b0fa8b7b22474e9125fcb572f469bf468d01dd6b2dcc0
Instruction Fuzzy Hash: A9214771D002198FDB14CFAAC844BEEFBF5EF88324F04842AE419A7650DB74A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 08BF9F31, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 08BF9FAB

Memory Dump Source

Source File: 00000001.00000002.383279979.0000000008BF0000.00000040.00000001.sdmp, Offset: 08BF0000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 5ab4bf78dad3f469d66c5dcce4885abfcd3abac34391322e9a4279b53b3c887e
Instruction ID: 05b8419b173bb90dccb909919a8b697c420a6b46a6c25e68db8e1ee658ee8353
Opcode Fuzzy Hash: 5ab4bf78dad3f469d66c5dcce4885abfcd3abac34391322e9a4279b53b3c887e
Instruction Fuzzy Hash: 7B2138B1D002098FCB10CF99C584BDEBBF4EF48321F158429E568A7700D778AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08BF9F38, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 08BF9FAB

Memory Dump Source

Source File: 00000001.00000002.383279979.0000000008BF0000.00000040.00000001.sdmp, Offset: 08BF0000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: c02386907e8857bde5364b3678591155484e1c37796d2f08e97b4e90778c5fe7
Instruction ID: 4e3f8997f9ac31b785cedd917519f4360d80591b4c63f0ed4de5620f23267876
Opcode Fuzzy Hash: c02386907e8857bde5364b3678591155484e1c37796d2f08e97b4e90778c5fe7
Instruction Fuzzy Hash: A421D6B5D002099FCB10CF9AC484BDEBBF4EF88324F158429E568A7640D779AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08BF90F2, Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08BF9166

Memory Dump Source

Source File: 00000001.00000002.383279979.0000000008BF0000.00000040.00000001.sdmp, Offset: 08BF0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: aab4d23a66115d06ce2315e86acc06bc4650812ea71431f8a0494c2719860fe5
Instruction ID: 73e9635a5a01d8b2acb8b4603a3c495418f86d5c6a41a0f83f7d5b7f64062429
Opcode Fuzzy Hash: aab4d23a66115d06ce2315e86acc06bc4650812ea71431f8a0494c2719860fe5
Instruction Fuzzy Hash: CF1126B29002499FCF10DFA9C8447DFBFF5AF88324F14882AE515A7650CB759A54CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08BF90F8, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08BF9166

Memory Dump Source

Source File: 00000001.00000002.383279979.0000000008BF0000.00000040.00000001.sdmp, Offset: 08BF0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f4dac9bcee48170d82d82a11d1422b3e6a4d9dcd103e3a8456b5dcd5c9ad22b5
Instruction ID: 51cbbf3ee44d949ae82aad38df15fcc5ee62fb506b9059a8903251e3ab6c5668
Opcode Fuzzy Hash: f4dac9bcee48170d82d82a11d1422b3e6a4d9dcd103e3a8456b5dcd5c9ad22b5
Instruction Fuzzy Hash: 7C1126719002499FCB10DFA9C8447DFBFF5AF88324F148829E515A7650CB759954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 053FDFA0, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.380541453.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2ed419dbbafb2e1b6084309eb4e6804ea10fece94496a7adaf68e451139d6eb
Instruction ID: 014e9eaadc2f90593448375d12bbda7aee1b049864ee2f9fdaed3dbfc077bd92
Opcode Fuzzy Hash: b2ed419dbbafb2e1b6084309eb4e6804ea10fece94496a7adaf68e451139d6eb
Instruction Fuzzy Hash: 3671E4707042009FC714EF29D881A6AB7E6FF89314B1585AAE509CF7A5DF31EC06CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 08D44088, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.383356272.0000000008D40000.00000040.00000001.sdmp, Offset: 08D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9b3f68f9051d537a9b4c45c8852b1fa52cc0cfe9b7cd76ced1c8cca181cf55c
Instruction ID: b764fafa4d4e82983d90cbe30a657c3b172e31229c1b046eeec1381b438d476a
Opcode Fuzzy Hash: b9b3f68f9051d537a9b4c45c8852b1fa52cc0cfe9b7cd76ced1c8cca181cf55c
Instruction Fuzzy Hash: 77518E74B05214CFDB60CF24E8597AD7BB6AF45341F0049A9E54AAB381CF718EC18F09

Uniqueness

Uniqueness Score: -1.00%

Function 053FDF90, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.380541453.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 106caed1a46fd07924aa57077892f6f49bca9af3048a3d865a9af14b037cb5f5
Instruction ID: 2036f8393cb8b237764ff2b67f486329c7d3881197b5b80ff842f715dec0c83c
Opcode Fuzzy Hash: 106caed1a46fd07924aa57077892f6f49bca9af3048a3d865a9af14b037cb5f5
Instruction Fuzzy Hash: 63418A70600600CFCB54EF29E88496ABBF6FF8931475185AAE519DF366DB31EC06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BAD4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.374063788.0000000000BAD000.00000040.00000001.sdmp, Offset: 00BAD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4da9d1679b01f71dbf19dc4589e193a7138a6c216a7202163e07375a3f08d87c
Instruction ID: 2eded1e54178519937af25af0571632a99a45b208b8cd54d28c7874d4de04a2a
Opcode Fuzzy Hash: 4da9d1679b01f71dbf19dc4589e193a7138a6c216a7202163e07375a3f08d87c
Instruction Fuzzy Hash: 00212871908200DFDB05CF14D9C4B1ABBA5FBA9328F2485A9D8064B756C336D846DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BAD4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.374063788.0000000000BAD000.00000040.00000001.sdmp, Offset: 00BAD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d004d151982520d82b782d4735647871151bc0f40ac205a76a03d9cb8f3c13
Instruction ID: e453dce78cc9e835ce4e7dfa207878066d25c34438101eab776121cea5b980aa
Opcode Fuzzy Hash: 99d004d151982520d82b782d4735647871151bc0f40ac205a76a03d9cb8f3c13
Instruction Fuzzy Hash: F911D676904240CFCB11CF14D5C4B16BFB1FB95324F2486A9D8050B656C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 053FE1E0, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.380541453.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b587423239793abb6a938ac770a89a6337ea8542f3e53c66cc27d26078efde20
Instruction ID: 4550a9bd844e5e88cf9a17a3e9ea847c01953e0ba0e3fe77dbf8c2d21c19dce0
Opcode Fuzzy Hash: b587423239793abb6a938ac770a89a6337ea8542f3e53c66cc27d26078efde20
Instruction Fuzzy Hash: 70E0122130421C17E718656A5856B6BA5CEDBC6A54F15857EA50EDB781CC65CC0202E1

Uniqueness

Uniqueness Score: -1.00%

Function 053FE560, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.380541453.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Uniqueness

Uniqueness Score: -1.00%

Function 08D42CA7, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.383356272.0000000008D40000.00000040.00000001.sdmp, Offset: 08D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9de8cb66fed749e836d55b63559eebc0d5d496476f24ca15cf19506e17a4db4
Instruction ID: f0238b3518ee2399716ec141cdc7e4f1afa90d37f6916f2fc2f5d2dc1018d114
Opcode Fuzzy Hash: e9de8cb66fed749e836d55b63559eebc0d5d496476f24ca15cf19506e17a4db4
Instruction Fuzzy Hash: 1AD0CA30904169CBCB61CA08C889BDEBB36FB48385F008991E00AA2240CA70AE82CF00

Uniqueness

Uniqueness Score: -1.00%

Function 053FE559, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.380541453.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a31895e8467c4dcde68c49db7c1b7f965f714f7e8c8f2a3a92b88b18dfe3b73
Instruction ID: 46ddb7f58e844c51fb1c9956fb908abd09d979c6bb7b1aac2fde9945682752d2
Opcode Fuzzy Hash: 1a31895e8467c4dcde68c49db7c1b7f965f714f7e8c8f2a3a92b88b18dfe3b73
Instruction Fuzzy Hash: 03C08CB60040885BC300CBA4D6A2596BF116E9226CB4A408EC84A0B003C3264222EB15

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 053F1CDC, Relevance: 2.0, Strings: 1, Instructions: 749COMMON

Download Yara Rule

Strings

(, xrefs: 053F68D1

Memory Dump Source

Source File: 00000001.00000002.380541453.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: a231fc2dfb15805ccf28be35504a41e82a83dc4ee53bfbad2692b7462fcb3ad7
Instruction ID: ef784a096a9d1e4748c7f0b8299c2dca8b3c7fa8569144a29d636fe4b84304b1
Opcode Fuzzy Hash: a231fc2dfb15805ccf28be35504a41e82a83dc4ee53bfbad2692b7462fcb3ad7
Instruction Fuzzy Hash: F0625E30A002198FCB64DF24C895BEAB7B2FF48304F1485E9D55A9B395DB74AE86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 053F1D0C, Relevance: .9, Instructions: 871COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.380541453.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a6bab6e0118f78f859f0c56c42ffb0ef0153c2a99b66b40bf3aeae47ae7833b
Instruction ID: dd2b0caa940375b4b52f060c350c33ba4892458383c3e4f16cdee99c87f6a5e4
Opcode Fuzzy Hash: 4a6bab6e0118f78f859f0c56c42ffb0ef0153c2a99b66b40bf3aeae47ae7833b
Instruction Fuzzy Hash: 52822C30A00215CFDB24DB68C894BAEB7B2FF85304F1585E9D54AAB7A1DB70AD85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 053F3A80, Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.380541453.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33c420695d3b3d67474baee746b0ff4b1fad91511b8698061e3cc3dfd9c0809f
Instruction ID: 199a6a60c8655ca51809db67489478a37d19892baaffa50c9e05d7b7c989d2b7
Opcode Fuzzy Hash: 33c420695d3b3d67474baee746b0ff4b1fad91511b8698061e3cc3dfd9c0809f
Instruction Fuzzy Hash: 6DE1AE31B10604DFDB15DB68C498BAEBBF7FF85300F148969E1569B2A0DFB4A845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 053F3A70, Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.380541453.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dcbb74a36724f4407813f803a92c692d3582a7a56ccd23e71d29c90b734ac18
Instruction ID: 2ae9dbbe8aaab9ca34ad03d5034b905e6ec4bd84aa2f17600d45a1279a7327a1
Opcode Fuzzy Hash: 5dcbb74a36724f4407813f803a92c692d3582a7a56ccd23e71d29c90b734ac18
Instruction Fuzzy Hash: 73D1AF31B10604DFEB15DB64C498BEEBBF2FF85300F148969E1569B2A0DBB4A845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 053F2580, Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.380541453.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b551a3a69767748b8b370b1d9030fffa6484191eaf321950b8762356cc87a356
Instruction ID: 1ed4ef2d39048cd481b9ea86645c95d69aed03f04b7cc533d281528e95feb7c6
Opcode Fuzzy Hash: b551a3a69767748b8b370b1d9030fffa6484191eaf321950b8762356cc87a356
Instruction Fuzzy Hash: D2C15E34704600CFDB24DB28D884BBEB7E7BB89710F14856AE15ADB395CBB4E841CB55

Uniqueness

Uniqueness Score: -1.00%

Function 08BF5560, Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.383279979.0000000008BF0000.00000040.00000001.sdmp, Offset: 08BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d0724d94f13b5799a2b6d53a7893324b8ada950b2dfb38b2f4466fab46d9b0
Instruction ID: 4bbff3bdafa3d69777e3c4cda4c5a7efff659af1cbcd1992adf41a4572aa4e89
Opcode Fuzzy Hash: b2d0724d94f13b5799a2b6d53a7893324b8ada950b2dfb38b2f4466fab46d9b0
Instruction Fuzzy Hash: AFA14971E046299FCB25CB98C8806ADFBF1FF88306F1486A9D565E7206D730AD46CB94

Uniqueness

Uniqueness Score: -1.00%

Function 08BF5552, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.383279979.0000000008BF0000.00000040.00000001.sdmp, Offset: 08BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afb7277c5c39b4b2f370ee61b0b77ecc7e7b204045d6bb38ee7c3a2239659279
Instruction ID: 7037b712790cbdc3a7538a2021912de954df0ecffb2e5aee69cc9887ce942098
Opcode Fuzzy Hash: afb7277c5c39b4b2f370ee61b0b77ecc7e7b204045d6bb38ee7c3a2239659279
Instruction Fuzzy Hash: F5713B71E0462ADFCF24CBA9C8806ADFBF1FF48305F148669D565E7206D734A946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 053FB078, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.380541453.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa8db81dfb45a26e3d7b524e4a3983b4ce5d368e7c1a2c2cb134c3a4a8e59d3
Instruction ID: c71c8271e27e34353e47ad4a33b86f2a0bf5f0b78ef94980eda8251ddbb5096c
Opcode Fuzzy Hash: baa8db81dfb45a26e3d7b524e4a3983b4ce5d368e7c1a2c2cb134c3a4a8e59d3
Instruction Fuzzy Hash: EE614AB0A14604CFD748EF6AE85568ABFF3EFD9304F04C469E1059B2A9EF714946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 053FB088, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.380541453.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ff2d787da6ba26d038224d774156e7de814c6bc3a5c444fa92d9ed86839db9
Instruction ID: 5d077f127e4bc69847c311011f53781d5ead77e27c7019db5a86d6b35e65394d
Opcode Fuzzy Hash: 93ff2d787da6ba26d038224d774156e7de814c6bc3a5c444fa92d9ed86839db9
Instruction Fuzzy Hash: EF614BB0A14604CFD748EF6AE85568ABFF3EFC9304F04C469E1059B269EF715946CB90

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe PID: 7008 Parent PID: 5748 ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exeCOMMON

Executed Functions

Function 02A0693F, Relevance: 6.1, APIs: 4, Instructions: 146threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02A069E0
GetCurrentThread.KERNEL32 ref: 02A06A1D
GetCurrentProcess.KERNEL32 ref: 02A06A5A
GetCurrentThreadId.KERNEL32 ref: 02A06AB3

Memory Dump Source

Source File: 00000017.00000002.476101726.0000000002A00000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 259cef65e08902ef0aa5faea923d0d96e587f5f8cadde55e776aa3331db5ddf8
Instruction ID: 7652be1f628e80d1179861e5e710de433c8a4da067a283f3fa15d6a0e23db9e0
Opcode Fuzzy Hash: 259cef65e08902ef0aa5faea923d0d96e587f5f8cadde55e776aa3331db5ddf8
Instruction Fuzzy Hash: 9A5187B0D042458FDB04CFA9E9897DEBBF0FF59308F14849AE049A7690DB349885CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02A06980, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02A069E0
GetCurrentThread.KERNEL32 ref: 02A06A1D
GetCurrentProcess.KERNEL32 ref: 02A06A5A
GetCurrentThreadId.KERNEL32 ref: 02A06AB3

Memory Dump Source

Source File: 00000017.00000002.476101726.0000000002A00000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 920a7d91be7a93ac78d47ddcb39759580cd9cd594a6f8ffe0453f1c680a774b7
Instruction ID: e97b23b522a34025d478ed4257dd328fa015101d2721f8b475a49fee9a492b13
Opcode Fuzzy Hash: 920a7d91be7a93ac78d47ddcb39759580cd9cd594a6f8ffe0453f1c680a774b7
Instruction Fuzzy Hash: 475144B0E006498FDB14CFAAE5887DEBBF4BF88318F248459E019A7790DB745884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02A050C6, Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02A051E2

Memory Dump Source

Source File: 00000017.00000002.476101726.0000000002A00000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7799879e6da5e7f9108f4133763a4209f0e5158ace095f9262bc532b3fb55089
Instruction ID: 7b9470a72ccf68b88e8d5f219a716073b7e13e0c238f9b5198129c1b155b3dfc
Opcode Fuzzy Hash: 7799879e6da5e7f9108f4133763a4209f0e5158ace095f9262bc532b3fb55089
Instruction Fuzzy Hash: 5151CEB1D00349DFDB14CFA9D984ADEBBB1BF48314F64812AE819AB250DB749885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02A050D0, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02A051E2

Memory Dump Source

Source File: 00000017.00000002.476101726.0000000002A00000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 1b2f43a41fec34fcad5588fdb059559a91b0fea14baf293880fa7de01bd1004d
Instruction ID: d7606c3ac59f1b5aef287fc3c2cb7e835742218776b53b6d6c32c9cca672b24e
Opcode Fuzzy Hash: 1b2f43a41fec34fcad5588fdb059559a91b0fea14baf293880fa7de01bd1004d
Instruction Fuzzy Hash: 3E41B1B1D103099FDB14CF99D884ADEBBB5BF48314F64812AE819AB250DB749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02A077C0, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 02A07F49

Memory Dump Source

Source File: 00000017.00000002.476101726.0000000002A00000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 7377c360cc69cd5d3542a317a7e0408b9aeafd469d51eb074acafe553fa6a9aa
Instruction ID: 0c40fbe5121bc53348837728ddebea1cd7490fe50463081068fe263df747327b
Opcode Fuzzy Hash: 7377c360cc69cd5d3542a317a7e0408b9aeafd469d51eb074acafe553fa6a9aa
Instruction Fuzzy Hash: D84129B5A00205CFDB14CF59D888AAAFBF5FF88314F148499E519AB361CB74A841CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A0C1C9, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 02A0C252

Memory Dump Source

Source File: 00000017.00000002.476101726.0000000002A00000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 81bcc408191d9556336b20afd31008dd984ace165fd62afea3f08b9666521c96
Instruction ID: 0a76d5b7524989afd6a496a9792e81420873f7470e7775092d012bbeb6fdd018
Opcode Fuzzy Hash: 81bcc408191d9556336b20afd31008dd984ace165fd62afea3f08b9666521c96
Instruction Fuzzy Hash: 9B3108B08053858FE710EFA9E58939EBFF0FB0A314F14855AD049A7685CB785905CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02A06BA2, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02A06C2F

Memory Dump Source

Source File: 00000017.00000002.476101726.0000000002A00000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 23fd824e59ae41558fc0120b2340a2ba25d8224cc1a492bd99b549936ad9cbb5
Instruction ID: f49ad334aa60be9dacb622daa9d645609e158edb6672b34baa0730cbf34bf4a2
Opcode Fuzzy Hash: 23fd824e59ae41558fc0120b2340a2ba25d8224cc1a492bd99b549936ad9cbb5
Instruction Fuzzy Hash: 152112B5D002099FDB10CFA9D484AEEBBF4EB48324F14802AE814A7310C774A954CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02A06BA8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02A06C2F

Memory Dump Source

Source File: 00000017.00000002.476101726.0000000002A00000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: dd1df0f7eecf25b3c61463bffb54189d605801940a880a937b1027b4114e9463
Instruction ID: 5ea3bcdbd1e9b3b22f2bcadb9aee63daca5880514837a96c315c8d83457bad45
Opcode Fuzzy Hash: dd1df0f7eecf25b3c61463bffb54189d605801940a880a937b1027b4114e9463
Instruction Fuzzy Hash: D721D3B5D002099FDB10CFAAD984ADEBBF8FB48324F14841AE914B7350D774A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02A0C1D8, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 02A0C252

Memory Dump Source

Source File: 00000017.00000002.476101726.0000000002A00000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: e53f49248da2f81cdd7324ea97b258c181f38cb4e2bafb10ba5ddfd65209d504
Instruction ID: 4dd51917f19900f63ba755e044bc9573aa0ea6e540b9d9c604efc829a0799589
Opcode Fuzzy Hash: e53f49248da2f81cdd7324ea97b258c181f38cb4e2bafb10ba5ddfd65209d504
Instruction Fuzzy Hash: DE11AFB1D003058FDB10EFA9E5487DEBBF4FB49724F10812AD409A7A44DB789944CFA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: EnhancementRadio.exe PID: 7104 Parent PID: 3388 EnhancementRadio.exeCOMMON

Executed Functions

Function 01096E51, Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 01096EC0
GetCurrentThread.KERNEL32 ref: 01096EFD
GetCurrentProcess.KERNEL32 ref: 01096F3A
GetCurrentThreadId.KERNEL32 ref: 01096F93

Memory Dump Source

Source File: 00000018.00000002.475259301.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: cd1107b02944627a7a2c78369e83130b89edbea72fe682c5eb1c2c8920c118db
Instruction ID: a8457cbd234065b0f9f457b48fb39899ed9965f3b599996ecacdb624b40c3178
Opcode Fuzzy Hash: cd1107b02944627a7a2c78369e83130b89edbea72fe682c5eb1c2c8920c118db
Instruction Fuzzy Hash: 475164B0D046498FDB18CFA9C6487DEBBF0BF48304F248059E059A7760D7755844CF66

Uniqueness

Uniqueness Score: -1.00%

Function 01096E60, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 01096EC0
GetCurrentThread.KERNEL32 ref: 01096EFD
GetCurrentProcess.KERNEL32 ref: 01096F3A
GetCurrentThreadId.KERNEL32 ref: 01096F93

Memory Dump Source

Source File: 00000018.00000002.475259301.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 25505ca8bce80b579d1e69ac0f22990e437462f17f5fb040bd4cd3c3285c5fa4
Instruction ID: 46c1a734c5aed165bc201ed0e59bd1084016eb8b9925b8b1f1bf1e2334fa34f2
Opcode Fuzzy Hash: 25505ca8bce80b579d1e69ac0f22990e437462f17f5fb040bd4cd3c3285c5fa4
Instruction Fuzzy Hash: 695164B0D04649CFDB18CFAAC548BDEBBF0AF88314F208459E019A7790D7755884CF66

Uniqueness

Uniqueness Score: -1.00%

Function 010953DC, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01095499

Memory Dump Source

Source File: 00000018.00000002.475259301.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ebc94208597f80490f3a6ace211827ee97d5fcfad26b4d172375410b6109e29c
Instruction ID: 2e0b603c587807f7352f24ac1853463d98689ffff7d84003a87caf3f23103b89
Opcode Fuzzy Hash: ebc94208597f80490f3a6ace211827ee97d5fcfad26b4d172375410b6109e29c
Instruction Fuzzy Hash: F141F371D0461DCFDB25CFAAC8847CEBBB5BF48308F20806AD409AB251DBB55945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01093EDC, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01095499

Memory Dump Source

Source File: 00000018.00000002.475259301.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3cbf937589b81efd7730063e787d5463cdf07c09ed8a650034d4d54f88deedd8
Instruction ID: 3fb7036acdf524bc155c8d8e07f81ae240746588af5f64ed6bbc00c817ef9d50
Opcode Fuzzy Hash: 3cbf937589b81efd7730063e787d5463cdf07c09ed8a650034d4d54f88deedd8
Instruction Fuzzy Hash: 7741E271D0461CCFDB25DFAAC894BCEBBB5BF48308F20806AD449AB251DBB55949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0109748B, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01097517

Memory Dump Source

Source File: 00000018.00000002.475259301.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 07ce898c68c633787198152c7c9d6678fc453a736c47b32c0d337c6e2e480807
Instruction ID: 4f6d5b5d6590fde041d150f99cd50c21a5ff488700ba82882a61f9c0ef4cc52d
Opcode Fuzzy Hash: 07ce898c68c633787198152c7c9d6678fc453a736c47b32c0d337c6e2e480807
Instruction Fuzzy Hash: 0D21E0B5D002499FDB50CFAAD884AEEBBF4FB48324F14841AE914A7310D374AA54CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01097490, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01097517

Memory Dump Source

Source File: 00000018.00000002.475259301.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5b6dfb1a542d56985ced29650f1557c8b0c7bba1b85381e39f4774d8e1c4b16d
Instruction ID: 1d6a0ed72b74c12ebc6cd47d40f8706e88cc5301c9c0d84984326ab61f88aced
Opcode Fuzzy Hash: 5b6dfb1a542d56985ced29650f1557c8b0c7bba1b85381e39f4774d8e1c4b16d
Instruction Fuzzy Hash: 1121C2B5D002499FDB10CFAAD884ADEBBF8FB48324F14841AE954A7310D774A954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0109A749, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0109A5A9,00000800,00000000,00000000), ref: 0109A7BA

Memory Dump Source

Source File: 00000018.00000002.475259301.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f28c2fdad892a34fb4d0a877a00239cae874948736de247e65cd4affbfbce686
Instruction ID: db03f569eafe819bdf2c26ba4acb1d9bdbe889f63b40b4525749af7ba9fe2294
Opcode Fuzzy Hash: f28c2fdad892a34fb4d0a877a00239cae874948736de247e65cd4affbfbce686
Instruction Fuzzy Hash: B61103B69002098FDB10CFAAD844ADEFBF4EB88324F14842AD955A7600C775A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 08877CA8, Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 08877D1C

Memory Dump Source

Source File: 00000018.00000002.500218148.0000000008870000.00000040.00000001.sdmp, Offset: 08870000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c4ed37131c4347a862480f9f7e71dd0f08a10f377d3a300bd4e248107e8fec96
Instruction ID: e9fced67c6ddb60523b97bb23468e57a6e208f4515721a970d42e676dc6b7851
Opcode Fuzzy Hash: c4ed37131c4347a862480f9f7e71dd0f08a10f377d3a300bd4e248107e8fec96
Instruction Fuzzy Hash: A2112471D002088FCB10DFAAC884BEEFBF4EF48324F14882AD419A7600CB74A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01099638, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0109A5A9,00000800,00000000,00000000), ref: 0109A7BA

Memory Dump Source

Source File: 00000018.00000002.475259301.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8a66fb1c13229644dc304099e1cd0d596e6f87f3a639d0eab3ff0944b957692c
Instruction ID: 9c7cdad009eed578edbea48f0f3bfb77afe82d0e60812ca769e494c8c11428df
Opcode Fuzzy Hash: 8a66fb1c13229644dc304099e1cd0d596e6f87f3a639d0eab3ff0944b957692c
Instruction Fuzzy Hash: D611F4B5D00209CFDB14CF9AC844ADEFBF4EB48320F04842AE556A7600C775A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 08877E78, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 08877EDA

Memory Dump Source

Source File: 00000018.00000002.500218148.0000000008870000.00000040.00000001.sdmp, Offset: 08870000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 53b57bbba7f7aa219bf5eca40710a6a8d57832705273086fccae82d4bd54aed0
Instruction ID: 8f9db8dc343971a1de76b72d77b005449cb1482d9645f8386b2e738e6845449f
Opcode Fuzzy Hash: 53b57bbba7f7aa219bf5eca40710a6a8d57832705273086fccae82d4bd54aed0
Instruction Fuzzy Hash: 8A112571D002498FCB10DFAAC8447EFFBF9AB88324F14882AD519A7640CB75A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0109A4C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0109A52E

Memory Dump Source

Source File: 00000018.00000002.475259301.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4f8c3295eec45133679726201174dbe27ad9634101632d2c5e37fc1a6e7ecac0
Instruction ID: 634f6db00a0207ec1c7ca4564f12ac1e76c20efda97e3a3b7abe78cea3253662
Opcode Fuzzy Hash: 4f8c3295eec45133679726201174dbe27ad9634101632d2c5e37fc1a6e7ecac0
Instruction Fuzzy Hash: 71110FB2E002098FDB10CF9AD444BDEFBF4EB88324F10841AD859A7600D378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0109A4C3, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0109A52E

Memory Dump Source

Source File: 00000018.00000002.475259301.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a37ca965d76509ad1d24e9255a826215b25f9a98e11903368ae561600ca4574c
Instruction ID: 89c38a732edf8487ba4d86f9b5b89a9bc8c3e69be5c4104b48ea51adfe552d4a
Opcode Fuzzy Hash: a37ca965d76509ad1d24e9255a826215b25f9a98e11903368ae561600ca4574c
Instruction Fuzzy Hash: CA11F0B1E002098FDB10CF9AD444BEEFBF4AB88324F10852AD459A7610C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08725940, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9171b7b71ea5041cc506963de89f2288119cfdf19619702de7a8f001b4824969
Instruction ID: fb19327ff005270883a3bb1804c378e34c7e3b12060d37b189dbd5ab12c6e605
Opcode Fuzzy Hash: 9171b7b71ea5041cc506963de89f2288119cfdf19619702de7a8f001b4824969
Instruction Fuzzy Hash: 0541D430A14224DFCB54DF68E4897AEBBF2FF48316F108469E45297398DB749C42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 087258D0, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c197c078ff7fb272adab8c7b9034044d34589018d198651ec9819a9b99c05846
Instruction ID: 136acc7ad3ebad3c5a1deb71fc7cc4d11a2b929e35793d012699c7905b3ad41f
Opcode Fuzzy Hash: c197c078ff7fb272adab8c7b9034044d34589018d198651ec9819a9b99c05846
Instruction Fuzzy Hash: A341F830A14214DFCB54DF68E0857ADBBB1FF44316F1085AAE442DB299CB319D42CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08725930, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c4ff350c639d89bd1d00d9a3881103bdaacf1d0bc884780939368843c3dcd7a
Instruction ID: 61280411327177005fb2609c1b62753629095b3b648872bd6a347db387d2e06f
Opcode Fuzzy Hash: 5c4ff350c639d89bd1d00d9a3881103bdaacf1d0bc884780939368843c3dcd7a
Instruction Fuzzy Hash: 6641FA30A14214DFDB94DF64E4897AEBBB2FF44312F108469E452A7698DB745C42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FBD4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.475048196.0000000000FBD000.00000040.00000001.sdmp, Offset: 00FBD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b9d8235256ceec3413cebbce64c1d0ba38a855e86a3497c696fa4ec7fb67f60
Instruction ID: e10e73039ef985c7b28a44605bd0a1520499c9ea110a5d82d5de3329db66df80
Opcode Fuzzy Hash: 9b9d8235256ceec3413cebbce64c1d0ba38a855e86a3497c696fa4ec7fb67f60
Instruction Fuzzy Hash: 2C2125B2904200DFDB15CF14D9C0B9ABB65FB98328F288569E8054B246D336D846EFA3

Uniqueness

Uniqueness Score: -1.00%

Function 00FBD3EC, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.475048196.0000000000FBD000.00000040.00000001.sdmp, Offset: 00FBD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8250025c04b4cef9698a031f72eb44927145f8c7d9af7ac8d47a39135a02dc5a
Instruction ID: 5a65f777b36f5f85cb48719e75e8d20687121b34e761cf21acfd2e6194a77758
Opcode Fuzzy Hash: 8250025c04b4cef9698a031f72eb44927145f8c7d9af7ac8d47a39135a02dc5a
Instruction Fuzzy Hash: C72128B2904200DFDB05DF15D9C0BA7BB65FB94324F24C569D9090B646D336E846EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.475093160.0000000000FCD000.00000040.00000001.sdmp, Offset: 00FCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab33c85da6e4776892dfe63075640456e2ab4e39d50bdb1e63fef4e828524c92
Instruction ID: cece503370238767dcb7a8d7c093b975e5aef12c26f16bd299504222f20dd42c
Opcode Fuzzy Hash: ab33c85da6e4776892dfe63075640456e2ab4e39d50bdb1e63fef4e828524c92
Instruction Fuzzy Hash: D721F171944200DFDB14CF18D6C5F1ABB65FB84324F20C97DD80A4B24AC336D846EA61

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.475093160.0000000000FCD000.00000040.00000001.sdmp, Offset: 00FCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71f1fb48e21ed790771a8446ce8b8a896a07309ead441f25f27faf52b4ce5150
Instruction ID: 9707cfdd882a66d618c1f9d18f2ebadfe87746183f36a135604e00a1845264d0
Opcode Fuzzy Hash: 71f1fb48e21ed790771a8446ce8b8a896a07309ead441f25f27faf52b4ce5150
Instruction Fuzzy Hash: FF2137B1904201EFDB05CF14DAC1F6ABB65FB84324F24C97DD8094B341C336D846EA61

Uniqueness

Uniqueness Score: -1.00%

Function 08AA05CB, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500246740.0000000008AA0000.00000040.00000001.sdmp, Offset: 08AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4a9f3844f12dcc9a3c994e41c247a4394172a95da88205e27d3e8f1d9385b9a
Instruction ID: 966f78456a2185d9afb491d10dca5f2ba10146a1c8e5f36b9d707ae3949e8354
Opcode Fuzzy Hash: a4a9f3844f12dcc9a3c994e41c247a4394172a95da88205e27d3e8f1d9385b9a
Instruction Fuzzy Hash: 5B21BD30A04658CFC710DF68C888AAEBBF5EF48306F0441E8E54A9BB66CB388D01CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.475093160.0000000000FCD000.00000040.00000001.sdmp, Offset: 00FCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a68f0ae2667dda54d9c6d50a26379b292870694f606d92de9e4e258989a6ee
Instruction ID: a30944d63e8aa57de9eea3c076f64aac8476f2427e5d551ffa43e806c304b9cf
Opcode Fuzzy Hash: c3a68f0ae2667dda54d9c6d50a26379b292870694f606d92de9e4e258989a6ee
Instruction Fuzzy Hash: D8217F755493808FCB02CF24D994B15BF71EB46224F28C5EED8498B697C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00FBD4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.475048196.0000000000FBD000.00000040.00000001.sdmp, Offset: 00FBD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d004d151982520d82b782d4735647871151bc0f40ac205a76a03d9cb8f3c13
Instruction ID: 9121d590d80c2bc462333ffbef09ef8af19109d5174f630ea896fa1d31a5fef8
Opcode Fuzzy Hash: 99d004d151982520d82b782d4735647871151bc0f40ac205a76a03d9cb8f3c13
Instruction Fuzzy Hash: 3411D376804280CFCB16CF14D5C4B56BF71FB94324F2886A9D8050B656C33AD85ADFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00FBD3E7, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.475048196.0000000000FBD000.00000040.00000001.sdmp, Offset: 00FBD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d004d151982520d82b782d4735647871151bc0f40ac205a76a03d9cb8f3c13
Instruction ID: 9bf46298941ecafce80dd6325312d00c91df22ae4e4305855cf4a2adaf939018
Opcode Fuzzy Hash: 99d004d151982520d82b782d4735647871151bc0f40ac205a76a03d9cb8f3c13
Instruction Fuzzy Hash: 9811D676804240DFCB05CF10D5C4B56BF71FB94324F24C5A9D8080B656C33AD45ADFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.475093160.0000000000FCD000.00000040.00000001.sdmp, Offset: 00FCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10598f41ecae80e3ed7eaa2e4d93e548ce5d2277042f09e11ef5a73a669a8393
Instruction ID: 7e6146c58940ebb98d0d3d24a4f5b339b2d84a9e0aef27efecc6c87fb1d7a4cb
Opcode Fuzzy Hash: 10598f41ecae80e3ed7eaa2e4d93e548ce5d2277042f09e11ef5a73a669a8393
Instruction Fuzzy Hash: 18118E75904280DFCB15CF14DAC4B59BB61FB84324F24C6AED8494B656C33AD84ADB61

Uniqueness

Uniqueness Score: -1.00%

Function 08AA05F3, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500246740.0000000008AA0000.00000040.00000001.sdmp, Offset: 08AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3cc98a9cc5f909fef0b34421453470a30b8c88bc6d7eedead1950a96de68e19
Instruction ID: 0f075d572566053d759bbf3f3f4ddca40cd36bc950fda8e27be283ed757fa1f2
Opcode Fuzzy Hash: c3cc98a9cc5f909fef0b34421453470a30b8c88bc6d7eedead1950a96de68e19
Instruction Fuzzy Hash: 3621F478A00618CFC720DF68C984A9ABBF1FF48316F159099E809AB355CB34ED41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 08722F5C, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c60c8d286c7411a858a73b48bfd0f4fce5fc8ddc61640833a93e909ed86dd4
Instruction ID: c916c537f1a7bcf2c880da572eb01fc80c395b9e3eb44576e2f0f747f1d948ba
Opcode Fuzzy Hash: 90c60c8d286c7411a858a73b48bfd0f4fce5fc8ddc61640833a93e909ed86dd4
Instruction Fuzzy Hash: AC014C75E10221CFEB08EF65C9442ADB7B1BF48342B448069D907A775AEB30ED02CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 087230D0, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa9c1d9b1460e6b05ebdc9ca41883fe34e6fc5765f52b0c3a8da0caa5782eb54
Instruction ID: 7114d860915bbebc480d8694667370e41edb0b0f3e6524d6d48c40a7683d4e51
Opcode Fuzzy Hash: fa9c1d9b1460e6b05ebdc9ca41883fe34e6fc5765f52b0c3a8da0caa5782eb54
Instruction Fuzzy Hash: 36016276D10125CBEB049B50C9442ADF7B1FF44312F09806DC916E774AEB34ED03CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 08722AAA, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea396c9b54c181b24d8b97972290c114ccbd2e600a7f396fb4a872ff818a627
Instruction ID: 8c167cde535d2395ce5d731d47793e27c26b99795f566b3b39b91fa2e548fbe1
Opcode Fuzzy Hash: dea396c9b54c181b24d8b97972290c114ccbd2e600a7f396fb4a872ff818a627
Instruction Fuzzy Hash: 2A01F635D24225CBEB14DB91C94429DFBB1BF44302F05806DC90AA764ADB34ED038AA1

Uniqueness

Uniqueness Score: -1.00%

Function 08724F10, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af6f5eee7e688bebe3065e155bce07d831be3e352d02af12d14f9a3ba365c83
Instruction ID: f5fdb268b4a25a9ee536f7898eb1a86d7b4cbf7fec598372512a110de8c4e600
Opcode Fuzzy Hash: 3af6f5eee7e688bebe3065e155bce07d831be3e352d02af12d14f9a3ba365c83
Instruction Fuzzy Hash: 11F0B43560A34CAFC711DBB8C95085ABFF4EF46110B1985EEE549CB322EA729E01C792

Uniqueness

Uniqueness Score: -1.00%

Function 08723443, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3061c4a6eb71a42bd53ea51186841046d5301166235d30ae40b77f0cd3561c8b
Instruction ID: 3c5024a6c6903aeada450adc6e2c90ccdcea7bfb9cbf976ba571fc38c9116c59
Opcode Fuzzy Hash: 3061c4a6eb71a42bd53ea51186841046d5301166235d30ae40b77f0cd3561c8b
Instruction Fuzzy Hash: DFF062749192A19FC7065B34D519510FF62BF8A61231C9BCDD1D80F67BC22598C0CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 08AA2622, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500246740.0000000008AA0000.00000040.00000001.sdmp, Offset: 08AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50de67f892aaf728219b291505644ec41230532a5677a64cff4106909609cbfc
Instruction ID: 49d5922e69d3eff8bc91e2ad45f95b3a795f9c73226c19bb0a5fd0f20445274b
Opcode Fuzzy Hash: 50de67f892aaf728219b291505644ec41230532a5677a64cff4106909609cbfc
Instruction Fuzzy Hash: 1E01FB75900568CFEB20DB54CD847EAB7B1EB48312F0050A9D54DA7B95CB785E82CF51

Uniqueness

Uniqueness Score: -1.00%

Function 08AA00D9, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500246740.0000000008AA0000.00000040.00000001.sdmp, Offset: 08AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 642d74ffc37ae6e305854b5390b8c3c10ed1c5383d46700dde3be7657e8425f0
Instruction ID: 1ad0ec786e7be4679defb58b32044c8319af520a8b5923f80f33b8a4c02d8823
Opcode Fuzzy Hash: 642d74ffc37ae6e305854b5390b8c3c10ed1c5383d46700dde3be7657e8425f0
Instruction Fuzzy Hash: 28F0223AA04104CFEB20CB55D8423DDBB31EB48726F25116AD91AA3B82C7784D82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0872347F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e35fd72cd58ebb290a43386a1d7b0270252ff9c523d4176694e8c12bbc58234
Instruction ID: e20db3645e0e0a0e605cb5babd8d8990fb763005027768a81ff03a8789500ba1
Opcode Fuzzy Hash: 5e35fd72cd58ebb290a43386a1d7b0270252ff9c523d4176694e8c12bbc58234
Instruction Fuzzy Hash: 4CF0A0A24592D0CFC7268FB0AA55AA07FB0AE1261630A45DFD8488F273D72CD8058321

Uniqueness

Uniqueness Score: -1.00%

Function 08723E41, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d57ff166c5898e57f94daae1d8c759494665116edaf4e1417a3f3aa49f16bf2a
Instruction ID: cb3cf34b1c9467acc36fe5bad43d6132bfca2740d76f94abf69e3fbeff2b3ac6
Opcode Fuzzy Hash: d57ff166c5898e57f94daae1d8c759494665116edaf4e1417a3f3aa49f16bf2a
Instruction Fuzzy Hash: BFE086711042D46FC305CF99C911DA5BFBC9F4A120709808FF958CF292C579DE02D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 08722848, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0525615dc2eb1238a7b69abde4264721ff3c0b9bc327d4fb4bbb02a8371c549
Instruction ID: 4dbbc9c7583f863ca022dc06ac6364eba3fc9724c8ff287f2b540325841073e4
Opcode Fuzzy Hash: a0525615dc2eb1238a7b69abde4264721ff3c0b9bc327d4fb4bbb02a8371c549
Instruction Fuzzy Hash: FCE0C23160A3850FC316CA98C892961BFA8CF87215724C4AED449CB673C936E802C751

Uniqueness

Uniqueness Score: -1.00%

Function 08723E50, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61cb6eb0c2bb6e897218618b6b5390077a8f722db0d7936c049c9ac793e91f32
Instruction ID: bb559cd9e63285f842ffa59cec69cfb130f4eb354ed15726ef19bdad66fad4c8
Opcode Fuzzy Hash: 61cb6eb0c2bb6e897218618b6b5390077a8f722db0d7936c049c9ac793e91f32
Instruction Fuzzy Hash: 63D05E322041686F8300CA89C810CB6BBEC9A8D120708C05BB958C7241C976ED0287A0

Uniqueness

Uniqueness Score: -1.00%

Function 087258B0, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a76e1893f8e7a02320e2737137b0747f7a7fc1b9a17fad849f99c52d66805ef
Instruction ID: c19d1b7a27503c602fa86c3b25197916fd42bf2fb7dfdadb9a6cd9ab2b2a9199
Opcode Fuzzy Hash: 2a76e1893f8e7a02320e2737137b0747f7a7fc1b9a17fad849f99c52d66805ef
Instruction Fuzzy Hash: 73D05E3340A2899ECB0397A0DA0108C7FB49E0210570801DBD11CDBA22D632896897D2

Uniqueness

Uniqueness Score: -1.00%

Function 08724F52, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a12445d7e679b1ba86650806a1eaea5d22920989fd81a1b7cf04abeab5cb662
Instruction ID: 456d2119291c834214e7048b60f2ef6486e7d0f08fa07b896a7329420d9bcfc5
Opcode Fuzzy Hash: 9a12445d7e679b1ba86650806a1eaea5d22920989fd81a1b7cf04abeab5cb662
Instruction Fuzzy Hash: E7D05E3420E2C01FC306C768D951815BFB09F96154728C5AED88DCB363DA729C02C792

Uniqueness

Uniqueness Score: -1.00%

Function 08AAED30, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500246740.0000000008AA0000.00000040.00000001.sdmp, Offset: 08AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f3036f782cc94228579621552cb9f109df0dd564a182211a4e020d7edc5b76c
Instruction ID: 320669d842f425cc90448d3adc238b5017a36cf1dbab54e4f16fb09746e07bb5
Opcode Fuzzy Hash: 0f3036f782cc94228579621552cb9f109df0dd564a182211a4e020d7edc5b76c
Instruction Fuzzy Hash: 41D0C77691520CEB8B00EFF4C55045E77F9DF01515B5045A59905DB210ED319F1057D2

Uniqueness

Uniqueness Score: -1.00%

Function 08AAE870, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500246740.0000000008AA0000.00000040.00000001.sdmp, Offset: 08AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4748340a595da9213dd5c294046bcd1806bf8147cfedf040f5e41d9cc37f753
Instruction ID: 06958d952658e88d72cab9aeb3d26a6660f76995eeefa1d3671966608d339562
Opcode Fuzzy Hash: e4748340a595da9213dd5c294046bcd1806bf8147cfedf040f5e41d9cc37f753
Instruction Fuzzy Hash: ACD0C77590510CEB8B00EFF5C55045F77F9DF01515B1045A59905DB210ED319F1057D2

Uniqueness

Uniqueness Score: -1.00%

Function 08AAEB50, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500246740.0000000008AA0000.00000040.00000001.sdmp, Offset: 08AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d48ca5f13039e7d9abd033cba7c9a90857d81e7ad97d74c5fb60bedee6a98d
Instruction ID: c1bf0c6a67fe0f8514956237f97976f1849090dcd41d1b3af7b2d923490bf035
Opcode Fuzzy Hash: f8d48ca5f13039e7d9abd033cba7c9a90857d81e7ad97d74c5fb60bedee6a98d
Instruction Fuzzy Hash: 71D0C976D0520CEF8B00EFF9C91049EB7F9EF41615B1145E6A909DB210EE369F109BD2

Uniqueness

Uniqueness Score: -1.00%

Function 08725912, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fc91ef507e513ad3b00f60575a9bbd7a8d72c3ea2ed440023584920e408b731
Instruction ID: 9b910eeac6f29c2b96769d2334099438bd3a79bfd8ac6a6accdee9aae0a1ca95
Opcode Fuzzy Hash: 6fc91ef507e513ad3b00f60575a9bbd7a8d72c3ea2ed440023584920e408b731
Instruction Fuzzy Hash: DCD0C93414E2D05FC757876CE591448BFA19D9322472885EED4C9CF623C963991B8752

Uniqueness

Uniqueness Score: -1.00%

Function 0872354A, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf0481806a2a90347bc362a8f1852ce5db46dc6aaf54a21ccd6790984cfa44e
Instruction ID: 083df31a2c8bd873ca3fcaae2635d87c7425e3ce61676348585a38955b2621b2
Opcode Fuzzy Hash: 4cf0481806a2a90347bc362a8f1852ce5db46dc6aaf54a21ccd6790984cfa44e
Instruction Fuzzy Hash: A9D0923628A380AFE7128B64DE56F413F70AF06601F1A40C6F658EE9B3D275E854C795

Uniqueness

Uniqueness Score: -1.00%

Function 08722EFD, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d54d8354cad3a3f514b1c1ef9e62d930f25a5edd44d33b04129a1679ad81167
Instruction ID: 27256bf464a8ee889844c7d71c3d8e86a1eba100dfcc52d3618625a679be7b80
Opcode Fuzzy Hash: 9d54d8354cad3a3f514b1c1ef9e62d930f25a5edd44d33b04129a1679ad81167
Instruction Fuzzy Hash: 6CD09278604200CFDB44EB78C568A6E77E6EF482427140968E107EB7A4DE31AD00DB20

Uniqueness

Uniqueness Score: -1.00%

Function 08721CE0, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff19cac91fad29d7bc1d5ed900f3af632d50ae387277be3c01a767f32890d68c
Instruction ID: 39bbda11ae68e31ae95688bd8ad6c108567908db9d38b15b6c8307b5f3bd34e6
Opcode Fuzzy Hash: ff19cac91fad29d7bc1d5ed900f3af632d50ae387277be3c01a767f32890d68c
Instruction Fuzzy Hash: F7D05275A0E2C40EC743C37898908087F605B83128B0A80EEC0D8DF263CA22880ACB11

Uniqueness

Uniqueness Score: -1.00%

Function 08722858, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbcef5c395f5c673d87ed76c55c2f1c93d814102d17bdb09fc090918b690f88a
Instruction ID: 58c7e918dc9fc6e739d0296992eb27fcb8a7bf4254ad48f247067e0340e6a738
Opcode Fuzzy Hash: dbcef5c395f5c673d87ed76c55c2f1c93d814102d17bdb09fc090918b690f88a
Instruction Fuzzy Hash: A6C012313402095BD304CA88C842A22B3AADBC8614B14C079A808C7746DE36EC028694

Uniqueness

Uniqueness Score: -1.00%

Function 08AAEB90, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500246740.0000000008AA0000.00000040.00000001.sdmp, Offset: 08AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Uniqueness

Uniqueness Score: -1.00%

Function 08AAF050, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500246740.0000000008AA0000.00000040.00000001.sdmp, Offset: 08AA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Uniqueness

Uniqueness Score: -1.00%

Function 08724F60, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Uniqueness

Uniqueness Score: -1.00%

Function 08723558, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3cf73ecc0437b7ba418ab1aa0e16a313d668e98a5c47dae4f63aedb3a58e83
Instruction ID: 1559b7bb1d66cdfc4324202593fed40f7269f97be06a62174427e62a94373c76
Opcode Fuzzy Hash: 6b3cf73ecc0437b7ba418ab1aa0e16a313d668e98a5c47dae4f63aedb3a58e83
Instruction Fuzzy Hash: 8DC00235280208AFD7109A55DC46F457B68AB15B50F554091F7045F6A1C6A2E8109A98

Uniqueness

Uniqueness Score: -1.00%

Function 08722CB9, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f708399d3d9a6a42dc246854588be1f825879035ad949442e9ac258963729303
Instruction ID: 780cf59a725e9be4b69414d69da760b587dc39d841e693ed3901ce49cefbaa33
Opcode Fuzzy Hash: f708399d3d9a6a42dc246854588be1f825879035ad949442e9ac258963729303
Instruction Fuzzy Hash: 7CD0C934C15228CBDB10CBC0D848BACFBB2BB08302F14416AE806B7398C7349C40DE20

Uniqueness

Uniqueness Score: -1.00%

Function 08723498, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a6ab957ce08d52385e7afc24244fb9966b7f3d8c9628188d801a8f3da674fa
Instruction ID: 7ae5e81374000b9cd5253f179a0e38ffcddd4aff7415d77c798094d22579e9b6
Opcode Fuzzy Hash: 62a6ab957ce08d52385e7afc24244fb9966b7f3d8c9628188d801a8f3da674fa
Instruction Fuzzy Hash: FEC09B352802049FD3009755DD45F0177A8DB05B14F114090F20C4F2B1C652F8004644

Uniqueness

Uniqueness Score: -1.00%

Function 08720FF3, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e1e40b5ee2634bd95f4c32bc49b0579c8cea3156efa8dbad0691877c76b503
Instruction ID: 7eecba37bd4fa8824c7c38c988fbcbcd49942ed9768fda7016c154391bd3e17e
Opcode Fuzzy Hash: 63e1e40b5ee2634bd95f4c32bc49b0579c8cea3156efa8dbad0691877c76b503
Instruction Fuzzy Hash: 55C01234A10565CFD300EF54D44026F3772EF44311F11006895256B38ACA754D018FA1

Uniqueness

Uniqueness Score: -1.00%

Function 08721CF0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Uniqueness

Uniqueness Score: -1.00%

Function 08725B6A, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51f674b7bca5608b94f4103b0282fd8c257dbc3fe7253ae2a5261bbc7526fd21
Instruction ID: b730f80e4e58f790a4bd0b9695c6f45f179e07e6c61d31783308f67bb5f741fd
Opcode Fuzzy Hash: 51f674b7bca5608b94f4103b0282fd8c257dbc3fe7253ae2a5261bbc7526fd21
Instruction Fuzzy Hash: 34B0127F08574088C7120774B68308037208D0A02E32904DBC09C1CE70817FC0DC8132

Uniqueness

Uniqueness Score: -1.00%

Function 08725920, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Uniqueness

Uniqueness Score: -1.00%

Function 08725B70, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5244a3f563fe09c313a6bbc6185b33763c653fa12b7607cb8f0b647f2693eb0a
Instruction ID: 958d93914cadf1918629922e4eda8e7b48748dcfb4e0a30538dcc5de58b4497e
Opcode Fuzzy Hash: 5244a3f563fe09c313a6bbc6185b33763c653fa12b7607cb8f0b647f2693eb0a
Instruction Fuzzy Hash: BDA02230002F0C8282002BB8280002033AC0A0000C38008BA830C08F302AB3E0A080A8

Uniqueness

Uniqueness Score: -1.00%

Function 087258C0, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.500159213.0000000008720000.00000040.00000001.sdmp, Offset: 08720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fe76618ac7f2cfb3950f30560cf47bcf2df05dda96deb618887909f987be3f9
Instruction ID: fae7eab6656af983bd7ce219ce9131d2c9cb781b8648fad09ad9e1e6bb8d201c
Opcode Fuzzy Hash: 3fe76618ac7f2cfb3950f30560cf47bcf2df05dda96deb618887909f987be3f9
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01094291, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.475259301.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13e93283140b084be72e6c31bc2d62d0f625c3c595c9b040b84cd9bf30f72998
Instruction ID: 38b81df9e3ab31fd9cda7d9994fee49158c277afca1ae927cf1377f5b8a0ef71
Opcode Fuzzy Hash: 13e93283140b084be72e6c31bc2d62d0f625c3c595c9b040b84cd9bf30f72998
Instruction Fuzzy Hash: F011C630E08245DFCB45EBA8E81278E7FF1AF46208F108999D0419F7A5DB3D6A05DF91

Uniqueness

Uniqueness Score: -1.00%

Function 01094508, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.475259301.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3fe12c877a2338e6fc27f2f29a40e1ae5eec11887073fc8dbbf4fd2ee076e68
Instruction ID: 61c23249aa5ff56dade0309d7e5d48521d91b1a84919ef9572a2f647692eda7d
Opcode Fuzzy Hash: d3fe12c877a2338e6fc27f2f29a40e1ae5eec11887073fc8dbbf4fd2ee076e68
Instruction Fuzzy Hash: A1018130D49248EFCB41EFA9E81168D7FF1EF8A204F1044A9C4489B665EB745A19CB91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: EnhancementRadio.exe PID: 4308 Parent PID: 3388 EnhancementRadio.exeCOMMON

Executed Functions

Function 02876E51, Relevance: 6.1, APIs: 4, Instructions: 127threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02876EC0
GetCurrentThread.KERNEL32 ref: 02876EFD
GetCurrentProcess.KERNEL32 ref: 02876F3A
GetCurrentThreadId.KERNEL32 ref: 02876F93

Memory Dump Source

Source File: 0000001A.00000002.476416006.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: cb466a71ee568f26b0db7ca47593ad2477efe7a180a65a57e6d308b220302113
Instruction ID: b97a7962dfb0eda3675ec2880b0429a7b92b351c5eb0100984c821c38cd6896c
Opcode Fuzzy Hash: cb466a71ee568f26b0db7ca47593ad2477efe7a180a65a57e6d308b220302113
Instruction Fuzzy Hash: AA5179B8E046458FDB14CFA9D648BDEBBF1AF48318F24849AE008E7750D7749849CF66

Uniqueness

Uniqueness Score: -1.00%

Function 02876E60, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02876EC0
GetCurrentThread.KERNEL32 ref: 02876EFD
GetCurrentProcess.KERNEL32 ref: 02876F3A
GetCurrentThreadId.KERNEL32 ref: 02876F93

Memory Dump Source

Source File: 0000001A.00000002.476416006.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 34c709492488a26f611961c6fb999e3ab66c4353fcdfb40d86454e9ebe1760fb
Instruction ID: e2a3304ef07677b6eea10e871988db3ab1ddace93beff78505d551841c788097
Opcode Fuzzy Hash: 34c709492488a26f611961c6fb999e3ab66c4353fcdfb40d86454e9ebe1760fb
Instruction Fuzzy Hash: 6F5186B8E006498FDB14CFAAC648BDEBBF4AF48318F208459E008A7750D7749849CF66

Uniqueness

Uniqueness Score: -1.00%

Function 0287A2E8, Relevance: 1.7, APIs: 1, Instructions: 197COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0287A52E

Memory Dump Source

Source File: 0000001A.00000002.476416006.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a28f5728b4ae5149b833dc6cd67aa7d8138b022ecc58c82f2c74f36260d83064
Instruction ID: f6201924c36c784bbdce660cef8a62235d6286624b2a2c64efa9c2818c51a9e0
Opcode Fuzzy Hash: a28f5728b4ae5149b833dc6cd67aa7d8138b022ecc58c82f2c74f36260d83064
Instruction Fuzzy Hash: 16712478A00B058FDB28DF6AD54479AB7F5FF88304F048A2DE54ADBA40D735E8458F91

Uniqueness

Uniqueness Score: -1.00%

Function 028753DC, Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02875499

Memory Dump Source

Source File: 0000001A.00000002.476416006.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 64f228e54588ad05cc0856ec4171e99d5448e22f14c0454152d06c5671085593
Instruction ID: 3217881a61612231f3c6b305906aa77f3ee8e8808431b29599cb6e457f9acd2c
Opcode Fuzzy Hash: 64f228e54588ad05cc0856ec4171e99d5448e22f14c0454152d06c5671085593
Instruction Fuzzy Hash: 0D4104B5D0461DCFDB24CFA9C884BCEBBB5BF48308F20816AD519AB250D779594ACF50

Uniqueness

Uniqueness Score: -1.00%

Function 02873EDC, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02875499

Memory Dump Source

Source File: 0000001A.00000002.476416006.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 52aec1ee6644adfc6bfb879e939855ca949f84f777162e9bbfd4c91e71532fab
Instruction ID: 594673470c05bfb8c82143143bf03b854a88c90362c8ebf61c6e3c4ce5acfdab
Opcode Fuzzy Hash: 52aec1ee6644adfc6bfb879e939855ca949f84f777162e9bbfd4c91e71532fab
Instruction Fuzzy Hash: DF4105B4C0471CCBDB24DFA9C8847CEBBB5BF48308F608069D509AB250D7B55949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0287748A, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02877517

Memory Dump Source

Source File: 0000001A.00000002.476416006.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3325b9d7f8b50dec0bfe696a0c7b0cd1850c12eefa5056afc9223a1ecf1be3a3
Instruction ID: 138e15a70f06325acb8dd72beb9a5a08eb38ec73cdf9c891811efa42b1623931
Opcode Fuzzy Hash: 3325b9d7f8b50dec0bfe696a0c7b0cd1850c12eefa5056afc9223a1ecf1be3a3
Instruction Fuzzy Hash: E021F2B5D002499FDB10CFA9D484AEEFBF4EB58324F14841AE914A7310D374A954CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02877490, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02877517

Memory Dump Source

Source File: 0000001A.00000002.476416006.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 98d6c87053fc7ef8b539bd20aa37a9d89eeb579f198e2eeb6d0753e8068b1978
Instruction ID: f579cdf6bb2d2a659c156c38224d4a82a0678e064a66bbaac17a3adf8405d905
Opcode Fuzzy Hash: 98d6c87053fc7ef8b539bd20aa37a9d89eeb579f198e2eeb6d0753e8068b1978
Instruction Fuzzy Hash: EA21C2B5D00249DFDB10CFAAD984ADEFBF8EB48324F14841AE914A7310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 087A7CA8, Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 087A7D1C

Memory Dump Source

Source File: 0000001A.00000002.497950545.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ef7d265d4819a9e3b900af9a52065b80d2d2f1906a6cf08f56ea626f24d9e44f
Instruction ID: 740921f712ba4dea53bd4c0689899aeade356b8e802f00d81dd6c742538e0799
Opcode Fuzzy Hash: ef7d265d4819a9e3b900af9a52065b80d2d2f1906a6cf08f56ea626f24d9e44f
Instruction Fuzzy Hash: 95113871D002498FCB10CFAAC8847EFFBF4AF48314F14882AD419A7200CB749944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0287A749, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0287A5A9,00000800,00000000,00000000), ref: 0287A7BA

Memory Dump Source

Source File: 0000001A.00000002.476416006.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8ba6973e916ce50cff4c8ea7b948f5b8972d63d8c027f83bcc785f6e6fdc9718
Instruction ID: 3cbe2b59569e2c57f1742bd23f9c7863767514d91e1b06a9af54ade04f8ca59f
Opcode Fuzzy Hash: 8ba6973e916ce50cff4c8ea7b948f5b8972d63d8c027f83bcc785f6e6fdc9718
Instruction Fuzzy Hash: 5F2117B6D00209CFDB14CF9AC484ADEFBF8EB49354F14842AD455A7600C775A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02879638, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0287A5A9,00000800,00000000,00000000), ref: 0287A7BA

Memory Dump Source

Source File: 0000001A.00000002.476416006.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 10a8670d7862ae01871bc31a72cfd22326ed83265c5a3de826e3535ae781813a
Instruction ID: 2a2d320294c39a315d9f8fde4edddd1ed2006f164ad1a683b96a6f0692aa3072
Opcode Fuzzy Hash: 10a8670d7862ae01871bc31a72cfd22326ed83265c5a3de826e3535ae781813a
Instruction Fuzzy Hash: 6A1103BA9002498FCB14CF9AC484ADEFBF4AB48364F04842AE559B7600C7B5A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 087A7E78, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 087A7EDA

Memory Dump Source

Source File: 0000001A.00000002.497950545.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: a0cfb650a3c5eb2a24224471a3daea3643f0684c0789fe09c2e72a3ac79976a0
Instruction ID: fbac4c76cf3dae1fbe3e157f0e3f20b325c346e38bb1ee73d7e9da81a8c88533
Opcode Fuzzy Hash: a0cfb650a3c5eb2a24224471a3daea3643f0684c0789fe09c2e72a3ac79976a0
Instruction Fuzzy Hash: 90116671D003498FCB10CFAAC8447EFFBF9AF88224F14882AC419A7640CB74A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0287A4C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0287A52E

Memory Dump Source

Source File: 0000001A.00000002.476416006.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a174667bac7c695a716ee2ea1d95adca9777ca3d9dabac7a1ba5ba5ae1593f02
Instruction ID: 4649a867036a0ec629085821f2058771c826a3d157d3cdacc9ba25c2ef5bd328
Opcode Fuzzy Hash: a174667bac7c695a716ee2ea1d95adca9777ca3d9dabac7a1ba5ba5ae1593f02
Instruction Fuzzy Hash: 8411E0BAD007498FDB14CF9AD444BDEFBF4AF88224F14842AD419A7600D378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08ADFC20, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.498012033.0000000008AD0000.00000040.00000001.sdmp, Offset: 08AD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 045bcfcc5d6be89c207f941e799d0be82e340264cdcfcac7e157bec3bd01362b
Instruction ID: 0dc2cd396ab5030af568f321fbff835b99043bd25cf87605b072e37edd3f30b8
Opcode Fuzzy Hash: 045bcfcc5d6be89c207f941e799d0be82e340264cdcfcac7e157bec3bd01362b
Instruction Fuzzy Hash: 7631E03AB043648FCB286724985077F73A6DBC4656B19456ECE0BCBB80DE209C5383C2

Uniqueness

Uniqueness Score: -1.00%

Function 00DED01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.475709971.0000000000DED000.00000040.00000001.sdmp, Offset: 00DED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e196fc005a1e2a1a0bd68d3cdd672e40e838c6bc26d569b39667a33601390d6
Instruction ID: 6d3af6bdde48872c51ad3b9230cacd67de3ab6597a996a5fbe613f1f9fc85183
Opcode Fuzzy Hash: 4e196fc005a1e2a1a0bd68d3cdd672e40e838c6bc26d569b39667a33601390d6
Instruction Fuzzy Hash: 0421F275504280DFDB15EF14D8C4B16BB66FB88324F28C969E8494B346CB3AD847CA71

Uniqueness

Uniqueness Score: -1.00%

Function 00DED1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.475709971.0000000000DED000.00000040.00000001.sdmp, Offset: 00DED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6003809c9b35c3067a0258e478e008fa5b53a868aa3e310bb51234cae8f9f6d0
Instruction ID: b5ca526472056a5fbd3289969ac82511de4d762900f21d7465d292a7b72efffa
Opcode Fuzzy Hash: 6003809c9b35c3067a0258e478e008fa5b53a868aa3e310bb51234cae8f9f6d0
Instruction Fuzzy Hash: 9B212575904280EFDB01EF15D5C0B1ABB66FB84314F24C969D9494B341CB36D846DA71

Uniqueness

Uniqueness Score: -1.00%

Function 00DED005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.475709971.0000000000DED000.00000040.00000001.sdmp, Offset: 00DED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35de1c319cb83c73fa66f670bb03d62ba50fef65c89efdb60b71884336ce1d64
Instruction ID: 1fa3fbf0ee6dadbdb5b20a999b86e87920b914f516e2c35c652d603e88149bf7
Opcode Fuzzy Hash: 35de1c319cb83c73fa66f670bb03d62ba50fef65c89efdb60b71884336ce1d64
Instruction Fuzzy Hash: B4217F755093C08FCB02CF24D994715BF72AB46214F28C5EAD8498B697C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00DED1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.475709971.0000000000DED000.00000040.00000001.sdmp, Offset: 00DED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10598f41ecae80e3ed7eaa2e4d93e548ce5d2277042f09e11ef5a73a669a8393
Instruction ID: 2705fb330a8fbfdc77e23afec449871ecea20d06a3c825d83083b258f39f3810
Opcode Fuzzy Hash: 10598f41ecae80e3ed7eaa2e4d93e548ce5d2277042f09e11ef5a73a669a8393
Instruction Fuzzy Hash: D611BB75904680DFCB02DF10C5C4B15BBA2FB84324F28C6AED9494B696C33AD84ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 08AD2622, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.498012033.0000000008AD0000.00000040.00000001.sdmp, Offset: 08AD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d59a3bfd36cbec0bc9ae90e7e0ab9f8b9bac0bbc398c3063c26fcfeb418f7d
Instruction ID: e85732c0c95d0e3ce3b10fc342606780022dea03f637c99f46b54ea2695043f1
Opcode Fuzzy Hash: b8d59a3bfd36cbec0bc9ae90e7e0ab9f8b9bac0bbc398c3063c26fcfeb418f7d
Instruction Fuzzy Hash: 8C011D79A00258CFEB24DB54CA80BEAB7B1EB48312F1081A9D54ED7754CB785EC2CF51

Uniqueness

Uniqueness Score: -1.00%

Function 08ADFD88, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.498012033.0000000008AD0000.00000040.00000001.sdmp, Offset: 08AD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1826ff9948f05773d370f1d5bf2d2fe90bb16c58f4ac58b950c2ceb5415af66e
Instruction ID: 0754405a3fea97f8a91393ee932c89a048263d3cb306115e7fcb334c19569119
Opcode Fuzzy Hash: 1826ff9948f05773d370f1d5bf2d2fe90bb16c58f4ac58b950c2ceb5415af66e
Instruction Fuzzy Hash: E6D092B690520CEB8B00EBE4895449EBBE9DA81505B104AA6AA099B214EA365F1057A1

Uniqueness

Uniqueness Score: -1.00%

Function 08ADED30, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.498012033.0000000008AD0000.00000040.00000001.sdmp, Offset: 08AD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce57547f4b37667a5133d5453b14ce5c818a7fd913ba8bb0b1054c8a7bc3c7ed
Instruction ID: 6ebef2a0c6f829d9386c77f2f33443dcb696c0dfbe99b1a5761948e3852fb95c
Opcode Fuzzy Hash: ce57547f4b37667a5133d5453b14ce5c818a7fd913ba8bb0b1054c8a7bc3c7ed
Instruction Fuzzy Hash: 33D0A9B690020CEB8B00EFF0C88049FB7F8DB40100F200AA6A908DB210EE326F0057E1

Uniqueness

Uniqueness Score: -1.00%

Function 08ADEB50, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.498012033.0000000008AD0000.00000040.00000001.sdmp, Offset: 08AD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4211fcc1398e50e54027c7908beb932a33680f50fc35e99a0c75befff60057df
Instruction ID: 5efaf7ff156d8b234439c77d3ec01f9376379105a23078ca46367981d995c5fb
Opcode Fuzzy Hash: 4211fcc1398e50e54027c7908beb932a33680f50fc35e99a0c75befff60057df
Instruction Fuzzy Hash: 9FD0A972D0020CEF8B00EFF4C80048FB7E8DB80101F000AE6A908AB214EE3A4F0067E1

Uniqueness

Uniqueness Score: -1.00%

Function 08ADEB90, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.498012033.0000000008AD0000.00000040.00000001.sdmp, Offset: 08AD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Uniqueness

Uniqueness Score: -1.00%

Function 08ADE820, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.498012033.0000000008AD0000.00000040.00000001.sdmp, Offset: 08AD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Uniqueness

Uniqueness Score: -1.00%

Function 08ADF050, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.498012033.0000000008AD0000.00000040.00000001.sdmp, Offset: 08AD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Uniqueness

Uniqueness Score: -1.00%

Function 08ADE8B0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.498012033.0000000008AD0000.00000040.00000001.sdmp, Offset: 08AD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: ORDER#142155312938 KALISKAYA WODKA CON1GQDP- URGENT-New.exe PID: 5748 Parent PID: 5644