Play interactive tour

Edit tour

Windows Analysis Report kutipan langsung.14.10.2021.xlxs.exe

Overview

General Information

Sample Name:	kutipan langsung.14.10.2021.xlxs.exe
Analysis ID:	502603
MD5:	9e25ab014c4a3fd9fd4b6de6b3411b20
SHA1:	225d761ce2e79874c8bd83b27991d828ccdb3ca9
SHA256:	9751c9b85d1fa0d9663c4d7e2e00ce838251ef166901495787724878958bdcc1
Tags:	agentteslaexe
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected AgentTesla

Yara detected AntiVM3

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Powershell Defender Exclusion

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Tries to steal Mail credentials (via file access)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

Contains functionality to read the clipboard data

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Detected TCP or UDP traffic on non-standard ports

Contains capabilities to detect virtual machines

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

kutipan langsung.14.10.2021.xlxs.exe (PID: 7132 cmdline: 'C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe' MD5: 9E25AB014C4A3FD9FD4B6DE6B3411B20)

powershell.exe (PID: 5612 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 1580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 5516 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "ryan.sowders52@yandex.com", "Password": "mosqueboy100", "Host": "smtp.yandex.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000A.00000002.550651698.0000000003546000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.297514880.000000000293F000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.297433456.00000000028D1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.297783646.00000000038D9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.297783646.00000000038D9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000A.00000002.547694976.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.547694976.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.298063204.0000000003A61000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.298063204.0000000003A61000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000A.00000002.550322700.0000000003241000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.550322700.0000000003241000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: kutipan langsung.14.10.2021.xlxs.exe PID: 7132	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: kutipan langsung.14.10.2021.xlxs.exe PID: 7132	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 5516	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 5516	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author
10.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.kutipan langsung.14.10.2021.xlxs.exe.3b7e830.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.kutipan langsung.14.10.2021.xlxs.exe.3b7e830.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.kutipan langsung.14.10.2021.xlxs.exe.3b7e830.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.kutipan langsung.14.10.2021.xlxs.exe.3b7e830.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.kutipan langsung.14.10.2021.xlxs.exe.28f2864.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.kutipan langsung.14.10.2021.xlxs.exe.3a85b80.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.kutipan langsung.14.10.2021.xlxs.exe.3a85b80.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 4 entries

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Show sources

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe' , ParentImage: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe, ParentProcessId: 7132, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5516

Sigma detected: Powershell Defender Exclusion

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe' , ParentImage: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe, ParentProcessId: 7132, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe', ProcessId: 5612

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe' , ParentImage: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe, ParentProcessId: 7132, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5516

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe' , ParentImage: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe, ParentProcessId: 7132, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe', ProcessId: 5612

Sigma detected: T1086 PowerShell Execution

Show sources

Source: Pipe created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132786901999049530.5612.DefaultAppDomain.powershell

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.kutipan langsung.14.10.2021.xlxs.exe.3b7e830.2.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "ryan.sowders52@yandex.com", "Password": "mosqueboy100", "Host": "smtp.yandex.com"}

Source: 10.2.RegSvcs.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: kutipan langsung.14.10.2021.xlxs.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: kutipan langsung.14.10.2021.xlxs.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: Joe Sandbox View

IP Address: 77.88.21.158 77.88.21.158

Source: global traffic

TCP traffic: 192.168.2.3:49833 -> 77.88.21.158:587

Source: global traffic

TCP traffic: 192.168.2.3:49833 -> 77.88.21.158:587

Source: RegSvcs.exe, 0000000A.00000002.550322700.0000000003241000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 0000000A.00000002.550322700.0000000003241000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 0000000A.00000002.550721464.00000000035A7000.00000004.00000001.sdmp	String found in binary or memory: http://crl.certum.pl/ca.crl0h
Source: RegSvcs.exe, 0000000A.00000002.551701280.00000000065E0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: RegSvcs.exe, 0000000A.00000002.550721464.00000000035A7000.00000004.00000001.sdmp	String found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 0000000A.00000002.550651698.0000000003546000.00000004.00000001.sdmp	String found in binary or memory: http://moSPFvuwBgAd6WjJujA.org
Source: RegSvcs.exe, 0000000A.00000002.550322700.0000000003241000.00000004.00000001.sdmp	String found in binary or memory: http://pOhrmw.com
Source: RegSvcs.exe, 0000000A.00000002.550721464.00000000035A7000.00000004.00000001.sdmp	String found in binary or memory: http://repository.certum.pl/ca.cer09
Source: RegSvcs.exe, 0000000A.00000002.551701280.00000000065E0000.00000004.00000001.sdmp	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: RegSvcs.exe, 0000000A.00000002.550721464.00000000035A7000.00000004.00000001.sdmp	String found in binary or memory: http://repository.certum.pl/ycasha2.cer0
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.297514880.000000000293F000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 0000000A.00000002.550721464.00000000035A7000.00000004.00000001.sdmp	String found in binary or memory: http://smtp.yandex.com
Source: RegSvcs.exe, 0000000A.00000002.550721464.00000000035A7000.00000004.00000001.sdmp	String found in binary or memory: http://subca.ocsp-certum.com0.
Source: RegSvcs.exe, 0000000A.00000002.551701280.00000000065E0000.00000004.00000001.sdmp	String found in binary or memory: http://subca.ocsp-certum.com01
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: RegSvcs.exe, 0000000A.00000002.551701280.00000000065E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.certum.pl/CPS0
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.297433456.00000000028D1000.00000004.00000001.sdmp	String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 0000000A.00000002.550721464.00000000035A7000.00000004.00000001.sdmp	String found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
Source: RegSvcs.exe, 0000000A.00000002.550721464.00000000035A7000.00000004.00000001.sdmp	String found in binary or memory: http://yandex.ocsp-responder.com03
Source: RegSvcs.exe, 0000000A.00000002.550322700.0000000003241000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%
Source: RegSvcs.exe, 0000000A.00000002.550322700.0000000003241000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegSvcs.exe, 0000000A.00000002.550721464.00000000035A7000.00000004.00000001.sdmp	String found in binary or memory: https://www.certum.pl/CPS0
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.297783646.00000000038D9000.00000004.00000001.sdmp, RegSvcs.exe, 0000000A.00000002.547694976.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 0000000A.00000002.550322700.0000000003241000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown

DNS traffic detected: queries for: smtp.yandex.com

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 10_2_01949F90 GetClipboardData,

10_2_01949F90

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 10.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bB3D167C2u002d7A91u002d4370u002d8A12u002dC9F68649641Au007d/u0032196FF49u002dFDADu002d4855u002d9C69u002dA609E806EC4F.cs

Large array initialization: .cctor: array initializer size 11958

Source: kutipan langsung.14.10.2021.xlxs.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Code function: 0_2_04EA7628	0_2_04EA7628
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Code function: 0_2_04EA7618	0_2_04EA7618
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Code function: 0_2_04EA3D41	0_2_04EA3D41
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Code function: 0_2_04EA3D50	0_2_04EA3D50
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Code function: 0_2_04EADFD0	0_2_04EADFD0
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Code function: 0_2_04EA982A	0_2_04EA982A
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Code function: 0_2_07FF0958	0_2_07FF0958
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Code function: 0_2_004349CC	0_2_004349CC
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Code function: 0_2_00434993	0_2_00434993
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01944800	10_2_01944800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019454D0	10_2_019454D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01943D2C	10_2_01943D2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01944790	10_2_01944790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01944730	10_2_01944730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01944770	10_2_01944770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019454F0	10_2_019454F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0194D640	10_2_0194D640

Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000000.278952511.0000000000492000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameTypeKi.exe8 vs kutipan langsung.14.10.2021.xlxs.exe
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.297514880.000000000293F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePoYGKxKqXloHAxjkQkqXqZuINcWFzuVlFh.exe4 vs kutipan langsung.14.10.2021.xlxs.exe
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.297433456.00000000028D1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs kutipan langsung.14.10.2021.xlxs.exe
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.300206154.00000000070F0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dll< vs kutipan langsung.14.10.2021.xlxs.exe
Source: kutipan langsung.14.10.2021.xlxs.exe	Binary or memory string: OriginalFilenameTypeKi.exe8 vs kutipan langsung.14.10.2021.xlxs.exe

Source: kutipan langsung.14.10.2021.xlxs.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: kutipan langsung.14.10.2021.xlxs.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe 'C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe'
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe'	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kutipan langsung.14.10.2021.xlxs.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eiyx4ugi.v2i.ps1

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/5@2/1

Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Mutant created: \Sessions\1\BaseNamedObjects\DCIvIfRYdRuDYjG
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1580:120:WilError_01

Source: 10.2.RegSvcs.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 10.2.RegSvcs.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: kutipan langsung.14.10.2021.xlxs.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: kutipan langsung.14.10.2021.xlxs.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: kutipan langsung.14.10.2021.xlxs.exe, WinUsbInitForm.cs

.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe

Code function: 0_2_07FF3955 push FFFFFF8Bh; iretd

0_2_07FF3957

Source: initial sample

Static PE information: section name: .text entropy: 7.95187081009

Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 0.2.kutipan langsung.14.10.2021.xlxs.exe.28f2864.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.297514880.000000000293F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297433456.00000000028D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kutipan langsung.14.10.2021.xlxs.exe PID: 7132, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.297514880.000000000293F000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.297514880.000000000293F000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.297514880.000000000293F000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe TID: 7152	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4560	Thread sleep time: -4611686018427385s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4612	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3944	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 630	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 9222	Jump to behavior

Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.297514880.000000000293F000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.297010504.0000000000BD9000.00000004.00000020.sdmp	Binary or memory string: VMware
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.297514880.000000000293F000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.297514880.000000000293F000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.297010504.0000000000BD9000.00000004.00000020.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMware48MX1UHYWin32_VideoController26WRZFFNVideoController120060621000000.000000-000.5128672display.infMSBDA_8BUDCMHPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsC88EBLPF
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.297514880.000000000293F000.00000004.00000001.sdmp	Binary or memory string: \m%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.297514880.000000000293F000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.297514880.000000000293F000.00000004.00000001.sdmp	Binary or memory string: \m"SOFTWARE\VMware, Inc.\VMware Tools
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.297514880.000000000293F000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: RegSvcs.exe, 0000000A.00000002.551701280.00000000065E0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.297514880.000000000293F000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 115F008	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Adds a directory exclusion to Windows Defender

Show sources

Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe'
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe'			Jump to behavior

Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe'			Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe			Jump to behavior

Source: RegSvcs.exe, 0000000A.00000002.550242473.0000000001D30000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 0000000A.00000002.550242473.0000000001D30000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 0000000A.00000002.550242473.0000000001D30000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: RegSvcs.exe, 0000000A.00000002.550242473.0000000001D30000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kutipan langsung.14.10.2021.xlxs.exe.3b7e830.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kutipan langsung.14.10.2021.xlxs.exe.3b7e830.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kutipan langsung.14.10.2021.xlxs.exe.3a85b80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.297783646.00000000038D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.547694976.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.298063204.0000000003A61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.550651698.0000000003546000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.550322700.0000000003241000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kutipan langsung.14.10.2021.xlxs.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5516, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Source: Yara match	File source: 0000000A.00000002.550322700.0000000003241000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5516, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kutipan langsung.14.10.2021.xlxs.exe.3b7e830.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kutipan langsung.14.10.2021.xlxs.exe.3b7e830.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kutipan langsung.14.10.2021.xlxs.exe.3a85b80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.297783646.00000000038D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.547694976.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.298063204.0000000003A61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.550651698.0000000003546000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.550322700.0000000003241000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kutipan langsung.14.10.2021.xlxs.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5516, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation311	Path Interception	Process Injection212	Masquerading1	OS Credential Dumping2	Security Software Discovery321	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools11	Credentials in Registry1	Process Discovery2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion241	Security Account Manager	Virtualization/Sandbox Evasion241	SMB/Windows Admin Shares	Data from Local System2	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection212	NTDS	Application Window Discovery1	Distributed Component Object Model	Clipboard Data1	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing13	DCSync	System Information Discovery114	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
10.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://pOhrmw.com	0%	Virustotal		Browse
http://pOhrmw.com	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.collada.org/2005/11/COLLADASchema9Done	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://subca.ocsp-certum.com0.	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://moSPFvuwBgAd6WjJujA.org	0%	Avira URL Cloud	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://yandex.ocsp-responder.com03	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
smtp.yandex.ru	77.88.21.158	true	false		high
smtp.yandex.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	RegSvcs.exe, 0000000A.00000002.550322700.0000000003241000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designersG	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	false		high
http://pOhrmw.com	RegSvcs.exe, 0000000A.00000002.550322700.0000000003241000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	false		high
http://yandex.crl.certum.pl/ycasha2.crl0q	RegSvcs.exe, 0000000A.00000002.550721464.00000000035A7000.00000004.00000001.sdmp	false		high
http://www.tiro.com	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.collada.org/2005/11/COLLADASchema9Done	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.297433456.00000000028D1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://subca.ocsp-certum.com0.	RegSvcs.exe, 0000000A.00000002.550721464.00000000035A7000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://repository.certum.pl/ca.cer09	RegSvcs.exe, 0000000A.00000002.550721464.00000000035A7000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://moSPFvuwBgAd6WjJujA.org	RegSvcs.exe, 0000000A.00000002.550651698.0000000003546000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://subca.ocsp-certum.com01	RegSvcs.exe, 0000000A.00000002.551701280.00000000065E0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org%GETMozilla/5.0	RegSvcs.exe, 0000000A.00000002.550322700.0000000003241000.00000004.00000001.sdmp	false	URL Reputation: safe	low
http://www.fonts.com	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.297514880.000000000293F000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org%	RegSvcs.exe, 0000000A.00000002.550322700.0000000003241000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.297783646.00000000038D9000.00000004.00000001.sdmp, RegSvcs.exe, 0000000A.00000002.547694976.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.certum.pl/CPS0	RegSvcs.exe, 0000000A.00000002.551701280.00000000065E0000.00000004.00000001.sdmp	false		high
http://repository.certum.pl/ycasha2.cer0	RegSvcs.exe, 0000000A.00000002.550721464.00000000035A7000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	false		high
http://DynDns.comDynDNS	RegSvcs.exe, 0000000A.00000002.550322700.0000000003241000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://repository.certum.pl/ctnca.cer09	RegSvcs.exe, 0000000A.00000002.551701280.00000000065E0000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegSvcs.exe, 0000000A.00000002.550322700.0000000003241000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://crl.certum.pl/ctnca.crl0k	RegSvcs.exe, 0000000A.00000002.551701280.00000000065E0000.00000004.00000001.sdmp	false		high
https://www.certum.pl/CPS0	RegSvcs.exe, 0000000A.00000002.550721464.00000000035A7000.00000004.00000001.sdmp	false		high
http://smtp.yandex.com	RegSvcs.exe, 0000000A.00000002.550721464.00000000035A7000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://yandex.ocsp-responder.com03	RegSvcs.exe, 0000000A.00000002.550721464.00000000035A7000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	false		high
http://crls.yandex.net/certum/ycasha2.crl0-	RegSvcs.exe, 0000000A.00000002.550721464.00000000035A7000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	kutipan langsung.14.10.2021.xlxs.exe, 00000000.00000002.299166489.00000000068E2000.00000004.00000001.sdmp	false		high
http://crl.certum.pl/ca.crl0h	RegSvcs.exe, 0000000A.00000002.550721464.00000000035A7000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
77.88.21.158	smtp.yandex.ru	Russian Federation		13238	YANDEXRU	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	502603
Start date:	14.10.2021
Start time:	06:02:20
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	kutipan langsung.14.10.2021.xlxs.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/5@2/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.2% (good quality ratio 0.1%) Quality average: 20.8% Quality standard deviation: 26.4%
HCA Information:	Successful, ratio: 100% Number of executed functions: 45 Number of non-executed functions: 5
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.82.210.154, 20.54.110.249, 40.112.88.60, 2.20.178.56, 2.20.178.10, 20.199.120.182, 93.184.221.240, 2.20.178.24, 2.20.178.33, 20.199.120.151, 20.50.102.62 Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:03:19	API Interceptor	1x Sleep call for process: kutipan langsung.14.10.2021.xlxs.exe modified
06:03:22	API Interceptor	34x Sleep call for process: powershell.exe modified
06:03:32	API Interceptor	772x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
77.88.21.158	SecuriteInfo.com.Suspicious.Win32.Save.a.20932.exe	Get hash	malicious	Browse
	Petikan segera.12.10.2021.xlxs.exe	Get hash	malicious	Browse
	Purchase_Order_QBO6814_from_Salvona_Technologies.exe	Get hash	malicious	Browse
	RFQ-117404.doc	Get hash	malicious	Browse
	Petikan segera.08.10.2021.xlxs.exe	Get hash	malicious	Browse
	New Inquiry PR #270473. 05.10.2021.xlxs.exe	Get hash	malicious	Browse
	PO 87678.exe	Get hash	malicious	Browse
	Scan 01-10-2021.exe	Get hash	malicious	Browse
	CDE Awb_1394955262.exe	Get hash	malicious	Browse
	Guloader.exe	Get hash	malicious	Browse
	SPECIFICATIONS.pdg.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	Qhnl6IgOxo.exe	Get hash	malicious	Browse
	mbZIzXy5Q2.exe	Get hash	malicious	Browse
	Quote request.exe	Get hash	malicious	Browse
	RFQ#45875.exe	Get hash	malicious	Browse
	JJD00026901005615676001_PDF.exe	Get hash	malicious	Browse
	qWhlXWs4S6pOhEf.exe	Get hash	malicious	Browse
	Purchase Order.exe	Get hash	malicious	Browse
	INVOICE.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
smtp.yandex.ru	SecuriteInfo.com.Suspicious.Win32.Save.a.20932.exe	Get hash	malicious	Browse	77.88.21.158
	JB030_YT98600223-0032.exe	Get hash	malicious	Browse	77.88.21.158
	Petikan segera.12.10.2021.xlxs.exe	Get hash	malicious	Browse	77.88.21.158
	Purchase_Order_QBO6814_from_Salvona_Technologies.exe	Get hash	malicious	Browse	77.88.21.158
	RFQ-117404.doc	Get hash	malicious	Browse	77.88.21.158
	aQ7G4P3lIS.exe	Get hash	malicious	Browse	77.88.21.158
	Petikan segera.08.10.2021.xlxs.exe	Get hash	malicious	Browse	77.88.21.158
	New Inquiry PR #270473. 05.10.2021.xlxs.exe	Get hash	malicious	Browse	77.88.21.158
	PO 87678.exe	Get hash	malicious	Browse	77.88.21.158
	Scan 01-10-2021.exe	Get hash	malicious	Browse	77.88.21.158
	CDE Awb_1394955262.exe	Get hash	malicious	Browse	77.88.21.158
	Guloader.exe	Get hash	malicious	Browse	77.88.21.158
	SPECIFICATIONS.pdg.exe	Get hash	malicious	Browse	77.88.21.158
	file.exe	Get hash	malicious	Browse	77.88.21.158
	Qhnl6IgOxo.exe	Get hash	malicious	Browse	77.88.21.158
	mbZIzXy5Q2.exe	Get hash	malicious	Browse	77.88.21.158
	Quote request.exe	Get hash	malicious	Browse	77.88.21.158
	RFQ#45875.exe	Get hash	malicious	Browse	77.88.21.158
	JJD00026901005615676001_PDF.exe	Get hash	malicious	Browse	77.88.21.158
	qWhlXWs4S6pOhEf.exe	Get hash	malicious	Browse	77.88.21.158

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
YANDEXRU	SecuriteInfo.com.Suspicious.Win32.Save.a.20932.exe	Get hash	malicious	Browse	77.88.21.158
	sora.x86	Get hash	malicious	Browse	95.108.149.15
	sora.arm	Get hash	malicious	Browse	100.43.91.162
	Petikan segera.12.10.2021.xlxs.exe	Get hash	malicious	Browse	77.88.21.158
	Purchase_Order_QBO6814_from_Salvona_Technologies.exe	Get hash	malicious	Browse	77.88.21.158
	RFQ-117404.doc	Get hash	malicious	Browse	77.88.21.158
	Petikan segera.08.10.2021.xlxs.exe	Get hash	malicious	Browse	77.88.21.158
	t37BGZn2O1.msi	Get hash	malicious	Browse	77.88.21.119
	Elon Musk Site CI6501 .htm	Get hash	malicious	Browse	87.250.251.119
	Elon Musk Invite EZ2375 .htm	Get hash	malicious	Browse	77.88.21.119
	Update-KB250-x86.exe	Get hash	malicious	Browse	77.88.21.249
	Update-KB2984-x86.exe	Get hash	malicious	Browse	77.88.21.249
	New Inquiry PR #270473. 05.10.2021.xlxs.exe	Get hash	malicious	Browse	77.88.21.158
	PO 87678.exe	Get hash	malicious	Browse	77.88.21.158
	28jJSvNzXz.exe	Get hash	malicious	Browse	77.88.21.119
	Scan 01-10-2021.exe	Get hash	malicious	Browse	77.88.21.158
	CDE Awb_1394955262.exe	Get hash	malicious	Browse	77.88.21.158
	doc.msg.exe	Get hash	malicious	Browse	77.88.21.249
	Guloader.exe	Get hash	malicious	Browse	77.88.21.158
	SPECIFICATIONS.pdg.exe	Get hash	malicious	Browse	77.88.21.158

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kutipan langsung.14.10.2021.xlxs.exe.log Download File
Process:	C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	20668
Entropy (8bit):	5.301163974384423
Encrypted:	false
SSDEEP:	384:xtADNxdimGhNVO1nagnVnf1JNcDusm7u5ciOhhvmXa5:YifbO1xnZXSysw8cigvH
MD5:	8213801186D62A908D5EA507849816B1
SHA1:	E229B2F9221DB36C89DE1968AF6DB9A1E4AD8829
SHA-256:	797F0D17EC9C6ACC9C94251C7A225C4DA0454F9E57172F830043951F736C3813
SHA-512:	92D41D64BCF111086CEDC4AF11BC753CF8DED6814C14F7BEC0B4F31C6EE472976AC5C1FE7E571E519AC0BE841809CAD099A44C72DDF13CBBD782ED768435FD5F
Malicious:	false
Reputation:	low
Preview:	@...e...................h.h...............I..........@..........D...............fZve...F.....x.)y.......System.Management.AutomationH...............<@.^.L."My...:<..... .Microsoft.PowerShell.ConsoleHost4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eiyx4ugi.v2i.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rykas0as.rcp.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\Documents\20211014\PowerShell_transcript.436432.Vt8_1xtD.20211014060320.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3652
Entropy (8bit):	5.3177230403172615
Encrypted:	false
SSDEEP:	96:BZShANrtqDo1ZLQZKhANrtqDo1ZHNqUj0cj0cj0dZ5:GffG
MD5:	FF2598151CA643443AE4609FE1840D7F
SHA1:	8CE3A278A1434007AE53937CAF927E9144524F9F
SHA-256:	893268DC634A7A4F21EF63895E8FA033A81CFAEC6EDF6C5281077515CE7A80BC
SHA-512:	B6EF5FB069ADA4610BB0E5F0983FF42CF6DDB01B0B48A2D2A22893503215C47D6408F3420481921807F609989A823355BF01CA0E63164FCDCDEADBEBA01C4318
Malicious:	false
Reputation:	low
Preview:	.********************..Windows PowerShell transcript start..Start time: 20211014060322..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 436432 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe..Process ID: 5612..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20211014060322..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe..******************..Command start time: 20211014060604..********************..PS>TerminatingError(Add-MpPreference): "A

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.9407876055223285
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	kutipan langsung.14.10.2021.xlxs.exe
File size:	388096
MD5:	9e25ab014c4a3fd9fd4b6de6b3411b20
SHA1:	225d761ce2e79874c8bd83b27991d828ccdb3ca9
SHA256:	9751c9b85d1fa0d9663c4d7e2e00ce838251ef166901495787724878958bdcc1
SHA512:	475e88b02520243e56052020f107eafda6677b315de0cc58f5a8c9bd9a9f4ee0dc31b3f5295343cba40931bfc1dcb85d623e562cede93bbed2edab981c3c0b08
SSDEEP:	6144:h+7SgkjfbIroFnd6DAHP4ho+ohFYLU6bqZGH9OoOdL0sHr9mFvfoplZySqBLvtHq:hfhFndHscTYLhWGH9OoOdxEFYpvypBLM
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...[.ga..............0.............f.... ... ....@.. .......................`............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x460066
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6167885B [Thu Oct 14 01:31:07 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x60014	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x62000	0x5bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x64000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x5e06c	0x5e200	False	0.958364458831	data	7.95187081009	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x62000	0x5bc	0x600	False	0.42578125	data	4.11814862767	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x64000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x62090	0x32c	data
RT_MANIFEST	0x623cc	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2015 - 2021
Assembly Version	1.0.0.0
InternalName	TypeKi.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	Win UsbInit
ProductVersion	1.0.0.0
FileDescription	Win UsbInit
OriginalFilename	TypeKi.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2021 06:04:58.617813110 CEST	49833	587	192.168.2.3	77.88.21.158
Oct 14, 2021 06:04:58.681330919 CEST	587	49833	77.88.21.158	192.168.2.3
Oct 14, 2021 06:04:58.681480885 CEST	49833	587	192.168.2.3	77.88.21.158
Oct 14, 2021 06:04:59.316066980 CEST	587	49833	77.88.21.158	192.168.2.3
Oct 14, 2021 06:04:59.316813946 CEST	49833	587	192.168.2.3	77.88.21.158
Oct 14, 2021 06:04:59.380074024 CEST	587	49833	77.88.21.158	192.168.2.3
Oct 14, 2021 06:04:59.380106926 CEST	587	49833	77.88.21.158	192.168.2.3
Oct 14, 2021 06:04:59.380846977 CEST	49833	587	192.168.2.3	77.88.21.158
Oct 14, 2021 06:04:59.444161892 CEST	587	49833	77.88.21.158	192.168.2.3
Oct 14, 2021 06:04:59.496284962 CEST	49833	587	192.168.2.3	77.88.21.158
Oct 14, 2021 06:04:59.544555902 CEST	49833	587	192.168.2.3	77.88.21.158
Oct 14, 2021 06:04:59.609746933 CEST	587	49833	77.88.21.158	192.168.2.3
Oct 14, 2021 06:04:59.609797001 CEST	587	49833	77.88.21.158	192.168.2.3
Oct 14, 2021 06:04:59.609834909 CEST	587	49833	77.88.21.158	192.168.2.3
Oct 14, 2021 06:04:59.609868050 CEST	587	49833	77.88.21.158	192.168.2.3
Oct 14, 2021 06:04:59.610131979 CEST	49833	587	192.168.2.3	77.88.21.158
Oct 14, 2021 06:04:59.693609953 CEST	49833	587	192.168.2.3	77.88.21.158
Oct 14, 2021 06:04:59.758589983 CEST	587	49833	77.88.21.158	192.168.2.3
Oct 14, 2021 06:04:59.801829100 CEST	49833	587	192.168.2.3	77.88.21.158
Oct 14, 2021 06:05:00.024593115 CEST	49833	587	192.168.2.3	77.88.21.158
Oct 14, 2021 06:05:00.087990999 CEST	587	49833	77.88.21.158	192.168.2.3
Oct 14, 2021 06:05:00.089920044 CEST	49833	587	192.168.2.3	77.88.21.158
Oct 14, 2021 06:05:00.153243065 CEST	587	49833	77.88.21.158	192.168.2.3
Oct 14, 2021 06:05:00.154685974 CEST	49833	587	192.168.2.3	77.88.21.158
Oct 14, 2021 06:05:00.239348888 CEST	587	49833	77.88.21.158	192.168.2.3
Oct 14, 2021 06:05:00.240891933 CEST	49833	587	192.168.2.3	77.88.21.158
Oct 14, 2021 06:05:00.317074060 CEST	587	49833	77.88.21.158	192.168.2.3
Oct 14, 2021 06:05:00.317969084 CEST	49833	587	192.168.2.3	77.88.21.158
Oct 14, 2021 06:05:00.394125938 CEST	587	49833	77.88.21.158	192.168.2.3
Oct 14, 2021 06:05:00.394783020 CEST	49833	587	192.168.2.3	77.88.21.158
Oct 14, 2021 06:05:00.458132982 CEST	587	49833	77.88.21.158	192.168.2.3
Oct 14, 2021 06:05:00.461564064 CEST	49833	587	192.168.2.3	77.88.21.158
Oct 14, 2021 06:05:00.461926937 CEST	49833	587	192.168.2.3	77.88.21.158
Oct 14, 2021 06:05:00.468959093 CEST	49833	587	192.168.2.3	77.88.21.158
Oct 14, 2021 06:05:00.469326973 CEST	49833	587	192.168.2.3	77.88.21.158
Oct 14, 2021 06:05:00.469583988 CEST	49833	587	192.168.2.3	77.88.21.158
Oct 14, 2021 06:05:00.469800949 CEST	49833	587	192.168.2.3	77.88.21.158
Oct 14, 2021 06:05:00.470010042 CEST	49833	587	192.168.2.3	77.88.21.158
Oct 14, 2021 06:05:00.525500059 CEST	587	49833	77.88.21.158	192.168.2.3
Oct 14, 2021 06:05:00.532526970 CEST	587	49833	77.88.21.158	192.168.2.3
Oct 14, 2021 06:05:00.532778025 CEST	587	49833	77.88.21.158	192.168.2.3
Oct 14, 2021 06:05:00.579900026 CEST	587	49833	77.88.21.158	192.168.2.3
Oct 14, 2021 06:05:00.952370882 CEST	587	49833	77.88.21.158	192.168.2.3
Oct 14, 2021 06:05:00.994762897 CEST	49833	587	192.168.2.3	77.88.21.158

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2021 06:04:58.465135098 CEST	60982	53	192.168.2.3	8.8.8.8
Oct 14, 2021 06:04:58.484019041 CEST	53	60982	8.8.8.8	192.168.2.3
Oct 14, 2021 06:04:58.495214939 CEST	58058	53	192.168.2.3	8.8.8.8
Oct 14, 2021 06:04:58.513581991 CEST	53	58058	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 14, 2021 06:04:58.465135098 CEST	192.168.2.3	8.8.8.8	0x915b	Standard query (0)	smtp.yandex.com	A (IP address)	IN (0x0001)
Oct 14, 2021 06:04:58.495214939 CEST	192.168.2.3	8.8.8.8	0x139e	Standard query (0)	smtp.yandex.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 14, 2021 06:04:58.484019041 CEST	8.8.8.8	192.168.2.3	0x915b	No error (0)	smtp.yandex.com	smtp.yandex.ru		CNAME (Canonical name)	IN (0x0001)
Oct 14, 2021 06:04:58.484019041 CEST	8.8.8.8	192.168.2.3	0x915b	No error (0)	smtp.yandex.ru		77.88.21.158	A (IP address)	IN (0x0001)
Oct 14, 2021 06:04:58.513581991 CEST	8.8.8.8	192.168.2.3	0x139e	No error (0)	smtp.yandex.com	smtp.yandex.ru		CNAME (Canonical name)	IN (0x0001)
Oct 14, 2021 06:04:58.513581991 CEST	8.8.8.8	192.168.2.3	0x139e	No error (0)	smtp.yandex.ru		77.88.21.158	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Oct 14, 2021 06:04:59.316066980 CEST	587	49833	77.88.21.158	192.168.2.3	220 sas2-34ddad429748.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru)
Oct 14, 2021 06:04:59.316813946 CEST	49833	587	192.168.2.3	77.88.21.158	EHLO 436432
Oct 14, 2021 06:04:59.380106926 CEST	587	49833	77.88.21.158	192.168.2.3	250-sas2-34ddad429748.qloud-c.yandex.net 250-8BITMIME 250-PIPELINING 250-SIZE 42991616 250-STARTTLS 250-AUTH LOGIN PLAIN XOAUTH2 250-DSN 250 ENHANCEDSTATUSCODES
Oct 14, 2021 06:04:59.380846977 CEST	49833	587	192.168.2.3	77.88.21.158	STARTTLS
Oct 14, 2021 06:04:59.444161892 CEST	587	49833	77.88.21.158	192.168.2.3	220 Go ahead

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: kutipan langsung.14.10.2021.xlxs.exe PID: 7132 Parent PID: 5824

General

Start time:	06:03:12
Start date:	14/10/2021
Path:	C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe'
Imagebase:	0x430000
File size:	388096 bytes
MD5 hash:	9E25AB014C4A3FD9FD4B6DE6B3411B20
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.297514880.000000000293F000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.297433456.00000000028D1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.297783646.00000000038D9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.297783646.00000000038D9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.298063204.0000000003A61000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.298063204.0000000003A61000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 5612 Parent PID: 7132

General

Start time:	06:03:19
Start date:	14/10/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\kutipan langsung.14.10.2021.xlxs.exe'
Imagebase:	0xd40000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 1580 Parent PID: 5612

General

Start time:	06:03:20
Start date:	14/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 5516 Parent PID: 7132

General

Start time:	06:03:20
Start date:	14/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0xfc0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.550651698.0000000003546000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.547694976.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000A.00000002.547694976.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.550322700.0000000003241000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.550322700.0000000003241000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: kutipan langsung.14.10.2021.xlxs.exe PID: 7132 Parent PID: 5824 kutipan langsung.14.10.2021.xlxs.exeCOMMON

Executed Functions

Function 04EA7618, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298513461.0000000004EA0000.00000040.00000001.sdmp, Offset: 04EA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f3e7eed8757effe3e51fe919e5dd2f1f16015d360f153cb80b557c8320977e
Instruction ID: 6653988e1ab081304f25fb250c39c9a2f417061e57008fe0e478b2d20da46d84
Opcode Fuzzy Hash: e5f3e7eed8757effe3e51fe919e5dd2f1f16015d360f153cb80b557c8320977e
Instruction Fuzzy Hash: 64615F70E02208CFDB44EFA9E46069E7BF7EBC4304F04C869E509AB358DB756D459B61

Uniqueness

Uniqueness Score: -1.00%

Function 07FF0958, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.300839449.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 124a36782212fcf68ca267bcd4e7ff8b5b236b8d0815fc3ff9c7604d36574225
Instruction ID: d8f9de82e9a2a7cbea1b8c384eb91ece38df3822869d1bddaa2dd0e7fd91d8ad
Opcode Fuzzy Hash: 124a36782212fcf68ca267bcd4e7ff8b5b236b8d0815fc3ff9c7604d36574225
Instruction Fuzzy Hash: 4961F2B1D1062ECBDB64CF66C844BEDB7B1AF89304F1485AAD519A7250EBB05AC58F40

Uniqueness

Uniqueness Score: -1.00%

Function 04EAF305, Relevance: 1.7, APIs: 1, Instructions: 247processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 04EAF546

Memory Dump Source

Source File: 00000000.00000002.298513461.0000000004EA0000.00000040.00000001.sdmp, Offset: 04EA0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1e8c821edfee74705d8d6e117d54657c0f40b28273219cf31b446f0f00742a70
Instruction ID: 440a8a6fe0bbf7168c17547c985f22a14dac78784d17d4944edad030bbf96f5a
Opcode Fuzzy Hash: 1e8c821edfee74705d8d6e117d54657c0f40b28273219cf31b446f0f00742a70
Instruction Fuzzy Hash: 4EA16F71D00219DFEF14CFA8C8817EDBBB2BF48318F1485A9D819A7240DB74A995CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04EAF310, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 04EAF546

Memory Dump Source

Source File: 00000000.00000002.298513461.0000000004EA0000.00000040.00000001.sdmp, Offset: 04EA0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1ae400fa38c452c56012045618697a8afed820e35e8e610038683dd987ed107f
Instruction ID: 50922596c14dbaade5fa103d51c329e073f3a0395dde960b4f954b9f0e2cead1
Opcode Fuzzy Hash: 1ae400fa38c452c56012045618697a8afed820e35e8e610038683dd987ed107f
Instruction Fuzzy Hash: 2B916E71D00219DFEF14CFA8C881BEEBBB2BF48318F148569D819A7250DB74A995CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07FF028C, Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

FindWindowA.USER32(?), ref: 07FF036F

Memory Dump Source

Source File: 00000000.00000002.300839449.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 14010a9e81822466f600e0fb9f3a3935ac5d9fe9aed94b61e2720ab476531cf0
Instruction ID: 3e6ce27f0c4bc06aff8261c8aa98b65517eb7fbc6dbc8624f739fd8940211321
Opcode Fuzzy Hash: 14010a9e81822466f600e0fb9f3a3935ac5d9fe9aed94b61e2720ab476531cf0
Instruction Fuzzy Hash: 79418AB0D002188FCB10CFA9CA8579EBBF1FF48314F148529D815A7260DBB49846CF82

Uniqueness

Uniqueness Score: -1.00%

Function 07FF0298, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

FindWindowA.USER32(?), ref: 07FF036F

Memory Dump Source

Source File: 00000000.00000002.300839449.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 684c0bfeff124203bd85156bf7827d6b3e0eadaa323d1756e786ff48f4d133fe
Instruction ID: 5e82d9dd1bf5a2446067d7e03053485a4a02f26a88c994bf224774f1ac5a7d0a
Opcode Fuzzy Hash: 684c0bfeff124203bd85156bf7827d6b3e0eadaa323d1756e786ff48f4d133fe
Instruction Fuzzy Hash: EF3156B1D102198FCB10CFA9CA85B9EBBF5BF48314F18852AD815A7260DBB49845CF92

Uniqueness

Uniqueness Score: -1.00%

Function 04EAF081, Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 04EAF118

Memory Dump Source

Source File: 00000000.00000002.298513461.0000000004EA0000.00000040.00000001.sdmp, Offset: 04EA0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ea3349a5dd72f586971adb77f7623c61c07c022053f3c4599600d36d2be5c713
Instruction ID: 438e86f998ee85a76b955c78a6aeb553a209a3c2e085da4d405a578786ad9120
Opcode Fuzzy Hash: ea3349a5dd72f586971adb77f7623c61c07c022053f3c4599600d36d2be5c713
Instruction Fuzzy Hash: 272146719002099FCF00CFA9C985BEEBBF5FF48314F10882AE918A7240C778A955CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04EAF088, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 04EAF118

Memory Dump Source

Source File: 00000000.00000002.298513461.0000000004EA0000.00000040.00000001.sdmp, Offset: 04EA0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: eb74cc855d7a6f578fa452feb07a6edc1b0b926b6897616631debf2dd0a7cd0d
Instruction ID: 43833b5065928063e0601a6e61cf767cc8cac6446767d86a1bae86242bc7be56
Opcode Fuzzy Hash: eb74cc855d7a6f578fa452feb07a6edc1b0b926b6897616631debf2dd0a7cd0d
Instruction Fuzzy Hash: 7A2127759003099FCF10CFA9C985BEEBBF5FF48314F108829E919A7250D778A954CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04EAF170, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 04EAF1F8

Memory Dump Source

Source File: 00000000.00000002.298513461.0000000004EA0000.00000040.00000001.sdmp, Offset: 04EA0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9bf1d26fac1efcbc29b1cd86cfdb550b863b7a0c3366edfc9d06497191d35e35
Instruction ID: 98c446317808da32c121f7fe340bb89a8df7f2c34b2ed1772a23fd88d99a11dd
Opcode Fuzzy Hash: 9bf1d26fac1efcbc29b1cd86cfdb550b863b7a0c3366edfc9d06497191d35e35
Instruction Fuzzy Hash: F22139718002099FDB00CFA9C9857EEFBF5FF48314F10882AD519A7250C7789945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04EAEEE9, Relevance: 1.6, APIs: 1, Instructions: 65threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNEL32(?,00000000), ref: 04EAEF6E

Memory Dump Source

Source File: 00000000.00000002.298513461.0000000004EA0000.00000040.00000001.sdmp, Offset: 04EA0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: b5377bca81e4fe2933fe8c9b0c6706243e29298c918164218aa1da84d071067a
Instruction ID: ee89df141b8d26271f9b0c3ee20771a733fa03cb57031768466eb642ca1f4123
Opcode Fuzzy Hash: b5377bca81e4fe2933fe8c9b0c6706243e29298c918164218aa1da84d071067a
Instruction Fuzzy Hash: 582149759003088FDB10DFA9C5857EEBBF4EF88368F14882ED519A7240CB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04EAF178, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 04EAF1F8

Memory Dump Source

Source File: 00000000.00000002.298513461.0000000004EA0000.00000040.00000001.sdmp, Offset: 04EA0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: cf57764687579e5db3eedc4f2e3682a493fef95c1d2977fb52aea78de1da823a
Instruction ID: 87de7864d971d80042aa3fd744b9028fbfdfc415d0d57ae195ff2cf5cc537ed7
Opcode Fuzzy Hash: cf57764687579e5db3eedc4f2e3682a493fef95c1d2977fb52aea78de1da823a
Instruction Fuzzy Hash: F72128B19002499FCB10CFA9C985BEEFBF5FF48314F50882AE519A7250C778A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04EAEEF0, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNEL32(?,00000000), ref: 04EAEF6E

Memory Dump Source

Source File: 00000000.00000002.298513461.0000000004EA0000.00000040.00000001.sdmp, Offset: 04EA0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: e0db2200fb5d867b01ba5cc3c110463a24ac053a2ce59ddda9c7cfa42ee31c81
Instruction ID: e608c487b46f861e94c99df5f0a3b6d254e5659c5f234b67d44e352977cbcc33
Opcode Fuzzy Hash: e0db2200fb5d867b01ba5cc3c110463a24ac053a2ce59ddda9c7cfa42ee31c81
Instruction Fuzzy Hash: 502129759003098FDB10DFAAC5857EEBBF4EF88368F148829D519A7240DB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04EAEFC1, Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 04EAF036

Memory Dump Source

Source File: 00000000.00000002.298513461.0000000004EA0000.00000040.00000001.sdmp, Offset: 04EA0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1fd34dd0d7e52a00fad4b9ae40f4a882acc70b54e6bc83340d881324d425e272
Instruction ID: 3455b945ea30da7aa96edc0d65d150305ab5a2d7a7e266b8a338465990bf9802
Opcode Fuzzy Hash: 1fd34dd0d7e52a00fad4b9ae40f4a882acc70b54e6bc83340d881324d425e272
Instruction Fuzzy Hash: 3E1159719002088FCF10DFA9C9457EFBBF5EF88324F148819D529A7210C775A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04EAEFC8, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 04EAF036

Memory Dump Source

Source File: 00000000.00000002.298513461.0000000004EA0000.00000040.00000001.sdmp, Offset: 04EA0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9c38e3d6200a4888a745f53ad186f6f216abf4767cdc652c84a6961345c6c627
Instruction ID: 9f0b2ff400e9aa54e35d2354f9a81e51229f16d1ec893cf868c0b8c208114c0c
Opcode Fuzzy Hash: 9c38e3d6200a4888a745f53ad186f6f216abf4767cdc652c84a6961345c6c627
Instruction Fuzzy Hash: 171126769002089FCF10DFA9C945BEFBBF9AF88324F148819D629A7250C775A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04EAEE39, Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 04EAEEA2

Memory Dump Source

Source File: 00000000.00000002.298513461.0000000004EA0000.00000040.00000001.sdmp, Offset: 04EA0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2edf1ff1817dc7c456797f3ed1c0271c93d0168b55639bf0ce1f58cc6a9b332e
Instruction ID: 9dcaffce166834e604b31b6939089dd6d98979b87aeb9981042b2187bd7e9540
Opcode Fuzzy Hash: 2edf1ff1817dc7c456797f3ed1c0271c93d0168b55639bf0ce1f58cc6a9b332e
Instruction Fuzzy Hash: D81158B19002488BDB10DFA9C5557EFFBF4EF88324F14882AC529A7240C778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04EAEE40, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 04EAEEA2

Memory Dump Source

Source File: 00000000.00000002.298513461.0000000004EA0000.00000040.00000001.sdmp, Offset: 04EA0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c41a77360ddcc4b2a18c02e25d4c33889ccfb2baaa890553d40e9005fb2d0fa4
Instruction ID: 90d4b97a36a5b04fedfdf811c30a00bfb29ff48d7e5ed58722b2a538a693aaf1
Opcode Fuzzy Hash: c41a77360ddcc4b2a18c02e25d4c33889ccfb2baaa890553d40e9005fb2d0fa4
Instruction Fuzzy Hash: B31128B19002488BDB14DFAAC5457EFFBF9EF88324F148819C519A7250C774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07FF1E40, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07FF1EA5

Memory Dump Source

Source File: 00000000.00000002.300839449.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: cc25ee8f230799fcc525631ec9810a3fefb97f4f55a3f5aca3538b8ddacf9f58
Instruction ID: a27d106ce874a197d1d2a006f01e82f599c65533dbfee5515f8dbb36b1bb68e4
Opcode Fuzzy Hash: cc25ee8f230799fcc525631ec9810a3fefb97f4f55a3f5aca3538b8ddacf9f58
Instruction Fuzzy Hash: 501122B5800249DFDB20CF99C485BEEBBF4FB48324F14895AD959A7610C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07FF1E48, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07FF1EA5

Memory Dump Source

Source File: 00000000.00000002.300839449.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a2fcbfeffb7a91980da8ddedfc9b889e7b90adbd3a41791a54735158e2cb6766
Instruction ID: 88ae37cc8833ae84b2174c6b9c64f6f14f08dbd023bf9e467f8234911d444fc5
Opcode Fuzzy Hash: a2fcbfeffb7a91980da8ddedfc9b889e7b90adbd3a41791a54735158e2cb6766
Instruction Fuzzy Hash: 4D11D3B58002499FDB20CF99C985BDEBBF8FB48324F148859D519A7610C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0096D3D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.296773772.000000000096D000.00000040.00000001.sdmp, Offset: 0096D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c04dd28ca32a98eb294b9ce723b81c7ead28a075899ad7122aba760e1c00f394
Instruction ID: 13d4acde9ec2a2097e53bcd5b7010786b60e6157ffe69077e3516a71f3c729e7
Opcode Fuzzy Hash: c04dd28ca32a98eb294b9ce723b81c7ead28a075899ad7122aba760e1c00f394
Instruction Fuzzy Hash: 0B216D71A00244DFDB00CF10C9C0F16BB69FB98324F24C969D8050F296C73AEC45C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0097D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.296788323.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e9b5abb0eabf707642ede7015751a3ebe5125a1c71907f6b94e37f08e1b37a3
Instruction ID: 91b8010b4243fa342e0a07deb8d7401ecf74d1d9177acea82d64f728430ae1be
Opcode Fuzzy Hash: 7e9b5abb0eabf707642ede7015751a3ebe5125a1c71907f6b94e37f08e1b37a3
Instruction Fuzzy Hash: 8221F572605204DFDB05DF54D9C0B16BBB9FF84318F24C9A9D94D4B242C73AD846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0097D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.296788323.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3957363d34658cff334c8a8430d933bebf808620d0b5220b84617d7c461dd88f
Instruction ID: 76e10c521a2b1b89ed1cbd8adffb80ce90072630b7cb46faa944e5d386a52668
Opcode Fuzzy Hash: 3957363d34658cff334c8a8430d933bebf808620d0b5220b84617d7c461dd88f
Instruction Fuzzy Hash: ED21F276505244DFDB14DF24D9C4B26BBB9FF84328F24C9A9D80D4B286C73AD846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0097D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.296788323.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c374ecddd8ccc9902276285369511e53fe3ecfa4a2e6af43bf91c943f990840c
Instruction ID: b777059cee835c1772df1d6fa756249d70f6af56167ffebd47781977343a8904
Opcode Fuzzy Hash: c374ecddd8ccc9902276285369511e53fe3ecfa4a2e6af43bf91c943f990840c
Instruction Fuzzy Hash: D3214F755093808FCB12CF24D994715BF71AF46314F29C5DAD8498B6A7C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0096D3D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.296773772.000000000096D000.00000040.00000001.sdmp, Offset: 0096D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26050ac9a710059c9b477200a138371d2ae940eb4f2ea16139302a11668e0a51
Instruction ID: 1a027f83254f61881c8b33da815718db7c8b8e2824762018cc2678bbc0080213
Opcode Fuzzy Hash: 26050ac9a710059c9b477200a138371d2ae940eb4f2ea16139302a11668e0a51
Instruction Fuzzy Hash: FB11E676905280DFDF11CF14D5C4B16BF71FB94324F28C6A9D8094B666C33AE85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0097D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.296788323.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe3a79b71d5a6ab5434c2c550ac10f7a27ed0520e362bee17f3833a5207920d
Instruction ID: 2e4e0bce508f9ce174cf3066699a1df4cfb759af02bf59dd53d9e6aebf9d6288
Opcode Fuzzy Hash: abe3a79b71d5a6ab5434c2c550ac10f7a27ed0520e362bee17f3833a5207920d
Instruction Fuzzy Hash: 28118B76505280DFDB11CF14D6C4B15BBB1FF84324F28C6ADD8494B656C33AD84ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0096D745, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.296773772.000000000096D000.00000040.00000001.sdmp, Offset: 0096D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c5046dd767c7611278c303f2ec077653a2544daaea6ef20b790ef48cbeb5032
Instruction ID: a6e43fa0a17536b196184713c58895939aaec971617d140fc221cb36a8719e62
Opcode Fuzzy Hash: 1c5046dd767c7611278c303f2ec077653a2544daaea6ef20b790ef48cbeb5032
Instruction Fuzzy Hash: 0D0147B1A053409AE7104E66CD88BA6BBDCEF41334F18885AED280B242D7389C44CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 0096D744, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.296773772.000000000096D000.00000040.00000001.sdmp, Offset: 0096D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710b9054f61176fa0e170ce75855fd512162e2cf60858237d0a02ce60d3d6b1a
Instruction ID: 94c4c15d2f14b7690a8410db65e1fef44741fab249c3c06c5cde9655ed237cf8
Opcode Fuzzy Hash: 710b9054f61176fa0e170ce75855fd512162e2cf60858237d0a02ce60d3d6b1a
Instruction Fuzzy Hash: 03F0C2B25053449EE7108E16CD88B62FBDCEB41734F18C45AED180B286C3799844CAB2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04EA982A, Relevance: 2.7, Strings: 2, Instructions: 194COMMON

Download Yara Rule

Strings

-, xrefs: 04EA9B41
EGm/, xrefs: 04EA9852

Memory Dump Source

Source File: 00000000.00000002.298513461.0000000004EA0000.00000040.00000001.sdmp, Offset: 04EA0000, based on PE: false

Similarity

API ID:
String ID: -$EGm/
API String ID: 0-2620138870
Opcode ID: 1b6296011e03d176be2e68dc59ad460453e4afea7d2001994dc54b845ba38a94
Instruction ID: 92c5b229336a5525022d4d42dc4df660f31d47f4379c194b613fe48640ef1713
Opcode Fuzzy Hash: 1b6296011e03d176be2e68dc59ad460453e4afea7d2001994dc54b845ba38a94
Instruction Fuzzy Hash: 02A1AAB0E506298FCB64CF69C9807CDBBF4FF89314F4085E5D198AA206EB309A95CF45

Uniqueness

Uniqueness Score: -1.00%

Function 04EADFD0, Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298513461.0000000004EA0000.00000040.00000001.sdmp, Offset: 04EA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1983010524f9ea5c81af4c3de08de9336c10881f9e64526d3b7ae6b0510115b
Instruction ID: f66a86d3e766d0f7f0d3440c619b50844cf86588fec38cb2d7b2f07c27960a78
Opcode Fuzzy Hash: b1983010524f9ea5c81af4c3de08de9336c10881f9e64526d3b7ae6b0510115b
Instruction Fuzzy Hash: 34E15134B001089FDB14EFE8D854AAEB7F6EBC8304F1094A9D506AB359DB35BD51CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04EA3D41, Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298513461.0000000004EA0000.00000040.00000001.sdmp, Offset: 04EA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 049288747a321ea370ddbf0f1ee14625afad6b29f50196e3dba0ed0ab1e63509
Instruction ID: 3d3d29072571953e6badf1bf85fd1da3cda84a56744cfd7dd0bf2b104a93fd7c
Opcode Fuzzy Hash: 049288747a321ea370ddbf0f1ee14625afad6b29f50196e3dba0ed0ab1e63509
Instruction Fuzzy Hash: E8D1D330C21A5ADBDB00EFA4D990699B3B1FFD5200F51CB9AD10A37215EB706ED5CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04EA3D50, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298513461.0000000004EA0000.00000040.00000001.sdmp, Offset: 04EA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6b9e3fda2c01197eb0c00f495574f04ca9b78e6b23d606f54425afd018aa441
Instruction ID: 1f3d140bbad08c3b9f2b9ac49344dcc5b3f7b2f275159e3f79ef40dc8bacbaff
Opcode Fuzzy Hash: f6b9e3fda2c01197eb0c00f495574f04ca9b78e6b23d606f54425afd018aa441
Instruction Fuzzy Hash: 2CD1D230C21A5ADBDB10EFA4D990699B3B1FFD5200F51CB9AE10A37215EB706ED5CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04EA7628, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.298513461.0000000004EA0000.00000040.00000001.sdmp, Offset: 04EA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234719c16d31c4174939a34d188cbe874933eb828d2e27f3cc7e2bd602e5a65a
Instruction ID: 2a4e44f7044c812abb3e8429ccc29f19c21ccc82c2e9e58c989f613a245c4640
Opcode Fuzzy Hash: 234719c16d31c4174939a34d188cbe874933eb828d2e27f3cc7e2bd602e5a65a
Instruction Fuzzy Hash: 8D513D70E02208CFDB44EFA9E86069E7BF6EBC4304F04C869E509AB358DB756D459B61

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 5516 Parent PID: 7132 RegSvcs.exeCOMMON

Executed Functions

Function 01949F90, Relevance: 1.7, APIs: 1, Instructions: 164clipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32(?,00000000,00000000,?,?), ref: 0194A15E

Memory Dump Source

Source File: 0000000A.00000002.550000663.0000000001940000.00000040.00000001.sdmp, Offset: 01940000, based on PE: false

Similarity

API ID: ClipboardData
String ID:
API String ID: 2952336681-0
Opcode ID: 49640321f1eefbe3ba1d5cfab8f008cfb82e6e80a969876ae9f6de33dd8de557
Instruction ID: ee9961a6ed5b61012fe8861f4f0c586c6a308ad963c12d34102130f1fe7b247a
Opcode Fuzzy Hash: 49640321f1eefbe3ba1d5cfab8f008cfb82e6e80a969876ae9f6de33dd8de557
Instruction Fuzzy Hash: F051D7317042459FEB129F68D854E6A3FB6FF9A204F048069FA1ACB352DB35CC06D751

Uniqueness

Uniqueness Score: -1.00%

Function 01946B7F, Relevance: 6.1, APIs: 4, Instructions: 147threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 01946C10
GetCurrentThread.KERNEL32 ref: 01946C4D
GetCurrentProcess.KERNEL32 ref: 01946C8A
GetCurrentThreadId.KERNEL32 ref: 01946CE3

Memory Dump Source

Source File: 0000000A.00000002.550000663.0000000001940000.00000040.00000001.sdmp, Offset: 01940000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f1fe61b9b8be1e6805beee21ea4fe656bd9b176b182d7bf66e88ad9bbbdd1267
Instruction ID: 6a97df78957f33d3fb0279ad570938b188e78824711968f2a72c3a1debaaf121
Opcode Fuzzy Hash: f1fe61b9b8be1e6805beee21ea4fe656bd9b176b182d7bf66e88ad9bbbdd1267
Instruction Fuzzy Hash: 285189B0D003498FDB14CFA9C949BDEBFF5EF8A314F14889AD119A7251D7349884CB66

Uniqueness

Uniqueness Score: -1.00%

Function 01946BB0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 01946C10
GetCurrentThread.KERNEL32 ref: 01946C4D
GetCurrentProcess.KERNEL32 ref: 01946C8A
GetCurrentThreadId.KERNEL32 ref: 01946CE3

Memory Dump Source

Source File: 0000000A.00000002.550000663.0000000001940000.00000040.00000001.sdmp, Offset: 01940000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0781a4cc592504af6b050cba34db8a7a1586f26cf274df09e0c861bf18e50352
Instruction ID: 6269928196381ff7757ce2fac51d6add03e0decda1290555d9a188aaf19d6d14
Opcode Fuzzy Hash: 0781a4cc592504af6b050cba34db8a7a1586f26cf274df09e0c861bf18e50352
Instruction Fuzzy Hash: E75146B0D002488FDB14CFA9D649BDEBBF5EF89314F208859E119A7350DB74A884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0194BDC8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0194BE52

Strings

U, xrefs: 0194BDD5

Memory Dump Source

Source File: 0000000A.00000002.550000663.0000000001940000.00000040.00000001.sdmp, Offset: 01940000, based on PE: false

Similarity

API ID: EncodePointer
String ID: U
API String ID: 2118026453-3372436214
Opcode ID: 0420d14ab439e2f1320713c3718553f34e9f7b825a4417848d88f4e1af706115
Instruction ID: e9b60b4ec8e7d7172770875315e12b2a9a2e846c4f2b4f489384344819f7998c
Opcode Fuzzy Hash: 0420d14ab439e2f1320713c3718553f34e9f7b825a4417848d88f4e1af706115
Instruction Fuzzy Hash: 8A21D1B18013458FDB21CFA9C945B9EBFF8FB45314F14886AD54AB7201C738A904CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 01943EB8, Relevance: 1.8, APIs: 1, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.550000663.0000000001940000.00000040.00000001.sdmp, Offset: 01940000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4090383a74febf20ed0f8a1e2e81cafbc0aec6acdbad952e211f7599cb805943
Instruction ID: f621e7365f7dadcd746a3ae0d573a900f4cc5f04f6aa0d8b289fc696a91347d2
Opcode Fuzzy Hash: 4090383a74febf20ed0f8a1e2e81cafbc0aec6acdbad952e211f7599cb805943
Instruction Fuzzy Hash: DFA15C70B006018FDB14EF79D894A6EBBF6FF98204B148A6DD50ACB755DB34EC068B90

Uniqueness

Uniqueness Score: -1.00%

Function 0194516F, Relevance: 1.7, APIs: 1, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.550000663.0000000001940000.00000040.00000001.sdmp, Offset: 01940000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40f8ce1072287125c54499e40e0eca236f6ec1b34bab01e63c8aabfd3b8e442
Instruction ID: 4ffb77505c783470d12425dc48681b75c659df3fd10def7647f0fb94cf279bd8
Opcode Fuzzy Hash: c40f8ce1072287125c54499e40e0eca236f6ec1b34bab01e63c8aabfd3b8e442
Instruction Fuzzy Hash: 0B6112B1C04249AFDF16CFA9C844ACDBFB5BF49314F19816AE908AB221D3759845CF51

Uniqueness

Uniqueness Score: -1.00%

Function 019451F0, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 01945302

Memory Dump Source

Source File: 0000000A.00000002.550000663.0000000001940000.00000040.00000001.sdmp, Offset: 01940000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7a4e687f509174f5fcc566e26d72ca974c2843dec45c384067dddfb756529f72
Instruction ID: 0094976fcdb0a112162f0f0e3b8aeb52a6eda9339c18cb2e6d6488e0d691a9c4
Opcode Fuzzy Hash: 7a4e687f509174f5fcc566e26d72ca974c2843dec45c384067dddfb756529f72
Instruction Fuzzy Hash: 3C41BDB1D00308DFEF14CF99C884ADEBBB5BF88314F25852AE919AB210D7B49845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 019469C4, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 01947D61

Memory Dump Source

Source File: 0000000A.00000002.550000663.0000000001940000.00000040.00000001.sdmp, Offset: 01940000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 5821535521bd050524259012b3003f8bdac60ad4c40f31042423205f2450a045
Instruction ID: 9b0c55c5c9f20080d8cdda6927a7fce244640442f8679a6aa6c242c8cc54f308
Opcode Fuzzy Hash: 5821535521bd050524259012b3003f8bdac60ad4c40f31042423205f2450a045
Instruction Fuzzy Hash: 14411BB59103099FCB18CF99C448EAAFBF9FF88314F248859D559A7321D774A845CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01946DD3, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01946E5F

Memory Dump Source

Source File: 0000000A.00000002.550000663.0000000001940000.00000040.00000001.sdmp, Offset: 01940000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ed47191d97534fccefb45fa28aa04ad76651bc43eb206257d542493ecfdd4c9d
Instruction ID: 02ef7721c8d025eb0d142cad6e3be9a2428d4d41a26431ce0df0abd2b7749272
Opcode Fuzzy Hash: ed47191d97534fccefb45fa28aa04ad76651bc43eb206257d542493ecfdd4c9d
Instruction Fuzzy Hash: E721C4B5900248AFDB10CFA9D984ADEFFF9EB48324F14841AE918A7350D774A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01946DD8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01946E5F

Memory Dump Source

Source File: 0000000A.00000002.550000663.0000000001940000.00000040.00000001.sdmp, Offset: 01940000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9b6483fc4a70f40d0647a9464bfdfc945296bdb4686088513ca47b9776a92d88
Instruction ID: 29abe8b9c04dc2542c837750bdc8b7bf05abe37c57bb8860cc45c2d0675fd91e
Opcode Fuzzy Hash: 9b6483fc4a70f40d0647a9464bfdfc945296bdb4686088513ca47b9776a92d88
Instruction Fuzzy Hash: 1721C4B59002489FDB10CFA9D984ADEFFF8EB48324F14841AE918A7310D774A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01942F78, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01944276

Memory Dump Source

Source File: 0000000A.00000002.550000663.0000000001940000.00000040.00000001.sdmp, Offset: 01940000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 12a663ee77f684a3edcee124fcba932ce6e761e02526ce56852dfecdf951338e
Instruction ID: e1256b489e798b3aed573ae428e8148a655a455b6e1a2088ee29e721509d5078
Opcode Fuzzy Hash: 12a663ee77f684a3edcee124fcba932ce6e761e02526ce56852dfecdf951338e
Instruction Fuzzy Hash: A32164B1C003488FCB10CF9AD444BDEFBF8EF89224F14886AD569A7600C378A445CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0194BDD8, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0194BE52

Memory Dump Source

Source File: 0000000A.00000002.550000663.0000000001940000.00000040.00000001.sdmp, Offset: 01940000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 06953838c23529343575bfae076b327044a264c3fbf473e86b0ce88f3e92260b
Instruction ID: e9367173cb37915bd78cfcdf977a96504cf7c531aba9d6d3936e392c2ba4d286
Opcode Fuzzy Hash: 06953838c23529343575bfae076b327044a264c3fbf473e86b0ce88f3e92260b
Instruction Fuzzy Hash: EC117F719013498FDB20DFA9C949B9EBFF8FB44314F108829D50AB3640C779A904CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01942F8C, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01944276

Memory Dump Source

Source File: 0000000A.00000002.550000663.0000000001940000.00000040.00000001.sdmp, Offset: 01940000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9a3780166556199598e609c1aefe6291abe0a734b975a948e5ca2f6ed3fd820b
Instruction ID: d06a650c45516e1ffac38c49f015c50fdf7c95230c3a99724f6ad3c02c220d27
Opcode Fuzzy Hash: 9a3780166556199598e609c1aefe6291abe0a734b975a948e5ca2f6ed3fd820b
Instruction Fuzzy Hash: 1F11F0B5C006498FDB14CF9AD444BDEFBF8AB88224F14892AD529B7600C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0194420B, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01944276

Memory Dump Source

Source File: 0000000A.00000002.550000663.0000000001940000.00000040.00000001.sdmp, Offset: 01940000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 65a7516089f318899ebb2c719c28b8217837d7a7fdea9bf3409b5a665e9eafca
Instruction ID: b9f640b529ad4f557eef9e07af145f232b79d18b8fd88f54f017e7b3085f74f1
Opcode Fuzzy Hash: 65a7516089f318899ebb2c719c28b8217837d7a7fdea9bf3409b5a665e9eafca
Instruction Fuzzy Hash: 611102B5C006498FDB14CF9AC844BDEFBF8AB88224F14852AD529B7600C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 019441E0, Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01944276

Memory Dump Source

Source File: 0000000A.00000002.550000663.0000000001940000.00000040.00000001.sdmp, Offset: 01940000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a3ba91ee504e26254350072e2d60c3b2f51a2531b9a9b35d007881624215ed65
Instruction ID: b19480519d2edd214b6215596db217d030e8066b73f7a1235558e90509ed931c
Opcode Fuzzy Hash: a3ba91ee504e26254350072e2d60c3b2f51a2531b9a9b35d007881624215ed65
Instruction Fuzzy Hash: 8C01A9B28006808FDB24CF8AD4003C9BFE0EF99229F28869AC05CAB212D3349056CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0168D450, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.548810792.000000000168D000.00000040.00000001.sdmp, Offset: 0168D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 935d3512d3968a0b392bc1e43a005b152a3a00a94983db6aa860113b2c0a667b
Instruction ID: f6eba0143af37cd26828e5b6ded70d45af1941775a1a9e7fe9f1c30ff409d905
Opcode Fuzzy Hash: 935d3512d3968a0b392bc1e43a005b152a3a00a94983db6aa860113b2c0a667b
Instruction Fuzzy Hash: 0A210671504244DFDB11EF98DDC0B67BB65FB88328F2486A9D9050B386C336E856CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0169D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.548943371.000000000169D000.00000040.00000001.sdmp, Offset: 0169D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c23b72af73986fd9b1a80a9024af8b7ff47073a0b7544969d533d073caad9695
Instruction ID: a6ea60f4793f7ea27c38336632f499fb017eb75b526e408eab40e07ea05941e6
Opcode Fuzzy Hash: c23b72af73986fd9b1a80a9024af8b7ff47073a0b7544969d533d073caad9695
Instruction Fuzzy Hash: AB210071504200DFDF15CFA8D9C4B26BBA9FB84364F24C9B9D80A0B386C73AD847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0169D006, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.548943371.000000000169D000.00000040.00000001.sdmp, Offset: 0169D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f1fb43de83da262ed7db0e5a11931ca68aa3847bddc4e8a620e37ad5e08ae93
Instruction ID: 55b3f8c1fda1efc0d48dbddbb4befefeeb21de48f9638dc3290c4c51fc38e5b7
Opcode Fuzzy Hash: 3f1fb43de83da262ed7db0e5a11931ca68aa3847bddc4e8a620e37ad5e08ae93
Instruction Fuzzy Hash: E82180754083809FDB02CF54D994B11BFB5EB46314F24C5AAD8498B2A7C33A9846CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0168D44B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.548810792.000000000168D000.00000040.00000001.sdmp, Offset: 0168D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26050ac9a710059c9b477200a138371d2ae940eb4f2ea16139302a11668e0a51
Instruction ID: f957f3f71248d824a1a71dd72212cfba6887bdb2304af01e2bfbb00591f77802
Opcode Fuzzy Hash: 26050ac9a710059c9b477200a138371d2ae940eb4f2ea16139302a11668e0a51
Instruction Fuzzy Hash: 3611B176404280CFDB12DF54D9C4B16BF71FB88328F2486AAD8090B757C336D55ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report kutipan langsung.14.10.2021.xlxs.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Code Manipulations

Statistics

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre