Play interactive tour

Edit tour

Windows Analysis Report order - 922 - LongWay..exe

Overview

General Information

Sample Name:	order - 922 - LongWay..exe
Analysis ID:	553165
MD5:	b94edbaae4beeb37eaeaf525c8790cc9
SHA1:	6cf025acfd20344db3fdbb718ea2e9cfcce0285a
SHA256:	3cbf94c22af49ad9be152750428263c826c9b020036a0321f10f9fe2eed6ae52
Tags:	agentteslaexe
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Multi AV Scanner detection for dropped file

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Modifies the hosts file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

Machine Learning detection for dropped file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Yara detected Credential Stealer

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

order - 922 - LongWay..exe (PID: 7140 cmdline: "C:\Users\user\Desktop\order - 922 - LongWay..exe" MD5: B94EDBAAE4BEEB37EAEAF525C8790CC9)

order - 922 - LongWay..exe (PID: 4864 cmdline: C:\Users\user\Desktop\order - 922 - LongWay..exe MD5: B94EDBAAE4BEEB37EAEAF525C8790CC9)

order - 922 - LongWay..exe (PID: 6580 cmdline: C:\Users\user\Desktop\order - 922 - LongWay..exe MD5: B94EDBAAE4BEEB37EAEAF525C8790CC9)

tKZVPq.exe (PID: 6964 cmdline: "C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe" MD5: B94EDBAAE4BEEB37EAEAF525C8790CC9)

tKZVPq.exe (PID: 6872 cmdline: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe MD5: B94EDBAAE4BEEB37EAEAF525C8790CC9)

tKZVPq.exe (PID: 6156 cmdline: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe MD5: B94EDBAAE4BEEB37EAEAF525C8790CC9)

tKZVPq.exe (PID: 6172 cmdline: "C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe" MD5: B94EDBAAE4BEEB37EAEAF525C8790CC9)

tKZVPq.exe (PID: 6040 cmdline: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe MD5: B94EDBAAE4BEEB37EAEAF525C8790CC9)

tKZVPq.exe (PID: 2832 cmdline: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe MD5: B94EDBAAE4BEEB37EAEAF525C8790CC9)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "finance@demo.jeninfo.com", "Password": "%e&qapQ3oNkx", "Host": "mail.demo.jeninfo.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000A.00000002.799658380.0000000002E51000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000010.00000000.791237614.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000000.791237614.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000A.00000002.799756430.0000000002E99000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000002.940918607.00000000029B1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.940918607.00000000029B1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000000.691336460.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000000.691336460.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000010.00000002.937803830.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000002.937803830.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000010.00000000.792245858.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000000.792245858.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000000.690833307.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000000.690833307.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.694349037.0000000003F99000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.694349037.0000000003F99000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000010.00000002.940497927.0000000002BC1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000002.940497927.0000000002BC1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000000.794380276.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000000.794380276.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000002.937763339.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.937763339.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000010.00000000.793098302.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000000.793098302.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000000.690098955.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000000.690098955.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000A.00000002.800614481.0000000003E59000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.800614481.0000000003E59000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.693824370.0000000002F91000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000000.689627196.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000000.689627196.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000F.00000002.804574549.0000000003609000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000F.00000002.804574549.0000000003609000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.693874329.0000000002FD9000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000F.00000002.803757871.0000000002601000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: order - 922 - LongWay..exe PID: 7140	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: order - 922 - LongWay..exe PID: 7140	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: order - 922 - LongWay..exe PID: 6580	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: order - 922 - LongWay..exe PID: 6580	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: tKZVPq.exe PID: 6964	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: tKZVPq.exe PID: 6964	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: tKZVPq.exe PID: 6172	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: tKZVPq.exe PID: 6172	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: tKZVPq.exe PID: 6156	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: tKZVPq.exe PID: 6156	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 40 entries

Unpacked PEs

Source	Rule	Description	Author
10.2.tKZVPq.exe.3ee9a10.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.tKZVPq.exe.3ee9a10.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.order - 922 - LongWay..exe.2fc78a8.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
5.0.order - 922 - LongWay..exe.400000.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.0.order - 922 - LongWay..exe.400000.8.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.0.order - 922 - LongWay..exe.400000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.0.order - 922 - LongWay..exe.400000.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
16.0.tKZVPq.exe.400000.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
16.0.tKZVPq.exe.400000.8.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
15.2.tKZVPq.exe.36637f0.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
15.2.tKZVPq.exe.36637f0.5.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
16.0.tKZVPq.exe.400000.12.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
16.0.tKZVPq.exe.400000.12.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
10.2.tKZVPq.exe.2e878a4.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
10.2.tKZVPq.exe.2e7f898.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.order - 922 - LongWay..exe.3ff37f0.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.order - 922 - LongWay..exe.3ff37f0.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.order - 922 - LongWay..exe.4029a10.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.order - 922 - LongWay..exe.4029a10.5.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
15.2.tKZVPq.exe.3699a10.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
15.2.tKZVPq.exe.3699a10.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
10.2.tKZVPq.exe.3eb37f0.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.tKZVPq.exe.3eb37f0.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
16.2.tKZVPq.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
16.2.tKZVPq.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
15.2.tKZVPq.exe.26378a4.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
16.0.tKZVPq.exe.400000.10.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
16.0.tKZVPq.exe.400000.10.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.0.order - 922 - LongWay..exe.400000.12.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.0.order - 922 - LongWay..exe.400000.12.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.0.order - 922 - LongWay..exe.400000.10.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.0.order - 922 - LongWay..exe.400000.10.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
16.0.tKZVPq.exe.400000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
16.0.tKZVPq.exe.400000.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.order - 922 - LongWay..exe.2fbf89c.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
5.0.order - 922 - LongWay..exe.400000.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.0.order - 922 - LongWay..exe.400000.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.order - 922 - LongWay..exe.3006700.3.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
16.0.tKZVPq.exe.400000.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
16.0.tKZVPq.exe.400000.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
15.2.tKZVPq.exe.262f898.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
5.2.order - 922 - LongWay..exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.order - 922 - LongWay..exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
10.2.tKZVPq.exe.2ec66f0.3.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
10.2.tKZVPq.exe.3ee9a10.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.tKZVPq.exe.3ee9a10.4.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
15.2.tKZVPq.exe.3699a10.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
15.2.tKZVPq.exe.3699a10.4.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
15.2.tKZVPq.exe.36637f0.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
15.2.tKZVPq.exe.36637f0.5.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.order - 922 - LongWay..exe.3ff37f0.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.order - 922 - LongWay..exe.3ff37f0.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
10.2.tKZVPq.exe.3eb37f0.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.tKZVPq.exe.3eb37f0.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.order - 922 - LongWay..exe.4029a10.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.order - 922 - LongWay..exe.4029a10.5.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 51 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 5.0.order - 922 - LongWay..exe.400000.4.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "finance@demo.jeninfo.com", "Password": "%e&qapQ3oNkx", "Host": "mail.demo.jeninfo.com"}

Multi AV Scanner detection for submitted file

Show sources

Source: order - 922 - LongWay..exe

ReversingLabs: Detection: 18%

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe

ReversingLabs: Detection: 18%

Machine Learning detection for sample

Show sources

Source: order - 922 - LongWay..exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe

Joe Sandbox ML: detected

Source: 5.0.order - 922 - LongWay..exe.400000.4.unpack	Avira: Label: TR/Spy.Gen8
Source: 5.0.order - 922 - LongWay..exe.400000.8.unpack	Avira: Label: TR/Spy.Gen8
Source: 16.0.tKZVPq.exe.400000.8.unpack	Avira: Label: TR/Spy.Gen8
Source: 16.0.tKZVPq.exe.400000.12.unpack	Avira: Label: TR/Spy.Gen8
Source: 5.0.order - 922 - LongWay..exe.400000.10.unpack	Avira: Label: TR/Spy.Gen8
Source: 16.2.tKZVPq.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 16.0.tKZVPq.exe.400000.10.unpack	Avira: Label: TR/Spy.Gen8
Source: 5.0.order - 922 - LongWay..exe.400000.12.unpack	Avira: Label: TR/Spy.Gen8
Source: 16.0.tKZVPq.exe.400000.4.unpack	Avira: Label: TR/Spy.Gen8
Source: 5.0.order - 922 - LongWay..exe.400000.6.unpack	Avira: Label: TR/Spy.Gen8
Source: 16.0.tKZVPq.exe.400000.6.unpack	Avira: Label: TR/Spy.Gen8
Source: 5.2.order - 922 - LongWay..exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8

Source: order - 922 - LongWay..exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: order - 922 - LongWay..exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: IAssemblyEn.pdb source: tKZVPq.exe, tKZVPq.exe, 0000000B.00000000.778393250.00000000001F0000.00000002.00020000.sdmp, tKZVPq.exe, 0000000F.00000000.784812010.0000000000250000.00000002.00020000.sdmp, tKZVPq.exe, 00000010.00000002.938319196.0000000000670000.00000002.00020000.sdmp, tKZVPq.exe, 00000011.00000000.796641075.0000000000230000.00000002.00020000.sdmp, tKZVPq.exe, 00000012.00000000.801051583.00000000001B0000.00000002.00020000.sdmp, order - 922 - LongWay..exe, tKZVPq.exe.5.dr

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49836 -> 103.195.185.115:587

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: Joe Sandbox View	IP Address: 103.195.185.115 103.195.185.115
Source: Joe Sandbox View	IP Address: 103.195.185.115 103.195.185.115

Source: global traffic

TCP traffic: 192.168.2.4:49836 -> 103.195.185.115:587

Source: global traffic

TCP traffic: 192.168.2.4:49836 -> 103.195.185.115:587

Source: order - 922 - LongWay..exe, 00000005.00000002.940918607.00000000029B1000.00000004.00000001.sdmp, tKZVPq.exe, 00000010.00000002.940497927.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: tKZVPq.exe, 00000010.00000002.940497927.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: http://BmacPT.com
Source: tKZVPq.exe, 00000010.00000002.940497927.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: order - 922 - LongWay..exe, 00000005.00000002.942341689.0000000002D19000.00000004.00000001.sdmp	String found in binary or memory: http://demo.jeninfo.com
Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: order - 922 - LongWay..exe, 00000005.00000002.942341689.0000000002D19000.00000004.00000001.sdmp	String found in binary or memory: http://mail.demo.jeninfo.com
Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: order - 922 - LongWay..exe, 00000005.00000002.942341689.0000000002D19000.00000004.00000001.sdmp, order - 922 - LongWay..exe, 00000005.00000003.900788964.0000000000B04000.00000004.00000001.sdmp	String found in binary or memory: http://zBBI0wGzrhieBOwCO9P.net
Source: order - 922 - LongWay..exe, 00000000.00000002.694349037.0000000003F99000.00000004.00000001.sdmp, order - 922 - LongWay..exe, 00000005.00000000.691336460.0000000000402000.00000040.00000001.sdmp, order - 922 - LongWay..exe, 00000005.00000000.689627196.0000000000402000.00000040.00000001.sdmp, tKZVPq.exe, 0000000A.00000002.800614481.0000000003E59000.00000004.00000001.sdmp, tKZVPq.exe, 0000000F.00000002.804574549.0000000003609000.00000004.00000001.sdmp, tKZVPq.exe, 00000010.00000000.791237614.0000000000402000.00000040.00000001.sdmp, tKZVPq.exe, 00000010.00000002.937803830.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: order - 922 - LongWay..exe, 00000005.00000002.940918607.00000000029B1000.00000004.00000001.sdmp, tKZVPq.exe, 00000010.00000002.940497927.0000000002BC1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown

DNS traffic detected: queries for: mail.demo.jeninfo.com

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file

Show sources

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

System Summary:

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: order - 922 - LongWay..exe

.NET source code contains very large array initializations

Show sources

Source: 5.0.order - 922 - LongWay..exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007bC54C654Du002d1F0Bu002d446Bu002dAC5Du002d65F74970AA45u007d/B2F568B2u002d973Eu002d45AEu002dA54Fu002d2E80459E8E64.cs	Large array initialization: .cctor: array initializer size 11940
Source: 5.0.order - 922 - LongWay..exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007bC54C654Du002d1F0Bu002d446Bu002dAC5Du002d65F74970AA45u007d/B2F568B2u002d973Eu002d45AEu002dA54Fu002d2E80459E8E64.cs	Large array initialization: .cctor: array initializer size 11940

Source: order - 922 - LongWay..exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Code function: 0_2_0154C974	0_2_0154C974
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Code function: 0_2_0154EDB8	0_2_0154EDB8
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Code function: 0_2_0154EDA8	0_2_0154EDA8
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Code function: 0_2_075E2A98	0_2_075E2A98
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Code function: 0_2_075EC078	0_2_075EC078
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Code function: 5_2_00BA11E2	5_2_00BA11E2
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Code function: 5_2_00BA1140	5_2_00BA1140
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Code function: 5_2_00BA9BF0	5_2_00BA9BF0
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Code function: 5_2_00BA5D38	5_2_00BA5D38
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Code function: 5_2_00BA6479	5_2_00BA6479
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Code function: 5_2_00BA6578	5_2_00BA6578
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Code function: 5_2_00C07100	5_2_00C07100
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Code function: 5_2_00C059E0	5_2_00C059E0
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Code function: 5_2_00C0BC68	5_2_00C0BC68
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Code function: 5_2_00C847A0	5_2_00C847A0
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Code function: 5_2_00C83CCC	5_2_00C83CCC
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Code function: 5_2_00C84790	5_2_00C84790
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Code function: 5_2_00C84772	5_2_00C84772
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Code function: 5_2_00C85490	5_2_00C85490
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Code function: 10_2_0140C974	10_2_0140C974
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Code function: 10_2_0140EDB3	10_2_0140EDB3
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Code function: 10_2_0140EDB8	10_2_0140EDB8
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Code function: 10_2_08A72A98	10_2_08A72A98
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Code function: 10_2_08A7BEFC	10_2_08A7BEFC

Source: order - 922 - LongWay..exe	Binary or memory string: OriginalFilename vs order - 922 - LongWay..exe
Source: order - 922 - LongWay..exe, 00000000.00000002.694349037.0000000003F99000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameFyKnTqyFcfLHrgHTrTGrmHWnBuhJPDMQ.exe4 vs order - 922 - LongWay..exe
Source: order - 922 - LongWay..exe, 00000000.00000002.694349037.0000000003F99000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs order - 922 - LongWay..exe
Source: order - 922 - LongWay..exe, 00000000.00000002.692736168.0000000000B60000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIAssemblyEn.exe0 vs order - 922 - LongWay..exe
Source: order - 922 - LongWay..exe, 00000000.00000002.693824370.0000000002F91000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameFyKnTqyFcfLHrgHTrTGrmHWnBuhJPDMQ.exe4 vs order - 922 - LongWay..exe
Source: order - 922 - LongWay..exe, 00000000.00000002.697257201.0000000007460000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs order - 922 - LongWay..exe
Source: order - 922 - LongWay..exe	Binary or memory string: OriginalFilename vs order - 922 - LongWay..exe
Source: order - 922 - LongWay..exe, 00000004.00000000.684955126.0000000000130000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIAssemblyEn.exe0 vs order - 922 - LongWay..exe
Source: order - 922 - LongWay..exe	Binary or memory string: OriginalFilename vs order - 922 - LongWay..exe
Source: order - 922 - LongWay..exe, 00000005.00000000.687068836.00000000004E0000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIAssemblyEn.exe0 vs order - 922 - LongWay..exe
Source: order - 922 - LongWay..exe, 00000005.00000000.691336460.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameFyKnTqyFcfLHrgHTrTGrmHWnBuhJPDMQ.exe4 vs order - 922 - LongWay..exe
Source: order - 922 - LongWay..exe, 00000005.00000002.938235618.00000000008F8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs order - 922 - LongWay..exe
Source: order - 922 - LongWay..exe, 00000005.00000002.939413626.0000000000CAA000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs order - 922 - LongWay..exe
Source: order - 922 - LongWay..exe	Binary or memory string: OriginalFilenameIAssemblyEn.exe0 vs order - 922 - LongWay..exe

Source: order - 922 - LongWay..exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: tKZVPq.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: order - 922 - LongWay..exe

ReversingLabs: Detection: 18%

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe

File read: C:\Users\user\Desktop\order - 922 - LongWay..exe

Jump to behavior

Source: order - 922 - LongWay..exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\order - 922 - LongWay..exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@15/5@2/1

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: 5.0.order - 922 - LongWay..exe.400000.4.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.order - 922 - LongWay..exe.400000.4.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.order - 922 - LongWay..exe.400000.8.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.order - 922 - LongWay..exe.400000.8.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: order - 922 - LongWay..exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: order - 922 - LongWay..exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: order - 922 - LongWay..exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: order - 922 - LongWay..exe, aL/Jj.cs	.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.order - 922 - LongWay..exe.b50000.0.unpack, aL/Jj.cs	.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.order - 922 - LongWay..exe.b50000.0.unpack, aL/Jj.cs	.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.order - 922 - LongWay..exe.120000.0.unpack, aL/Jj.cs	.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.order - 922 - LongWay..exe.120000.1.unpack, aL/Jj.cs	.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.order - 922 - LongWay..exe.120000.3.unpack, aL/Jj.cs	.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.order - 922 - LongWay..exe.120000.0.unpack, aL/Jj.cs	.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.order - 922 - LongWay..exe.120000.2.unpack, aL/Jj.cs	.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: tKZVPq.exe.5.dr, aL/Jj.cs	.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.order - 922 - LongWay..exe.4d0000.1.unpack, aL/Jj.cs	.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.order - 922 - LongWay..exe.4d0000.11.unpack, aL/Jj.cs	.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.order - 922 - LongWay..exe.4d0000.3.unpack, aL/Jj.cs	.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.order - 922 - LongWay..exe.4d0000.5.unpack, aL/Jj.cs	.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.order - 922 - LongWay..exe.4d0000.0.unpack, aL/Jj.cs	.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.order - 922 - LongWay..exe.4d0000.7.unpack, aL/Jj.cs	.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.order - 922 - LongWay..exe.4d0000.2.unpack, aL/Jj.cs	.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.order - 922 - LongWay..exe.4d0000.1.unpack, aL/Jj.cs	.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

.NET source code contains method to dynamically call methods (often used by packers)

Show sources

Source: order - 922 - LongWay..exe, aL/Jj.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
Source: 0.0.order - 922 - LongWay..exe.b50000.0.unpack, aL/Jj.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
Source: 0.2.order - 922 - LongWay..exe.b50000.0.unpack, aL/Jj.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
Source: 4.2.order - 922 - LongWay..exe.120000.0.unpack, aL/Jj.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
Source: 4.0.order - 922 - LongWay..exe.120000.1.unpack, aL/Jj.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
Source: 4.0.order - 922 - LongWay..exe.120000.3.unpack, aL/Jj.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
Source: 4.0.order - 922 - LongWay..exe.120000.0.unpack, aL/Jj.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
Source: 4.0.order - 922 - LongWay..exe.120000.2.unpack, aL/Jj.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
Source: tKZVPq.exe.5.dr, aL/Jj.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
Source: 5.2.order - 922 - LongWay..exe.4d0000.1.unpack, aL/Jj.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
Source: 5.0.order - 922 - LongWay..exe.4d0000.11.unpack, aL/Jj.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
Source: 5.0.order - 922 - LongWay..exe.4d0000.3.unpack, aL/Jj.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
Source: 5.0.order - 922 - LongWay..exe.4d0000.5.unpack, aL/Jj.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
Source: 5.0.order - 922 - LongWay..exe.4d0000.0.unpack, aL/Jj.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
Source: 5.0.order - 922 - LongWay..exe.4d0000.7.unpack, aL/Jj.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
Source: 5.0.order - 922 - LongWay..exe.4d0000.2.unpack, aL/Jj.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
Source: 5.0.order - 922 - LongWay..exe.4d0000.1.unpack, aL/Jj.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Code function: 5_2_00C86B2F push ebx; retn 0000h	5_2_00C86B3A
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Code function: 10_2_0140400B push edi; iretd	10_2_01404012
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Code function: 10_2_01409268 pushfd ; iretd	10_2_014094BA
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Code function: 10_2_014094BB pushfd ; iretd	10_2_014094C2
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Code function: 10_2_01403F11 push ebx; iretd	10_2_01403F12

Source: initial sample	Static PE information: section name: .text entropy: 7.23077923156
Source: initial sample	Static PE information: section name: .text entropy: 7.23077923156

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe

File created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe

Jump to dropped file

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run tKZVPq			Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run tKZVPq			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe

File opened: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 0.2.order - 922 - LongWay..exe.2fc78a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tKZVPq.exe.2e878a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tKZVPq.exe.2e7f898.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.tKZVPq.exe.26378a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order - 922 - LongWay..exe.2fbf89c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order - 922 - LongWay..exe.3006700.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.tKZVPq.exe.262f898.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tKZVPq.exe.2ec66f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.799658380.0000000002E51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.799756430.0000000002E99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.693824370.0000000002F91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.693874329.0000000002FD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.803757871.0000000002601000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: order - 922 - LongWay..exe PID: 7140, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tKZVPq.exe PID: 6964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tKZVPq.exe PID: 6172, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: order - 922 - LongWay..exe, 00000000.00000002.693874329.0000000002FD9000.00000004.00000001.sdmp, order - 922 - LongWay..exe, 00000000.00000002.693824370.0000000002F91000.00000004.00000001.sdmp, tKZVPq.exe, 0000000A.00000002.799658380.0000000002E51000.00000004.00000001.sdmp, tKZVPq.exe, 0000000A.00000002.799756430.0000000002E99000.00000004.00000001.sdmp, tKZVPq.exe, 0000000F.00000002.803757871.0000000002601000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: order - 922 - LongWay..exe, 00000000.00000002.693874329.0000000002FD9000.00000004.00000001.sdmp, order - 922 - LongWay..exe, 00000000.00000002.693824370.0000000002F91000.00000004.00000001.sdmp, tKZVPq.exe, 0000000A.00000002.799658380.0000000002E51000.00000004.00000001.sdmp, tKZVPq.exe, 0000000A.00000002.799756430.0000000002E99000.00000004.00000001.sdmp, tKZVPq.exe, 0000000F.00000002.803757871.0000000002601000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe TID: 7144	Thread sleep time: -37263s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe TID: 2224	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe TID: 4344	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe TID: 6664	Thread sleep count: 1671 > 30	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe TID: 6664	Thread sleep count: 8176 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe TID: 6848	Thread sleep time: -33761s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe TID: 7012	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe TID: 6164	Thread sleep time: -39612s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe TID: 5468	Thread sleep time: -17524406870024063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe TID: 5332	Thread sleep count: 7200 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe TID: 5332	Thread sleep count: 2650 > 30	Jump to behavior

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Window / User API: threadDelayed 1671	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Window / User API: threadDelayed 8176	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Window / User API: threadDelayed 7200	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Window / User API: threadDelayed 2650	Jump to behavior

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Thread delayed: delay time: 37263	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Thread delayed: delay time: 33761	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Thread delayed: delay time: 39612	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: tKZVPq.exe, 0000000F.00000002.803757871.0000000002601000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: tKZVPq.exe, 0000000F.00000002.803757871.0000000002601000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: tKZVPq.exe, 0000000F.00000002.803757871.0000000002601000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: order - 922 - LongWay..exe, 00000005.00000002.939551842.0000000000D1D000.00000004.00000020.sdmp, order - 922 - LongWay..exe, 00000005.00000003.930537502.0000000000D65000.00000004.00000001.sdmp, order - 922 - LongWay..exe, 00000005.00000003.930391489.0000000000D65000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: tKZVPq.exe, 0000000F.00000002.803757871.0000000002601000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe

Code function: 5_2_00BAB158 LdrInitializeThunk,

5_2_00BAB158

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Modifies the hosts file

Show sources

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Memory written: C:\Users\user\Desktop\order - 922 - LongWay..exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Memory written: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process created: C:\Users\user\Desktop\order - 922 - LongWay..exe C:\Users\user\Desktop\order - 922 - LongWay..exe	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Process created: C:\Users\user\Desktop\order - 922 - LongWay..exe C:\Users\user\Desktop\order - 922 - LongWay..exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Jump to behavior

Source: order - 922 - LongWay..exe, 00000005.00000002.940159154.0000000001300000.00000002.00020000.sdmp, tKZVPq.exe, 00000010.00000002.939940128.00000000015D0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: order - 922 - LongWay..exe, 00000005.00000002.940159154.0000000001300000.00000002.00020000.sdmp, tKZVPq.exe, 00000010.00000002.939940128.00000000015D0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: order - 922 - LongWay..exe, 00000005.00000002.940159154.0000000001300000.00000002.00020000.sdmp, tKZVPq.exe, 00000010.00000002.939940128.00000000015D0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: order - 922 - LongWay..exe, 00000005.00000002.940159154.0000000001300000.00000002.00020000.sdmp, tKZVPq.exe, 00000010.00000002.939940128.00000000015D0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Users\user\Desktop\order - 922 - LongWay..exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Users\user\Desktop\order - 922 - LongWay..exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Queries volume information: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Queries volume information: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Queries volume information: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file

Show sources

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 10.2.tKZVPq.exe.3ee9a10.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.order - 922 - LongWay..exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.order - 922 - LongWay..exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.tKZVPq.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.tKZVPq.exe.36637f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.tKZVPq.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order - 922 - LongWay..exe.3ff37f0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order - 922 - LongWay..exe.4029a10.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.tKZVPq.exe.3699a10.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tKZVPq.exe.3eb37f0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.tKZVPq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.tKZVPq.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.order - 922 - LongWay..exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.order - 922 - LongWay..exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.tKZVPq.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.order - 922 - LongWay..exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.tKZVPq.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.order - 922 - LongWay..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tKZVPq.exe.3ee9a10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.tKZVPq.exe.3699a10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.tKZVPq.exe.36637f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order - 922 - LongWay..exe.3ff37f0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tKZVPq.exe.3eb37f0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order - 922 - LongWay..exe.4029a10.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000000.791237614.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.691336460.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.937803830.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.792245858.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.690833307.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.694349037.0000000003F99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.794380276.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.937763339.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.793098302.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.690098955.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.800614481.0000000003E59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.689627196.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.804574549.0000000003609000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.940918607.00000000029B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.940497927.0000000002BC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: order - 922 - LongWay..exe PID: 7140, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: order - 922 - LongWay..exe PID: 6580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tKZVPq.exe PID: 6964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tKZVPq.exe PID: 6172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tKZVPq.exe PID: 6156, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Show sources

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\order - 922 - LongWay..exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match	File source: 00000005.00000002.940918607.00000000029B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.940497927.0000000002BC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: order - 922 - LongWay..exe PID: 6580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tKZVPq.exe PID: 6156, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 10.2.tKZVPq.exe.3ee9a10.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.order - 922 - LongWay..exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.order - 922 - LongWay..exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.tKZVPq.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.tKZVPq.exe.36637f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.tKZVPq.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order - 922 - LongWay..exe.3ff37f0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order - 922 - LongWay..exe.4029a10.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.tKZVPq.exe.3699a10.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tKZVPq.exe.3eb37f0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.tKZVPq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.tKZVPq.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.order - 922 - LongWay..exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.order - 922 - LongWay..exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.tKZVPq.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.order - 922 - LongWay..exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.tKZVPq.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.order - 922 - LongWay..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tKZVPq.exe.3ee9a10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.tKZVPq.exe.3699a10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.tKZVPq.exe.36637f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order - 922 - LongWay..exe.3ff37f0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tKZVPq.exe.3eb37f0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order - 922 - LongWay..exe.4029a10.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000000.791237614.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.691336460.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.937803830.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.792245858.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.690833307.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.694349037.0000000003F99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.794380276.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.937763339.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.793098302.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.690098955.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.800614481.0000000003E59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.689627196.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.804574549.0000000003609000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.940918607.00000000029B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.940497927.0000000002BC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: order - 922 - LongWay..exe PID: 7140, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: order - 922 - LongWay..exe PID: 6580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tKZVPq.exe PID: 6964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tKZVPq.exe PID: 6172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tKZVPq.exe PID: 6156, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Registry Run Keys / Startup Folder1	Process Injection112	File and Directory Permissions Modification1	OS Credential Dumping2	System Information Discovery114	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Disable or Modify Tools1	Credentials in Registry1	Query Registry1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Security Software Discovery311	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing23	LSA Secrets	Virtualization/Sandbox Evasion131	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading1	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion131	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection112	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
order - 922 - LongWay..exe	19%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
order - 922 - LongWay..exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe	19%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.0.order - 922 - LongWay..exe.400000.4.unpack	100%	Avira	TR/Spy.Gen8	Download File
5.0.order - 922 - LongWay..exe.400000.8.unpack	100%	Avira	TR/Spy.Gen8	Download File
16.0.tKZVPq.exe.400000.8.unpack	100%	Avira	TR/Spy.Gen8	Download File
16.0.tKZVPq.exe.400000.12.unpack	100%	Avira	TR/Spy.Gen8	Download File
5.0.order - 922 - LongWay..exe.400000.10.unpack	100%	Avira	TR/Spy.Gen8	Download File
16.2.tKZVPq.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
16.0.tKZVPq.exe.400000.10.unpack	100%	Avira	TR/Spy.Gen8	Download File
5.0.order - 922 - LongWay..exe.400000.12.unpack	100%	Avira	TR/Spy.Gen8	Download File
16.0.tKZVPq.exe.400000.4.unpack	100%	Avira	TR/Spy.Gen8	Download File
5.0.order - 922 - LongWay..exe.400000.6.unpack	100%	Avira	TR/Spy.Gen8	Download File
16.0.tKZVPq.exe.400000.6.unpack	100%	Avira	TR/Spy.Gen8	Download File
5.2.order - 922 - LongWay..exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://BmacPT.com	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://demo.jeninfo.com	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://mail.demo.jeninfo.com	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://zBBI0wGzrhieBOwCO9P.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
demo.jeninfo.com	103.195.185.115	true	true		unknown
mail.demo.jeninfo.com	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	order - 922 - LongWay..exe, 00000005.00000002.940918607.00000000029B1000.00000004.00000001.sdmp, tKZVPq.exe, 00000010.00000002.940497927.0000000002BC1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.apache.org/licenses/LICENSE-2.0	order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	false		high
http://DynDns.comDynDNS	tKZVPq.exe, 00000010.00000002.940497927.0000000002BC1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	order - 922 - LongWay..exe, 00000005.00000002.940918607.00000000029B1000.00000004.00000001.sdmp, tKZVPq.exe, 00000010.00000002.940497927.0000000002BC1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://BmacPT.com	tKZVPq.exe, 00000010.00000002.940497927.0000000002BC1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	false		high
http://www.tiro.com	order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://demo.jeninfo.com	order - 922 - LongWay..exe, 00000005.00000002.942341689.0000000002D19000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	false		high
http://mail.demo.jeninfo.com	order - 922 - LongWay..exe, 00000005.00000002.942341689.0000000002D19000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	order - 922 - LongWay..exe, 00000000.00000002.694349037.0000000003F99000.00000004.00000001.sdmp, order - 922 - LongWay..exe, 00000005.00000000.691336460.0000000000402000.00000040.00000001.sdmp, order - 922 - LongWay..exe, 00000005.00000000.689627196.0000000000402000.00000040.00000001.sdmp, tKZVPq.exe, 0000000A.00000002.800614481.0000000003E59000.00000004.00000001.sdmp, tKZVPq.exe, 0000000F.00000002.804574549.0000000003609000.00000004.00000001.sdmp, tKZVPq.exe, 00000010.00000000.791237614.0000000000402000.00000040.00000001.sdmp, tKZVPq.exe, 00000010.00000002.937803830.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe	unknown
http://zBBI0wGzrhieBOwCO9P.net	order - 922 - LongWay..exe, 00000005.00000002.942341689.0000000002D19000.00000004.00000001.sdmp, order - 922 - LongWay..exe, 00000005.00000003.900788964.0000000000B04000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.195.185.115	demo.jeninfo.com	India		394695	PUBLIC-DOMAIN-REGISTRYUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	553165
Start date:	14.01.2022
Start time:	12:20:20
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	order - 922 - LongWay..exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.winEXE@15/5@2/1
EGA Information:	Successful, ratio: 60%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 86 Number of non-executed functions: 5
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, s-ring.msedge.net, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, teams-ring.msedge.net, arc.msn.com, t-ring.msedge.net Execution Graph export aborted for target order - 922 - LongWay..exe, PID 4864 because there are no executed function Execution Graph export aborted for target tKZVPq.exe, PID 6872 because there are no executed function Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: order - 922 - LongWay..exe

Simulations

Behavior and APIs

Time	Type	Description
12:21:26	API Interceptor	721x Sleep call for process: order - 922 - LongWay..exe modified
12:21:57	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run tKZVPq C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
12:22:05	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run tKZVPq C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
12:22:08	API Interceptor	365x Sleep call for process: tKZVPq.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
103.195.185.115	http://pimpackaging.com/js/505.htm	Get hash	malicious	Browse	pimpackaging.com/js/favicon.ico
	14_output76EEB60.exe	Get hash	malicious	Browse	tikonainternetservices.co.in/assets/img/png/evif/fre.php
	56_outputFAF073F.exe	Get hash	malicious	Browse	tikonainternetservices.co.in/assets/img/png/evif/fre.php
	1jjjjjj_output513A770.exe	Get hash	malicious	Browse	tikonainternetservices.co.in/assets/img/png/evif/fre.php
	15rm_outputA1B309F.exe	Get hash	malicious	Browse	tikonainternetservices.co.in/assets/img/png/evif/fre.php
	http://www.wahathalwancontracting.com/Rechnungen/012019	Get hash	malicious	Browse	www.wahathalwancontracting.com/Rechnungen/012019/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	14073.pdf.exe	Get hash	malicious	Browse	208.91.199.224
	MSC INVOICE.exe	Get hash	malicious	Browse	208.91.199.225
	Purchase order. pdf...............exe	Get hash	malicious	Browse	204.11.58.87
	ihJ4eSV1of.exe	Get hash	malicious	Browse	199.79.62.173
	2m8MSMXDrk.exe	Get hash	malicious	Browse	208.91.199.223
	5ran1YfzyG.exe	Get hash	malicious	Browse	208.91.198.143
	Order.exe	Get hash	malicious	Browse	208.91.198.143
	MSC INVOICE.xlsx	Get hash	malicious	Browse	208.91.198.143
	PAYMENT.exe	Get hash	malicious	Browse	208.91.199.233
	epda.exe	Get hash	malicious	Browse	162.251.85.134
	Inquiry No- SEUAD31501TE9.xlsx	Get hash	malicious	Browse	208.91.199.224
	Bank Copy.exe	Get hash	malicious	Browse	208.91.199.223
	DHL 7538822557.exe	Get hash	malicious	Browse	208.91.199.224
	DHL 7594848433.exe	Get hash	malicious	Browse	208.91.199.223
	EPDA.exe	Get hash	malicious	Browse	162.251.85.134
	PO#1100010378.exe	Get hash	malicious	Browse	208.91.198.143
	DEBIT NOTE.exe	Get hash	malicious	Browse	162.251.85.134
	SWIFT COPY.exe	Get hash	malicious	Browse	208.91.199.233
	val-1340258608.xlsb	Get hash	malicious	Browse	119.18.58.80
	val-1340258608.xlsb	Get hash	malicious	Browse	119.18.58.80

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\order - 922 - LongWay..exe.log Download File
Process:	C:\Users\user\Desktop\order - 922 - LongWay..exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.345651901398759
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x847mE4P:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzQ
MD5:	A9EFF9253CAF99EC8665E41D736DDAED
SHA1:	D95BB4ABC856D774DA4602A59DE252B4BF560530
SHA-256:	DBC637B33F1F3CD1AB40AFED23F94C4571CA43621EBB52C5DC267DBDC52D4783
SHA-512:	96B67A84B750589BDB758224641065919F34BBF02BB286B9F5D566B48965A0E38FB88308B61351A6E11C46B76BFEC370FBC8B978A9F0F07A847567172D5CA5F3
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tKZVPq.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.345651901398759
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x847mE4P:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzQ
MD5:	A9EFF9253CAF99EC8665E41D736DDAED
SHA1:	D95BB4ABC856D774DA4602A59DE252B4BF560530
SHA-256:	DBC637B33F1F3CD1AB40AFED23F94C4571CA43621EBB52C5DC267DBDC52D4783
SHA-512:	96B67A84B750589BDB758224641065919F34BBF02BB286B9F5D566B48965A0E38FB88308B61351A6E11C46B76BFEC370FBC8B978A9F0F07A847567172D5CA5F3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Download File
Process:	C:\Users\user\Desktop\order - 922 - LongWay..exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	588800
Entropy (8bit):	7.220864968798315
Encrypted:	false
SSDEEP:	12288:cK777777777777N7WPHwXeuJov4caKgoYI2sGWJgzQ+5zFinIuv0gq:cK777777777777lWNqovPaKgoYOfe95E
MD5:	B94EDBAAE4BEEB37EAEAF525C8790CC9
SHA1:	6CF025ACFD20344DB3FDBB718EA2E9CFCCE0285A
SHA-256:	3CBF94C22AF49AD9BE152750428263C826C9B020036A0321F10F9FE2EED6AE52
SHA-512:	DBADA1291A160B5A74ABD861E422FC247A5641139E639F4BF25269785EF09DDA03B6DFF0DE673078E1B8856474E7F8363964F83F05E0B9DA443BE2E516348D45
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 19%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6.a................................. ... ....@.. .......................`............@.................................p...K.... .......................@......'................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......\f..........E.......+{............................................{...."..}.........{...."..}.........{...."..}.........{...."..}.........{...."..}........0.......... ........8.....9.... ....(....:....8....8....r...p.. ....8......(..... ........8.....(..... ........8....8....r...p.(...... ........8a.....(....9.... ........8G...8U...rC..p.(...... ........8'...85...rw..p.(...... ........8.....(.......(....:.... ........8....r...p.(.......(....:....~....8.....(

C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\order - 922 - LongWay..exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\System32\drivers\etc\hosts Download File
Process:	C:\Users\user\Desktop\order - 922 - LongWay..exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	846
Entropy (8bit):	4.712383132025728
Encrypted:	false
SSDEEP:	24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcB
MD5:	5B2D17233558878A82EE464D04F58B59
SHA1:	47EBFFCAD0B4C358DF0D6A06EF335CB6AAB0AB20
SHA-256:	5B036588BB4CAD3DE01DD04988AF705DA135D9F394755080CF9941444C09A542
SHA-512:	D2AEC9779EB8803514213A8E396B2F7C0B4A6F57DE1EE84E9DB0343EE5FF093E26BB70E0737A6681E21E88898EF5139969FF0B4B700CB6727979BD898FDBC85B
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1..127.0.0.1

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.220864968798315
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	order - 922 - LongWay..exe
File size:	588800
MD5:	b94edbaae4beeb37eaeaf525c8790cc9
SHA1:	6cf025acfd20344db3fdbb718ea2e9cfcce0285a
SHA256:	3cbf94c22af49ad9be152750428263c826c9b020036a0321f10f9fe2eed6ae52
SHA512:	dbada1291a160b5a74abd861e422fc247a5641139e639f4bf25269785ef09dda03b6dff0de673078e1b8856474e7f8363964f83f05e0b9da443be2e516348d45
SSDEEP:	12288:cK777777777777N7WPHwXeuJov4caKgoYI2sGWJgzQ+5zFinIuv0gq:cK777777777777lWNqovPaKgoYOfe95E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6.a................................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4910be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61E136E4 [Fri Jan 14 08:40:04 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x91070	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x92000	0x5d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x94000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x91027	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8f0c4	0x8f200	False	0.754344637009	data	7.23077923156	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x92000	0x5d4	0x600	False	0.432291666667	data	4.15450499836	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x94000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x920a0	0x346	data
RT_MANIFEST	0x923e8	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	2022 Tradewell
Assembly Version	22.0.0.0
InternalName	IAssemblyEn.exe
FileVersion	1.1.0.0
CompanyName	Tradewell ltd
LegalTrademarks
Comments	Purple Org
ProductName	Blaster
ProductVersion	1.1.0.0
FileDescription	Blaster
OriginalFilename	IAssemblyEn.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/14/22-12:23:21.061423	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49836	587	192.168.2.4	103.195.185.115

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2022 12:23:17.543920994 CET	49836	587	192.168.2.4	103.195.185.115
Jan 14, 2022 12:23:17.686952114 CET	587	49836	103.195.185.115	192.168.2.4
Jan 14, 2022 12:23:17.687144041 CET	49836	587	192.168.2.4	103.195.185.115
Jan 14, 2022 12:23:19.413824081 CET	587	49836	103.195.185.115	192.168.2.4
Jan 14, 2022 12:23:19.414210081 CET	49836	587	192.168.2.4	103.195.185.115
Jan 14, 2022 12:23:19.559987068 CET	587	49836	103.195.185.115	192.168.2.4
Jan 14, 2022 12:23:19.560966015 CET	49836	587	192.168.2.4	103.195.185.115
Jan 14, 2022 12:23:19.704035044 CET	587	49836	103.195.185.115	192.168.2.4
Jan 14, 2022 12:23:19.704602957 CET	49836	587	192.168.2.4	103.195.185.115
Jan 14, 2022 12:23:19.887617111 CET	587	49836	103.195.185.115	192.168.2.4
Jan 14, 2022 12:23:20.626800060 CET	587	49836	103.195.185.115	192.168.2.4
Jan 14, 2022 12:23:20.627672911 CET	49836	587	192.168.2.4	103.195.185.115
Jan 14, 2022 12:23:20.770514965 CET	587	49836	103.195.185.115	192.168.2.4
Jan 14, 2022 12:23:20.771007061 CET	49836	587	192.168.2.4	103.195.185.115
Jan 14, 2022 12:23:20.915868998 CET	587	49836	103.195.185.115	192.168.2.4
Jan 14, 2022 12:23:20.917112112 CET	49836	587	192.168.2.4	103.195.185.115
Jan 14, 2022 12:23:21.060069084 CET	587	49836	103.195.185.115	192.168.2.4
Jan 14, 2022 12:23:21.060147047 CET	587	49836	103.195.185.115	192.168.2.4
Jan 14, 2022 12:23:21.061423063 CET	49836	587	192.168.2.4	103.195.185.115
Jan 14, 2022 12:23:21.061635017 CET	49836	587	192.168.2.4	103.195.185.115
Jan 14, 2022 12:23:21.062443972 CET	49836	587	192.168.2.4	103.195.185.115
Jan 14, 2022 12:23:21.062560081 CET	49836	587	192.168.2.4	103.195.185.115
Jan 14, 2022 12:23:21.209837914 CET	587	49836	103.195.185.115	192.168.2.4
Jan 14, 2022 12:23:21.211560965 CET	587	49836	103.195.185.115	192.168.2.4
Jan 14, 2022 12:23:21.257317066 CET	49836	587	192.168.2.4	103.195.185.115

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2022 12:23:16.264816046 CET	56534	53	192.168.2.4	8.8.8.8
Jan 14, 2022 12:23:16.645492077 CET	53	56534	8.8.8.8	192.168.2.4
Jan 14, 2022 12:23:17.025857925 CET	56627	53	192.168.2.4	8.8.8.8
Jan 14, 2022 12:23:17.419145107 CET	53	56627	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 14, 2022 12:23:16.264816046 CET	192.168.2.4	8.8.8.8	0x1d69	Standard query (0)	mail.demo.jeninfo.com	A (IP address)	IN (0x0001)
Jan 14, 2022 12:23:17.025857925 CET	192.168.2.4	8.8.8.8	0x2c4f	Standard query (0)	mail.demo.jeninfo.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 14, 2022 12:23:16.645492077 CET	8.8.8.8	192.168.2.4	0x1d69	No error (0)	mail.demo.jeninfo.com	demo.jeninfo.com		CNAME (Canonical name)	IN (0x0001)
Jan 14, 2022 12:23:16.645492077 CET	8.8.8.8	192.168.2.4	0x1d69	No error (0)	demo.jeninfo.com		103.195.185.115	A (IP address)	IN (0x0001)
Jan 14, 2022 12:23:17.419145107 CET	8.8.8.8	192.168.2.4	0x2c4f	No error (0)	mail.demo.jeninfo.com	demo.jeninfo.com		CNAME (Canonical name)	IN (0x0001)
Jan 14, 2022 12:23:17.419145107 CET	8.8.8.8	192.168.2.4	0x2c4f	No error (0)	demo.jeninfo.com		103.195.185.115	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 14, 2022 12:23:19.413824081 CET	587	49836	103.195.185.115	192.168.2.4	220-bh-in-22.webhostbox.net ESMTP Exim 4.94.2 #2 Fri, 14 Jan 2022 11:23:19 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 14, 2022 12:23:19.414210081 CET	49836	587	192.168.2.4	103.195.185.115	EHLO 179605
Jan 14, 2022 12:23:19.559987068 CET	587	49836	103.195.185.115	192.168.2.4	250-bh-in-22.webhostbox.net Hello 179605 [84.17.52.18] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jan 14, 2022 12:23:19.560966015 CET	49836	587	192.168.2.4	103.195.185.115	AUTH login ZmluYW5jZUBkZW1vLmplbmluZm8uY29t
Jan 14, 2022 12:23:19.704035044 CET	587	49836	103.195.185.115	192.168.2.4	334 UGFzc3dvcmQ6
Jan 14, 2022 12:23:20.626800060 CET	587	49836	103.195.185.115	192.168.2.4	235 Authentication succeeded
Jan 14, 2022 12:23:20.627672911 CET	49836	587	192.168.2.4	103.195.185.115	MAIL FROM:<finance@demo.jeninfo.com>
Jan 14, 2022 12:23:20.770514965 CET	587	49836	103.195.185.115	192.168.2.4	250 OK
Jan 14, 2022 12:23:20.771007061 CET	49836	587	192.168.2.4	103.195.185.115	RCPT TO:<finance@demo.jeninfo.com>
Jan 14, 2022 12:23:20.915868998 CET	587	49836	103.195.185.115	192.168.2.4	250 Accepted
Jan 14, 2022 12:23:20.917112112 CET	49836	587	192.168.2.4	103.195.185.115	DATA
Jan 14, 2022 12:23:21.060147047 CET	587	49836	103.195.185.115	192.168.2.4	354 Enter message, ending with "." on a line by itself
Jan 14, 2022 12:23:21.062560081 CET	49836	587	192.168.2.4	103.195.185.115	.
Jan 14, 2022 12:23:21.211560965 CET	587	49836	103.195.185.115	192.168.2.4	250 OK id=1n8Kfw-001sYR-W4

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: order - 922 - LongWay..exe PID: 7140 Parent PID: 3512

General

Start time:	12:21:18
Start date:	14/01/2022
Path:	C:\Users\user\Desktop\order - 922 - LongWay..exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\order - 922 - LongWay..exe"
Imagebase:	0xb50000
File size:	588800 bytes
MD5 hash:	B94EDBAAE4BEEB37EAEAF525C8790CC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.694349037.0000000003F99000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.694349037.0000000003F99000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.693824370.0000000002F91000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.693874329.0000000002FD9000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: order - 922 - LongWay..exe PID: 4864 Parent PID: 7140

General

Start time:	12:21:26
Start date:	14/01/2022
Path:	C:\Users\user\Desktop\order - 922 - LongWay..exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\order - 922 - LongWay..exe
Imagebase:	0x120000
File size:	588800 bytes
MD5 hash:	B94EDBAAE4BEEB37EAEAF525C8790CC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: order - 922 - LongWay..exe PID: 6580 Parent PID: 7140

General

Start time:	12:21:27
Start date:	14/01/2022
Path:	C:\Users\user\Desktop\order - 922 - LongWay..exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\order - 922 - LongWay..exe
Imagebase:	0x4d0000
File size:	588800 bytes
MD5 hash:	B94EDBAAE4BEEB37EAEAF525C8790CC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.940918607.00000000029B1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.940918607.00000000029B1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.691336460.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.691336460.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.690833307.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.690833307.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.937763339.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.937763339.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.690098955.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.690098955.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.689627196.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.689627196.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: tKZVPq.exe PID: 6964 Parent PID: 3424

General

Start time:	12:22:05
Start date:	14/01/2022
Path:	C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe"
Imagebase:	0xa50000
File size:	588800 bytes
MD5 hash:	B94EDBAAE4BEEB37EAEAF525C8790CC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.799658380.0000000002E51000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.799756430.0000000002E99000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.800614481.0000000003E59000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000A.00000002.800614481.0000000003E59000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 19%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: tKZVPq.exe PID: 6872 Parent PID: 6964

General

Start time:	12:22:09
Start date:	14/01/2022
Path:	C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
Imagebase:	0x1e0000
File size:	588800 bytes
MD5 hash:	B94EDBAAE4BEEB37EAEAF525C8790CC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: tKZVPq.exe PID: 6172 Parent PID: 3424

General

Start time:	12:22:13
Start date:	14/01/2022
Path:	C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe"
Imagebase:	0x240000
File size:	588800 bytes
MD5 hash:	B94EDBAAE4BEEB37EAEAF525C8790CC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.804574549.0000000003609000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000F.00000002.804574549.0000000003609000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000F.00000002.803757871.0000000002601000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: tKZVPq.exe PID: 6156 Parent PID: 6964

General

Start time:	12:22:13
Start date:	14/01/2022
Path:	C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
Imagebase:	0x660000
File size:	588800 bytes
MD5 hash:	B94EDBAAE4BEEB37EAEAF525C8790CC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000000.791237614.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000010.00000000.791237614.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.937803830.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000010.00000002.937803830.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000000.792245858.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000010.00000000.792245858.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.940497927.0000000002BC1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.940497927.0000000002BC1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000000.794380276.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000010.00000000.794380276.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000000.793098302.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000010.00000000.793098302.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: tKZVPq.exe PID: 6040 Parent PID: 6172

General

Start time:	12:22:18
Start date:	14/01/2022
Path:	C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
Imagebase:	0x220000
File size:	588800 bytes
MD5 hash:	B94EDBAAE4BEEB37EAEAF525C8790CC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: tKZVPq.exe PID: 2832 Parent PID: 6172

General

Start time:	12:22:21
Start date:	14/01/2022
Path:	C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
Wow64 process (32bit):
Commandline:	C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
Imagebase:
File size:	588800 bytes
MD5 hash:	B94EDBAAE4BEEB37EAEAF525C8790CC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: order - 922 - LongWay..exe PID: 7140 Parent PID: 3512 order - 922 - LongWay..exeCOMMON

Execution Graph

Execution Coverage:	12%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	340
Total number of Limit Nodes:	32

Executed Functions

Function 0154BEC0, Relevance: 6.1, APIs: 4, Instructions: 124
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0154BF30
GetCurrentThread.KERNEL32 ref: 0154BF6D
GetCurrentProcess.KERNEL32 ref: 0154BFAA
GetCurrentThreadId.KERNEL32 ref: 0154C003

Memory Dump Source

Source File: 00000000.00000002.693400952.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1540000_order - 922 - LongWay.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 655cc30ada641852f6e08a7e8b0df4d03756aafc30dbfa075059f13fe506a0b9
Instruction ID: 14501eb7e6be139cebb5c7750b27183c94b43c562be1fbd307dd922e9b528bd6
Opcode Fuzzy Hash: 655cc30ada641852f6e08a7e8b0df4d03756aafc30dbfa075059f13fe506a0b9
Instruction Fuzzy Hash: 005176B0D006498FDB04CFA9D548BDEBBF5BF48318F24886AE418A7350D7359845CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0154BED0, Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0154BF30
GetCurrentThread.KERNEL32 ref: 0154BF6D
GetCurrentProcess.KERNEL32 ref: 0154BFAA
GetCurrentThreadId.KERNEL32 ref: 0154C003

Memory Dump Source

Source File: 00000000.00000002.693400952.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1540000_order - 922 - LongWay.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c8c207bcf67a1437a150459af74e3fe27d723278c64497bafe57aef44ccdf929
Instruction ID: 8a7f78e5338b9c165755b5fcf9b70c3faef45ed6fd19c7771d9bd972428efe26
Opcode Fuzzy Hash: c8c207bcf67a1437a150459af74e3fe27d723278c64497bafe57aef44ccdf929
Instruction Fuzzy Hash: 385142B0D006099FDB14CFAAD548BEEBBF5BB48318F24886AE019A7390D7359844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 075E76F6, Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 075E7936

Memory Dump Source

Source File: 00000000.00000002.697354719.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75e0000_order - 922 - LongWay.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 43d03f596758641108509c86601279f066e2f080ac9b3236e8899ddbdc349d98
Instruction ID: 13b1cfcb70a6d7f10302022667e5e402a6d57dacfbe0a24d3ede05b1e080a000
Opcode Fuzzy Hash: 43d03f596758641108509c86601279f066e2f080ac9b3236e8899ddbdc349d98
Instruction Fuzzy Hash: B6915FB1D04219CFEF14CFA8C8417EDBBB6BF48314F1489AAD859A7280DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 075E7700, Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 075E7936

Memory Dump Source

Source File: 00000000.00000002.697354719.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75e0000_order - 922 - LongWay.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 25b5ebece577d3d2147d6e02f0dd85396f29164f91830cbbc06089224848fdc9
Instruction ID: 039278d9b01f2952c6f9d05fd4a236e5dfcde7b5ec7101e2213d5d14243a4039
Opcode Fuzzy Hash: 25b5ebece577d3d2147d6e02f0dd85396f29164f91830cbbc06089224848fdc9
Instruction Fuzzy Hash: 869161B1D04219CFEF14CFA4C8407EDBBB6BF48314F1489AAD859A7240DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01549ED0, Relevance: 1.7, APIs: 1, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0154A116

Memory Dump Source

Source File: 00000000.00000002.693400952.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1540000_order - 922 - LongWay.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0633e865a544aea27f10411e16241671517a8b079d50b453d4f174c9f1b53007
Instruction ID: 7b1c3390ca4165b5f6a07e9566c738f6c6ddce39317587ee170b831fe78ac79f
Opcode Fuzzy Hash: 0633e865a544aea27f10411e16241671517a8b079d50b453d4f174c9f1b53007
Instruction Fuzzy Hash: A0714870A00B069FDB65DF6AC04179BBBF5BF88208F00892ED59ADBA40D775E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01545554, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01545611

Memory Dump Source

Source File: 00000000.00000002.693400952.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1540000_order - 922 - LongWay.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b0516e9fdb45f117b791c1c09bda97834740937db5416421ec8140b846c09436
Instruction ID: 2ca1b742a4a57145d72b2987c50607f35bb6aac7459035a2af577d4d8e918143
Opcode Fuzzy Hash: b0516e9fdb45f117b791c1c09bda97834740937db5416421ec8140b846c09436
Instruction Fuzzy Hash: A6410FB0D04619CFDB24CFA9C9447CEBBF5BF49308F20846AD408AB251DBB55986CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01543E30, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01545611

Memory Dump Source

Source File: 00000000.00000002.693400952.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1540000_order - 922 - LongWay.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 442240cb5a1a134b5df33d01ef4fdf4a92a0e83d9c9d9fa196a705d4e62236b8
Instruction ID: e264575d69f47ba8f92f218b46fb91fda16e4c2bb4bd88916c7d350f29323df3
Opcode Fuzzy Hash: 442240cb5a1a134b5df33d01ef4fdf4a92a0e83d9c9d9fa196a705d4e62236b8
Instruction Fuzzy Hash: F341E470D04618CFDB24DFA9C944BDEBBF5BF48308F20846AD409AB251E7755946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 075E7560, Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 075E75E8

Memory Dump Source

Source File: 00000000.00000002.697354719.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75e0000_order - 922 - LongWay.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 09f43855bc502b11071e9250865f966d7af219252f8e8755d828055e4c5bde5e
Instruction ID: fe3f451dc3ce0cf4efd74aa6bc508667392d4067b80a1d54abcdb47de44ccb3c
Opcode Fuzzy Hash: 09f43855bc502b11071e9250865f966d7af219252f8e8755d828055e4c5bde5e
Instruction Fuzzy Hash: B3317AB1C043899FCB11CFA9C8847EEBFF9FF49210F54886AE558A7241D7389944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 075E7470, Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 075E7508

Memory Dump Source

Source File: 00000000.00000002.697354719.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75e0000_order - 922 - LongWay.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 614fef6b6e6f85b68b5835f344719f289a9b0b214987fed952041d94edd48285
Instruction ID: 18507891773bcc5621d96d60529d25dbe4b497ccbffacdb9a6bf562e4dfd2228
Opcode Fuzzy Hash: 614fef6b6e6f85b68b5835f344719f289a9b0b214987fed952041d94edd48285
Instruction Fuzzy Hash: F52146B69003099FCF10CFA9C9847EEBBF5FF48314F50882AE918A7240D7789954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 075E7478, Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 075E7508

Memory Dump Source

Source File: 00000000.00000002.697354719.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75e0000_order - 922 - LongWay.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 30e7c61c727c1a32a8c06c5751190f7786d72b4ec1509d7f796923a310a56ef2
Instruction ID: 2f23689f3a7e097e35cc84a804c1095ecfefa9d798b9613718eb78a1b54397fc
Opcode Fuzzy Hash: 30e7c61c727c1a32a8c06c5751190f7786d72b4ec1509d7f796923a310a56ef2
Instruction Fuzzy Hash: A8211BB59003599FCF10CFA9C984BDEBBF9FF48314F54882AE919A7240D7789954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 075E72DA, Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetThreadContext.KERNELBASE(?,00000000), ref: 075E735E

Memory Dump Source

Source File: 00000000.00000002.697354719.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75e0000_order - 922 - LongWay.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 8b97d7ea59482c4d09bdd2a9386a7bf2a2f5514b6152676e6131ecad0fd5dbbd
Instruction ID: 509e767f6af5c419acb104213d0f34068a283571dc82cd6746c30044597088be
Opcode Fuzzy Hash: 8b97d7ea59482c4d09bdd2a9386a7bf2a2f5514b6152676e6131ecad0fd5dbbd
Instruction Fuzzy Hash: 8F213AB19002099FCB10CFA9C4857EEBBF8FF48224F54842AD419A7640DB789945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0154C0F0, Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0154C17F

Memory Dump Source

Source File: 00000000.00000002.693400952.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1540000_order - 922 - LongWay.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a7244a069331b80c3ec5d5a6a432a1b126ee0327f71dbc887abdc5462f0e54bc
Instruction ID: e1b24a2cfa95f50159f25ebf02005b19905d41fcafe2be8dddec8c059f62d0a1
Opcode Fuzzy Hash: a7244a069331b80c3ec5d5a6a432a1b126ee0327f71dbc887abdc5462f0e54bc
Instruction Fuzzy Hash: FD21D2B59002099FDB10CFA9D984ADEBBF8FB48324F14841AE919B7350D378A954CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 075E7568, Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 075E75E8

Memory Dump Source

Source File: 00000000.00000002.697354719.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75e0000_order - 922 - LongWay.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d9996624e20e5c93658f41133109c48f13398bc1fd0182e4a8d2a60677c51036
Instruction ID: 6dad6c6982a1aaa4897ca2846e4e4918cb7bc58e9ccc67e58809f00d1ed63382
Opcode Fuzzy Hash: d9996624e20e5c93658f41133109c48f13398bc1fd0182e4a8d2a60677c51036
Instruction Fuzzy Hash: 3B2128B18002199FCB10CFA9C880BEEBBF9FF48314F50882AE519A7240D7399954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 075E72E0, Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetThreadContext.KERNELBASE(?,00000000), ref: 075E735E

Memory Dump Source

Source File: 00000000.00000002.697354719.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75e0000_order - 922 - LongWay.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: e91be32fbc42d2f7191f6685064aedea897a510c7ca6e88488070286ca145d29
Instruction ID: 77d723314b9c1f2d660d68c643a5b1f71b6053de82e5ca872e7ef3497036ffed
Opcode Fuzzy Hash: e91be32fbc42d2f7191f6685064aedea897a510c7ca6e88488070286ca145d29
Instruction Fuzzy Hash: DB211AB19002099FCB50CFA9C4847EEBBF8FF48254F54842AD419A7240DB789945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0154C0F8, Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0154C17F

Memory Dump Source

Source File: 00000000.00000002.693400952.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1540000_order - 922 - LongWay.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0cd57cb10ad238b88868c712184bc603f83b5ccb51711fc94017977d321c3596
Instruction ID: f159e17b2e51dfc73e272ee3d43f80eb9de06df3e1e6765b086976e34b5546ce
Opcode Fuzzy Hash: 0cd57cb10ad238b88868c712184bc603f83b5ccb51711fc94017977d321c3596
Instruction Fuzzy Hash: 9221C4B5D012099FDB10CFA9D984ADEBFF8FB48324F14842AE915A7350D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 075E73B0, Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 075E7426

Memory Dump Source

Source File: 00000000.00000002.697354719.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75e0000_order - 922 - LongWay.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9412a96654c8ebeab7bada98b4181667f712f959c931ad35bff450f89527b032
Instruction ID: 0288ff447894a430b60e589eb268941f660e21c32cfcf40aa09bb93b0f5d1bb1
Opcode Fuzzy Hash: 9412a96654c8ebeab7bada98b4181667f712f959c931ad35bff450f89527b032
Instruction Fuzzy Hash: 711156B69002099FCB10CFE9D8447EEBBF9FF48324F14882AD519A7640C7399954CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01549AE8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0154A191,00000800,00000000,00000000), ref: 0154A3A2

Memory Dump Source

Source File: 00000000.00000002.693400952.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1540000_order - 922 - LongWay.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c133de3bc41ec823abe7b5206816087f47ae54c0a5a40e7c4d42a791e0f2eb3a
Instruction ID: f2327086aaa891ad789d60a56753e6020fe89c25f5342e1efe5a677419f9d733
Opcode Fuzzy Hash: c133de3bc41ec823abe7b5206816087f47ae54c0a5a40e7c4d42a791e0f2eb3a
Instruction Fuzzy Hash: C01103B69002098FDB10CF9AC444BDEFBF8BB58314F14842AD916AB200D3B9A545CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 075E73B8, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 075E7426

Memory Dump Source

Source File: 00000000.00000002.697354719.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75e0000_order - 922 - LongWay.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9b59f2bb9417cb0b6d9c82787a346c8235790de777d01ec4ac2061fb130b1f67
Instruction ID: e94b14731636255ef4b8ad8fc40241682132caf39b244c03ac87384810b8cf71
Opcode Fuzzy Hash: 9b59f2bb9417cb0b6d9c82787a346c8235790de777d01ec4ac2061fb130b1f67
Instruction Fuzzy Hash: 4A11F6B59002499FCB10DFA9D844BEEBFF9AF48324F148829D519A7250C7799954CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0154A333, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0154A191,00000800,00000000,00000000), ref: 0154A3A2

Memory Dump Source

Source File: 00000000.00000002.693400952.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1540000_order - 922 - LongWay.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: facbc73303db5bc32c94f5b5eedb9a226498e9422ca14bd8158095991695e84c
Instruction ID: 12f622e47f11275760931288b1577358c017605207251a8ae12746927c1f6ada
Opcode Fuzzy Hash: facbc73303db5bc32c94f5b5eedb9a226498e9422ca14bd8158095991695e84c
Instruction Fuzzy Hash: 7B11F6B69002498FDB10CF9AD444BDEFBF8BF98314F14842ED416A7600C379A545CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 075E7228, Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 075E7292

Memory Dump Source

Source File: 00000000.00000002.697354719.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75e0000_order - 922 - LongWay.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 59b8032aaf0dafbc8674cc2c193969202d71db44fe7be4c78309c2d631681b66
Instruction ID: 449b44b8931da8fb65d306163aeb70a2578cd86127411748851b9caf75ef1dbe
Opcode Fuzzy Hash: 59b8032aaf0dafbc8674cc2c193969202d71db44fe7be4c78309c2d631681b66
Instruction Fuzzy Hash: 0E1166B1D002098FCB10CFE9D5447EEFBF8EF48224F24892AD019A7640DB399944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 075E7230, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 075E7292

Memory Dump Source

Source File: 00000000.00000002.697354719.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75e0000_order - 922 - LongWay.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4a84cd8b8359db263e8045f09bd70b2c3a62a0f8c7ddad678f3b1955b8745521
Instruction ID: ec555e125e49913a92fe432ce1be05840ba58bf355419f797ab82fd871912e74
Opcode Fuzzy Hash: 4a84cd8b8359db263e8045f09bd70b2c3a62a0f8c7ddad678f3b1955b8745521
Instruction Fuzzy Hash: F2113AB1D002498FCB10DFAAC4447EFFBF9EF48224F148829D419A7240D779A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0154A0B0, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0154A116

Memory Dump Source

Source File: 00000000.00000002.693400952.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1540000_order - 922 - LongWay.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 06694fbd6afad809a57a66a858c100ad8c25919cce4f3f814f610d8d3aec175d
Instruction ID: dffc1dabc2b29afad2247d4f8ebbee513ddbe00a467f0b690b34388585aa0d69
Opcode Fuzzy Hash: 06694fbd6afad809a57a66a858c100ad8c25919cce4f3f814f610d8d3aec175d
Instruction Fuzzy Hash: E911DFB6D006498FDB10CF9AD444BDEFBF8BB89224F14842AD529B7600D379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 075E9DB0, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 075E9E15

Memory Dump Source

Source File: 00000000.00000002.697354719.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75e0000_order - 922 - LongWay.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a689414c4e71b08057332d3a01de1616aea57317290e8ecc39ab294d3267c132
Instruction ID: 39c571ca5c06cb0a545b944a559b5fc822186fdf87d83158891052e2919618d4
Opcode Fuzzy Hash: a689414c4e71b08057332d3a01de1616aea57317290e8ecc39ab294d3267c132
Instruction Fuzzy Hash: BC1103B5800349DFCB10CF99D585BEEBBF8FB08324F14881AD558A7600D379A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 075E9DB8, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 075E9E15

Memory Dump Source

Source File: 00000000.00000002.697354719.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75e0000_order - 922 - LongWay.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: cfc3f8af3141ee8b80cf7b0bcf8d8815f3bfb4d98bb5f0db35349ff58502af56
Instruction ID: 1712bff1eee0073be4cc5b93a25806220d8cfda8f084bdbf81d6a043bcddb28e
Opcode Fuzzy Hash: cfc3f8af3141ee8b80cf7b0bcf8d8815f3bfb4d98bb5f0db35349ff58502af56
Instruction Fuzzy Hash: 4611D0B58003499FDB10CF9AD884BDEBBF8FB48324F14881AE519A7600D379A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0118D3D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693238485.000000000118D000.00000040.00000001.sdmp, Offset: 0118D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_118d000_order - 922 - LongWay.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ac88e848d58fb2fc9e53723090bb79c3f111f142bb46841affd6c7cc88d6fa
Instruction ID: 385b2b363348e3d2dc9e82579d646288850ba5d7ba753dd14b0b63f1632ef2c0
Opcode Fuzzy Hash: 08ac88e848d58fb2fc9e53723090bb79c3f111f142bb46841affd6c7cc88d6fa
Instruction Fuzzy Hash: DB212B71504304DFDF09EF98E9C0B96BB65FB84324F24C569D9050B686C336E456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0119D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693269662.000000000119D000.00000040.00000001.sdmp, Offset: 0119D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119d000_order - 922 - LongWay.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aac139b9eafa1c1e5efe1f953ac0e6e638b719daf0508210de76757c72177d59
Instruction ID: 83e8527acdbe19e30f2fb6ca37b6b567d8b859d83777cb6916674d188b111acc
Opcode Fuzzy Hash: aac139b9eafa1c1e5efe1f953ac0e6e638b719daf0508210de76757c72177d59
Instruction Fuzzy Hash: 6521F575504244DFDF19CFA4E8C4B1ABB65FB84354F28C969D80A4B346C73AD847CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0119D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693269662.000000000119D000.00000040.00000001.sdmp, Offset: 0119D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119d000_order - 922 - LongWay.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f1acfe2a5991ad507c2ec11c716cdcab081d29d568de77ff93ba5dc45f9566d
Instruction ID: 4307edd52ebbd0ed849444be5e0a0f327144647400ff90af31ec293b8f0605bd
Opcode Fuzzy Hash: 3f1acfe2a5991ad507c2ec11c716cdcab081d29d568de77ff93ba5dc45f9566d
Instruction Fuzzy Hash: 73212975504204DFDF09CF94E9C0B26BBA5FB84324F24C9ADE9094B346C736E846CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0118D3D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693238485.000000000118D000.00000040.00000001.sdmp, Offset: 0118D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_118d000_order - 922 - LongWay.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b542bd3278c9900dffdafc875f4b96c8e5add24c359be4243397ba3ac3bd772
Instruction ID: 7f8a7a1030971e5ae534b3f0bdd198c0fcedf42c64255357c7ce8f8493679e82
Opcode Fuzzy Hash: 0b542bd3278c9900dffdafc875f4b96c8e5add24c359be4243397ba3ac3bd772
Instruction Fuzzy Hash: 0111CD72404280DFCF06DF58D5C4B56BF61FB84220F24C2A9D8090B656C33AE45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0119D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693269662.000000000119D000.00000040.00000001.sdmp, Offset: 0119D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119d000_order - 922 - LongWay.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad2a8cfca3367af31ed8fccdba65c6857044cb1be902d9aeec9971aaaa20cc2e
Instruction ID: 82a855833a38d08f30289dec1f908a700771b491fad200e6185a8c468fb12fdd
Opcode Fuzzy Hash: ad2a8cfca3367af31ed8fccdba65c6857044cb1be902d9aeec9971aaaa20cc2e
Instruction Fuzzy Hash: 6611BB75504280DFCF06CF54D5C4B15BBA1FB84224F28C6AAD8494B696C33AD44ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0119D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693269662.000000000119D000.00000040.00000001.sdmp, Offset: 0119D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119d000_order - 922 - LongWay.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad2a8cfca3367af31ed8fccdba65c6857044cb1be902d9aeec9971aaaa20cc2e
Instruction ID: ece36e09a0f9d4bbaccc67ff1749c786b93da28ec72f7378da9d755b33ac8d90
Opcode Fuzzy Hash: ad2a8cfca3367af31ed8fccdba65c6857044cb1be902d9aeec9971aaaa20cc2e
Instruction Fuzzy Hash: 6411BE75504280CFDF16CF54E5C4B15BB61FB44314F28C6AAD8094B656C33AD44ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0118D745, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693238485.000000000118D000.00000040.00000001.sdmp, Offset: 0118D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_118d000_order - 922 - LongWay.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e377c7f93e23e77256c2712ea00d49810a876bb81a138516aa5576db71d5801b
Instruction ID: fc773ff12eb7286b39d0f39aa704b0fdc726868935fa897eadeab7325bad7428
Opcode Fuzzy Hash: e377c7f93e23e77256c2712ea00d49810a876bb81a138516aa5576db71d5801b
Instruction Fuzzy Hash: 7701D4710087C09AEB197AD5EC84BA6BB9CEF41268F08C55AEA041B282D3799445CEB2

Uniqueness

Uniqueness Score: -1.00%

Function 0118D744, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693238485.000000000118D000.00000040.00000001.sdmp, Offset: 0118D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_118d000_order - 922 - LongWay.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f25b5690198c7e9310ad4c30dbaf16401b3db136a5095853521b134246c8c78
Instruction ID: 2981b67d5262749353f85ffabbec5dc73e7756ef3b29902a3797e5cdc3b2aaac
Opcode Fuzzy Hash: 0f25b5690198c7e9310ad4c30dbaf16401b3db136a5095853521b134246c8c78
Instruction Fuzzy Hash: 8CF0C2714047849EEB159E5ADCC4B62FFA8EB81278F18C45AED081B286C3799844CFB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 075E2A98, Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

UUUU, xrefs: 075E2B58

Memory Dump Source

Source File: 00000000.00000002.697354719.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75e0000_order - 922 - LongWay.jbxd

Similarity

API ID:
String ID: UUUU
API String ID: 0-1798160573
Opcode ID: c016911560f8d6c66c04d5b79bfd5d253b14d58c877d16baf596ee7accd631b2
Instruction ID: e8d8981fcefb0826887a70c2165862b906dbfb6512f7af43af2fb9064115265d
Opcode Fuzzy Hash: c016911560f8d6c66c04d5b79bfd5d253b14d58c877d16baf596ee7accd631b2
Instruction Fuzzy Hash: B9516EB0E146288FDBA4CFA9C984BCDBBF2BB48314F1481A9D118F7215D7349A85CF15

Uniqueness

Uniqueness Score: -1.00%

Function 075EC078, Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.697354719.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75e0000_order - 922 - LongWay.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9658e789c67d26f9f715761f2ff934db02ac970f404206ad2ee779c56905b22
Instruction ID: b1fa0fcdeada9d0c22d85a2427625ef8d6bf2499623176698041f8a7509d784c
Opcode Fuzzy Hash: e9658e789c67d26f9f715761f2ff934db02ac970f404206ad2ee779c56905b22
Instruction Fuzzy Hash: 33D19CB1B006069FEB19DBB5C420BAE77FABFC9605F14446ED1498B790CB35E901CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0154EDB8, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693400952.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1540000_order - 922 - LongWay.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2372446588cedf22a9990115209a0ef68d6dd6cac8cc623a51cddea3aed3625
Instruction ID: fe6ce3dc02936e8e4542f99d7600259730f60c24a4de120d566b8cbe56393556
Opcode Fuzzy Hash: d2372446588cedf22a9990115209a0ef68d6dd6cac8cc623a51cddea3aed3625
Instruction Fuzzy Hash: 0312E7F24917468AD330CF65EC98188BBB1B7C3328B58660BD9635FAD8D7B4116ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 0154C974, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693400952.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1540000_order - 922 - LongWay.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa60135759bfc250e15d93728d8beff403d01b0b184729a5d9632a0365c9eb90
Instruction ID: 59e50d5922ca0f6499dc12cbe438fc5eef627812f15ce4f58fca125e72f68010
Opcode Fuzzy Hash: fa60135759bfc250e15d93728d8beff403d01b0b184729a5d9632a0365c9eb90
Instruction Fuzzy Hash: 43A15A32E0021A8FCF19DFB5C8445EEBBB2FFC4304B15856AE915AF221EB75A955CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0154EDA8, Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693400952.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1540000_order - 922 - LongWay.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7d4ed637a9aceeef4e5d4b310df591f8c426daaef50b61ae7327cfe9a4980ec
Instruction ID: 07342367bc3ef0b71c6ceaf7d89e5094660392eca521b9cd69a24114cab93275
Opcode Fuzzy Hash: c7d4ed637a9aceeef4e5d4b310df591f8c426daaef50b61ae7327cfe9a4980ec
Instruction Fuzzy Hash: 25C16AB24517868BD320CF65EC98188BBB1BBC7328F58670BD5222B6D8D7B4106ACF44

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: order - 922 - LongWay..exe PID: 6580 Parent PID: 7140 order - 922 - LongWay..exeCOMMON

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	206
Total number of Limit Nodes:	12

Executed Functions

Function 00BAB158, Relevance: 1.7, APIs: 1, Instructions: 180
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00BAB199

Memory Dump Source

Source File: 00000005.00000002.938756699.0000000000BA0000.00000040.00000010.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ba0000_order - 922 - LongWay.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: adb37db76f9b230b2932463444b4f4892848102801dd59f54d899783ec2258fd
Instruction ID: 792617d03381c856210858e99c093618e4c4d490f6ff2fe7ad9edcb4aafcd57a
Opcode Fuzzy Hash: adb37db76f9b230b2932463444b4f4892848102801dd59f54d899783ec2258fd
Instruction Fuzzy Hash: AE617E30A14205DFDB14EFF4D859BAEBBF2AF85304F208429E416AB791DF349846CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00C86B40, Relevance: 6.1, APIs: 4, Instructions: 124
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00C86BB0
GetCurrentThread.KERNEL32 ref: 00C86BED
GetCurrentProcess.KERNEL32 ref: 00C86C2A
GetCurrentThreadId.KERNEL32 ref: 00C86C83

Memory Dump Source

Source File: 00000005.00000002.939299470.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_order - 922 - LongWay.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 21fc5e689f5aad382169e53cbcbefbccc7071e0de93fdbac7c5a37953a11cfe5
Instruction ID: 47a974c5439dfeb6aae098ca91fc83be6ae40c0b0a3b38aba664f624046d648d
Opcode Fuzzy Hash: 21fc5e689f5aad382169e53cbcbefbccc7071e0de93fdbac7c5a37953a11cfe5
Instruction Fuzzy Hash: E35165B4900649CFDB54CFAAD688BDEBBF4FF48308F2084A9E019A7390D7746944CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00C86B50, Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00C86BB0
GetCurrentThread.KERNEL32 ref: 00C86BED
GetCurrentProcess.KERNEL32 ref: 00C86C2A
GetCurrentThreadId.KERNEL32 ref: 00C86C83

Memory Dump Source

Source File: 00000005.00000002.939299470.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_order - 922 - LongWay.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b11a14a14412e415d66c7a50ec72685ea5ab4671bf376b63fae517235fdbbb9f
Instruction ID: fc94bb7d9d6f6d450be95f47bc88b3da326b04072ac995f12d0acd2ae2957928
Opcode Fuzzy Hash: b11a14a14412e415d66c7a50ec72685ea5ab4671bf376b63fae517235fdbbb9f
Instruction Fuzzy Hash: FE5155B4900649CFDB50CFAAD688BEEBBF4FF48318F208469E419A7390D7746944CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00C82F44, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00C84216

Strings

X, xrefs: 00C82F44

Memory Dump Source

Source File: 00000005.00000002.939299470.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_order - 922 - LongWay.jbxd

Similarity

API ID: HandleModule
String ID: X
API String ID: 4139908857-1677210272
Opcode ID: c4b157c6e3b91ed1fd69c3c49d04c030f50355c7d68bf255c5a597285cc47651
Instruction ID: 242542f7f89f9fca9452db659e3234b86f9af1233a08af8e65df5b08c86f06b1
Opcode Fuzzy Hash: c4b157c6e3b91ed1fd69c3c49d04c030f50355c7d68bf255c5a597285cc47651
Instruction Fuzzy Hash: A711F3B18046498BCB14DF9AD444BDEFBF4EB48314F14842AD429B7200D374A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BA0412, Relevance: 1.7, APIs: 1, Instructions: 163
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00BA04C9

Memory Dump Source

Source File: 00000005.00000002.938756699.0000000000BA0000.00000040.00000010.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ba0000_order - 922 - LongWay.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 61ebb28cc3b720d552eeb93c7b2686e86a37b1ca9e946eeebb52de046bf34f46
Instruction ID: 5d925058bc71b65db066a5b5b3e2731c08d1dfbae1667b70b0402b95e4928c4b
Opcode Fuzzy Hash: 61ebb28cc3b720d552eeb93c7b2686e86a37b1ca9e946eeebb52de046bf34f46
Instruction Fuzzy Hash: A2519230B142059FCB04EBB4D895BEE77F5AF89304F14896AE5069B792EF30D905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00BA0468, Relevance: 1.6, APIs: 1, Instructions: 148
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00BA04C9

Memory Dump Source

Source File: 00000005.00000002.938756699.0000000000BA0000.00000040.00000010.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ba0000_order - 922 - LongWay.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 663a9189e90a58d6ca08bf8154ed29a8a09a9b28107e35b7baf081be02d48ca7
Instruction ID: d474ae6c20708ea520ed8174e9e8f2183ebf2abbb63d566686306ee365d0b31a
Opcode Fuzzy Hash: 663a9189e90a58d6ca08bf8154ed29a8a09a9b28107e35b7baf081be02d48ca7
Instruction Fuzzy Hash: 32518030A142059BCB04FBB4D895AEEB7F5FF89304F14896AE4069B791DF30E905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C85184, Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00C852A2

Memory Dump Source

Source File: 00000005.00000002.939299470.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_order - 922 - LongWay.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 30177fabf54ac888b7f2bb66e2aa1bb15091b4e7b7e3787f8bf69eecd6ee15b5
Instruction ID: 17893f52bc1d582305c334f4ec0a3065994690aaea579e94889c6d8800b13809
Opcode Fuzzy Hash: 30177fabf54ac888b7f2bb66e2aa1bb15091b4e7b7e3787f8bf69eecd6ee15b5
Instruction Fuzzy Hash: EB51EFB1D00709DFDB14DF99D884ADEBFB5BF48314F24812AE819AB210DBB49985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00C85190, Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00C852A2

Memory Dump Source

Source File: 00000005.00000002.939299470.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_order - 922 - LongWay.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f06266e9a38d2d7b8f354294350cd47112ea8f91c4d8376d614a49f3db1a3a9b
Instruction ID: c42655b9abb2e7afa66c6e0e86ca02e87b502dc1ea9bc5e2bcdeee6820e6e2ab
Opcode Fuzzy Hash: f06266e9a38d2d7b8f354294350cd47112ea8f91c4d8376d614a49f3db1a3a9b
Instruction Fuzzy Hash: 7241C0B1D00309DFDB14DF99D884ADEBBB5BF48314F64812AE819AB210DBB4A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00C86964, Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 00C87D01

Memory Dump Source

Source File: 00000005.00000002.939299470.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_order - 922 - LongWay.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 42ab371b91d0823b849365e173ea36151354967e8b44571b81fb5258c685114b
Instruction ID: 6b347842afc1143a13de0770c472ea9b8839a7c1da35633cddde943d603f9ec8
Opcode Fuzzy Hash: 42ab371b91d0823b849365e173ea36151354967e8b44571b81fb5258c685114b
Instruction Fuzzy Hash: 3D4129B4A04205CFCB14DF99C488BAABBF5FF88318F248559E419AB321D774E941CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00BAB0F8, Relevance: 1.6, APIs: 1, Instructions: 83
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00BAB199

Memory Dump Source

Source File: 00000005.00000002.938756699.0000000000BA0000.00000040.00000010.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ba0000_order - 922 - LongWay.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8d97b410e69d2048bd2284c633c52a448ec5fb70785c348c09a0d0eacda65593
Instruction ID: e7e7ddc33153dfc6004febe78eb9f93dc32bfa54d3a77de6ff7865f4d7a0aa24
Opcode Fuzzy Hash: 8d97b410e69d2048bd2284c633c52a448ec5fb70785c348c09a0d0eacda65593
Instruction Fuzzy Hash: F131A270A19349CFCB05DBB4D894B9DBBF1FF4A304F1584A9D001AB396DB35984ACB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C86D71, Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C86DFF

Memory Dump Source

Source File: 00000005.00000002.939299470.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_order - 922 - LongWay.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 77f1aae3715dfd80d20aa8c49bda268327f5adc0bb48c51162a3f37439928a65
Instruction ID: 055bbef4e880afaa6c542a8350a37ff16f7cc7a2f28c0ea1ec2dfd5bca413c2c
Opcode Fuzzy Hash: 77f1aae3715dfd80d20aa8c49bda268327f5adc0bb48c51162a3f37439928a65
Instruction Fuzzy Hash: 7621E4B5900249DFDB10CFA9D884AEEBFF8FB48314F14842AE914A7350D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C86D78, Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C86DFF

Memory Dump Source

Source File: 00000005.00000002.939299470.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_order - 922 - LongWay.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 24bf20d0b092cfed266a7910506c03f354cf2456890707a481c6174316fae0f4
Instruction ID: 10423d6e525f7f174130c628096434c30031d1e9f2208bcfa98b3750b10e04c6
Opcode Fuzzy Hash: 24bf20d0b092cfed266a7910506c03f354cf2456890707a481c6174316fae0f4
Instruction Fuzzy Hash: 8A21C4B5900209DFDB10CF99D584ADEFBF8FB48324F14842AE914A7350D778A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C08119, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C080F9,00000800), ref: 00C0818A

Memory Dump Source

Source File: 00000005.00000002.938835164.0000000000C00000.00000040.00000010.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c00000_order - 922 - LongWay.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e8ade6aaade1c023c6a30e1e2069c1ba1bd51388f66b2deb89596c077883aee5
Instruction ID: a5a2b96c5ce96576750b050b8dd924f6927fd77f5062cf832683e40e99c3c303
Opcode Fuzzy Hash: e8ade6aaade1c023c6a30e1e2069c1ba1bd51388f66b2deb89596c077883aee5
Instruction Fuzzy Hash: D11103B68002498FDB10CFAAD844BDEFBF4AF48314F14852AD459A7640C778A94ACFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C07264, Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C080F9,00000800), ref: 00C0818A

Memory Dump Source

Source File: 00000005.00000002.938835164.0000000000C00000.00000040.00000010.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c00000_order - 922 - LongWay.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 69ed6ce4789512b4447e2075e4e957a314cca9ea47d49036390086c1e8339abe
Instruction ID: f59fda56517370e1524be66981551379d8a5f5a6d08896d45296e0061612e47e
Opcode Fuzzy Hash: 69ed6ce4789512b4447e2075e4e957a314cca9ea47d49036390086c1e8339abe
Instruction Fuzzy Hash: 9C1103B29002099FCB10CF9AD844BDEFBF8EF48310F14842AE555A7240C778A949CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BAC4C0, Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,00BAE47A), ref: 00BAE96F

Memory Dump Source

Source File: 00000005.00000002.938756699.0000000000BA0000.00000040.00000010.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ba0000_order - 922 - LongWay.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 00361d77a3338718adbf6482960d6093ce0c15129a76ca8dcbecb6a06b3fa389
Instruction ID: fa864375c977ff8269386167e707152c6593e03a4f54a67a49590b475699925c
Opcode Fuzzy Hash: 00361d77a3338718adbf6482960d6093ce0c15129a76ca8dcbecb6a06b3fa389
Instruction Fuzzy Hash: 1F1103B1C046199BCB10DF9AC4447EEFBF8AB49324F54856AD818B7340D778A954CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 00C8C3C8, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 00C8C442

Memory Dump Source

Source File: 00000005.00000002.939299470.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_order - 922 - LongWay.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: bde06f088bebbf4b06ea98f77edab2e4059b12f82e11f284d8c009c746a559e3
Instruction ID: 8f810e1ebf30d92a4f63236022f853c94cd8be2e8ce928ad833a22399076f708
Opcode Fuzzy Hash: bde06f088bebbf4b06ea98f77edab2e4059b12f82e11f284d8c009c746a559e3
Instruction Fuzzy Hash: 2511ACB59003058FCB60DFA9D5887EEBBF8FB48318F24882AD445A3681C7786544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BAE900, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,00BAE47A), ref: 00BAE96F

Memory Dump Source

Source File: 00000005.00000002.938756699.0000000000BA0000.00000040.00000010.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ba0000_order - 922 - LongWay.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 488fdc4dd5263e2c9b1630a342aec9682ffcdf581515a062087f15e42de593a1
Instruction ID: 2e86ef1fc0d5145c5dbbd86d500fc641d49a92c923bf735785ee0ba2421108cf
Opcode Fuzzy Hash: 488fdc4dd5263e2c9b1630a342aec9682ffcdf581515a062087f15e42de593a1
Instruction Fuzzy Hash: C71103B1C046599FCB10CF9AD444BEEFBF4AF48324F14866AD418B7240D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C0BA48, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00C0BAA5

Memory Dump Source

Source File: 00000005.00000002.938835164.0000000000C00000.00000040.00000010.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c00000_order - 922 - LongWay.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 35895b3dca21da929811b0dc8f5a405a50fdce1fc046322a7f339c3284b0f017
Instruction ID: a53c698ddc3eee096d81d93ecedbae0e4122eda88724dedf5f406efc4a8dc239
Opcode Fuzzy Hash: 35895b3dca21da929811b0dc8f5a405a50fdce1fc046322a7f339c3284b0f017
Instruction Fuzzy Hash: 821112B1900249CFCB10DF9AD448BDEFBF8EB48324F248529D519A7740C378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C0AB00, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00C0BAA5

Memory Dump Source

Source File: 00000005.00000002.938835164.0000000000C00000.00000040.00000010.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c00000_order - 922 - LongWay.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 71d87e74ce1126954713d0c663634d58a8af41a9d257ca11efe257822e084cfa
Instruction ID: 076ca6657cc89332d55c4f95412b3a055981b83b97de8d72a894d2d0c519877e
Opcode Fuzzy Hash: 71d87e74ce1126954713d0c663634d58a8af41a9d257ca11efe257822e084cfa
Instruction Fuzzy Hash: 401100B19042498FCB20DF9AD448BDEBBF8EB48324F248829D519B7340D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C1D450, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.938934941.0000000000C1D000.00000040.00000001.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c1d000_order - 922 - LongWay.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b61fd5dbe79b329c4093f84786b99fe4e4accd3e34cd6610a8def5ca7a77d3ad
Instruction ID: 4a87d88081041c8252849e7450ae52eaf7fb90dfcbc99390d82aea8571ef18ff
Opcode Fuzzy Hash: b61fd5dbe79b329c4093f84786b99fe4e4accd3e34cd6610a8def5ca7a77d3ad
Instruction Fuzzy Hash: F62128B1504244DFDB01DF50D8C0BA7BB66FB99324F24C569E8070B246C336E896EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C1D53C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.938934941.0000000000C1D000.00000040.00000001.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c1d000_order - 922 - LongWay.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06d50c2b28394a58f3eda4c7e882dbe8870af9912f29d1db44753222f1f9949e
Instruction ID: de5e02ee2048d58b5fa9ae40edcf2075a6995d95e3f7e737d81268e4dad5e876
Opcode Fuzzy Hash: 06d50c2b28394a58f3eda4c7e882dbe8870af9912f29d1db44753222f1f9949e
Instruction Fuzzy Hash: 13213AB1504244DFCB01DF50D8C0BABBF6AFB95328F248969E8064B246C336D996E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00C2D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.938991757.0000000000C2D000.00000040.00000001.sdmp, Offset: 00C2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c2d000_order - 922 - LongWay.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac1a8a201ca35c8c6ffd40d20c12fa1141a4115b13fa6e02beb18a4684da5936
Instruction ID: 1da02425bea3baebae18e04e13421bb6a0adeb2c6c6040566a710bc770f2101a
Opcode Fuzzy Hash: ac1a8a201ca35c8c6ffd40d20c12fa1141a4115b13fa6e02beb18a4684da5936
Instruction Fuzzy Hash: C9210475504344DFCB14CF60E9C4B26BBA5FB98314F24C9A9E80A4BB96C73AD847CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C2D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.938991757.0000000000C2D000.00000040.00000001.sdmp, Offset: 00C2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c2d000_order - 922 - LongWay.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777d85b6aca02c54efcd83b4329a562be5242d29fadff647ac654af65ae29386
Instruction ID: 61e8896fc3ca91d41ffbf87f8363a6dd0044ca1bca3762ea032e9ce6dd314b01
Opcode Fuzzy Hash: 777d85b6aca02c54efcd83b4329a562be5242d29fadff647ac654af65ae29386
Instruction Fuzzy Hash: A9218E755093C08FCB12CF24D994B15BF71EB56314F28C5EAD8498B6A7C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C1D44B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.938934941.0000000000C1D000.00000040.00000001.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c1d000_order - 922 - LongWay.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b542bd3278c9900dffdafc875f4b96c8e5add24c359be4243397ba3ac3bd772
Instruction ID: eed813e179a5debe6d057cee5b00a31e66a2a4b3cc645d351e30589a1bdf464b
Opcode Fuzzy Hash: 0b542bd3278c9900dffdafc875f4b96c8e5add24c359be4243397ba3ac3bd772
Instruction Fuzzy Hash: A811E6B6404280CFCF12CF14D5C4B56BF72FB95324F24C6A9D8064B656C33AD99ADBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C1D537, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.938934941.0000000000C1D000.00000040.00000001.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c1d000_order - 922 - LongWay.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b542bd3278c9900dffdafc875f4b96c8e5add24c359be4243397ba3ac3bd772
Instruction ID: 0f847f1ca7203dc6852701e3aefc8d893e1a0b364d5f09b52ae8d3d22258c462
Opcode Fuzzy Hash: 0b542bd3278c9900dffdafc875f4b96c8e5add24c359be4243397ba3ac3bd772
Instruction Fuzzy Hash: 9911D3B6404280CFCB02CF10D5C4B56BF72FB95324F24C6A9D8094B656C33AD99ADBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: tKZVPq.exe PID: 6964 Parent PID: 3424 tKZVPq.exeCOMMON

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	270
Total number of Limit Nodes:	17

Executed Functions

Function 0140BEC3, Relevance: 6.1, APIs: 4, Instructions: 123
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0140BF30
GetCurrentThread.KERNEL32 ref: 0140BF6D
GetCurrentProcess.KERNEL32 ref: 0140BFAA
GetCurrentThreadId.KERNEL32 ref: 0140C003

Memory Dump Source

Source File: 0000000A.00000002.798747419.0000000001400000.00000040.00000001.sdmp, Offset: 01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1400000_tKZVPq.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b5e6ab6332825ded28e1cfd3be910673557783360912abfedc53faa7dde3bfc0
Instruction ID: b9f588f902d3500fb768df31469b1a9ed737384e67e25afc4e7fa136cebe3e01
Opcode Fuzzy Hash: b5e6ab6332825ded28e1cfd3be910673557783360912abfedc53faa7dde3bfc0
Instruction Fuzzy Hash: 945155B4900649CFDB15CFAAD588BDEBBF5AF48304F24846AD418A73A0D7355844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0140BED0, Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0140BF30
GetCurrentThread.KERNEL32 ref: 0140BF6D
GetCurrentProcess.KERNEL32 ref: 0140BFAA
GetCurrentThreadId.KERNEL32 ref: 0140C003

Memory Dump Source

Source File: 0000000A.00000002.798747419.0000000001400000.00000040.00000001.sdmp, Offset: 01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1400000_tKZVPq.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7fd93360a1d770143b8058b08b7636fc832cbcd41cc957ecfc3d324361e8c78d
Instruction ID: 93d4404d0636de9d5964322a29694099b79edf8633f002ab02dabf8c684e9a21
Opcode Fuzzy Hash: 7fd93360a1d770143b8058b08b7636fc832cbcd41cc957ecfc3d324361e8c78d
Instruction Fuzzy Hash: 8D5133B4900609CFDB14CFAAD588BDEBBF5AB48304F24886AE419A73A0D7359844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 08A776F6, Relevance: 1.7, APIs: 1, Instructions: 244
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08A77936

Memory Dump Source

Source File: 0000000A.00000002.804132090.0000000008A70000.00000040.00000001.sdmp, Offset: 08A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8a70000_tKZVPq.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6890a7912b073bfc2b2d7aede8e8a6bc82e7c370fe691d6d8dc0bba8695fbb8b
Instruction ID: 283a047730184b38f88cb42b8691524498a77a222a54c3f3360acaa3b17fb25d
Opcode Fuzzy Hash: 6890a7912b073bfc2b2d7aede8e8a6bc82e7c370fe691d6d8dc0bba8695fbb8b
Instruction Fuzzy Hash: 69916B71D00619CFEB20CFA9CC41BEDBBB2BF48315F1485A9E809A7680DB749985DF91

Uniqueness

Uniqueness Score: -1.00%

Function 08A77700, Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08A77936

Memory Dump Source

Source File: 0000000A.00000002.804132090.0000000008A70000.00000040.00000001.sdmp, Offset: 08A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8a70000_tKZVPq.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 28a31902f36c1f1f8ff75081cd87fc3a9ae8fd9b4a2391f8327e5c6856f655ae
Instruction ID: 175c0f89f531603b2c292620d82f00c8f83e25dcaf485b2cf8630e29701b5419
Opcode Fuzzy Hash: 28a31902f36c1f1f8ff75081cd87fc3a9ae8fd9b4a2391f8327e5c6856f655ae
Instruction Fuzzy Hash: 36914B71D00619CFEB20CFA9CC40BEEBBB2BF48315F1485A9E809A7640DB749985DF91

Uniqueness

Uniqueness Score: -1.00%

Function 01409ED0, Relevance: 1.7, APIs: 1, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0140A116

Memory Dump Source

Source File: 0000000A.00000002.798747419.0000000001400000.00000040.00000001.sdmp, Offset: 01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1400000_tKZVPq.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 580540cb7fbd6841d980e05410389041de61b4cd7895aabf7d89b00eebb057b9
Instruction ID: d1093a5380d14e2ae545d8b91b1e6c0a872c0fd7ab19f1506ab8212d9f08bb01
Opcode Fuzzy Hash: 580540cb7fbd6841d980e05410389041de61b4cd7895aabf7d89b00eebb057b9
Instruction Fuzzy Hash: B37124B0A00B058FDB65DF6AC05079BBBF5BF88204F00892ED59AD7B91DB74E8458F91

Uniqueness

Uniqueness Score: -1.00%

Function 08A77640, Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08A775E8

Memory Dump Source

Source File: 0000000A.00000002.804132090.0000000008A70000.00000040.00000001.sdmp, Offset: 08A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8a70000_tKZVPq.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 7ce60c12c4ef2a785e97c2b4a65c188cd780c86c90512b1e35f38ae12d0edf78
Instruction ID: 33db15ff365b1cab64845843a14f1a72e303f04158c429c29a7005366f72360d
Opcode Fuzzy Hash: 7ce60c12c4ef2a785e97c2b4a65c188cd780c86c90512b1e35f38ae12d0edf78
Instruction Fuzzy Hash: 864147B5D003498FCF10CFA9C8447EEBBF5AF48324F14882AD559A7640DB799949DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01403E30, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01405611

Memory Dump Source

Source File: 0000000A.00000002.798747419.0000000001400000.00000040.00000001.sdmp, Offset: 01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1400000_tKZVPq.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: cc3d363baaa1af79f67a266f63fa379e3123e7f92bbf1396baab7d9296d822c0
Instruction ID: fb2ef6a00836b7ca5308e058f1aa40af209f9e88efb3675e5abedabcef8178e3
Opcode Fuzzy Hash: cc3d363baaa1af79f67a266f63fa379e3123e7f92bbf1396baab7d9296d822c0
Instruction Fuzzy Hash: C341C270D04618CFDB24DFAAC8847DEBBB5FF48304F24846AD409AB295D7B59946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0140555B, Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01405611

Memory Dump Source

Source File: 0000000A.00000002.798747419.0000000001400000.00000040.00000001.sdmp, Offset: 01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1400000_tKZVPq.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: bc516a2bab0fd2dabb31f38c09fe13686d8bc52fc91c30cad1ae8991df07bb70
Instruction ID: 50a9fdd74308f0d8ebb1cdc1d07ca92b67f8c253bfd232ccf57e80b11fb690ab
Opcode Fuzzy Hash: bc516a2bab0fd2dabb31f38c09fe13686d8bc52fc91c30cad1ae8991df07bb70
Instruction Fuzzy Hash: 3441F270D04618CFDB25DFAAC884BDEBBB5FF49304F24846AD408AB251DBB59946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 08A77470, Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08A77508

Memory Dump Source

Source File: 0000000A.00000002.804132090.0000000008A70000.00000040.00000001.sdmp, Offset: 08A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8a70000_tKZVPq.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8304331bbae7feb3f18b81f9490f7081f74f5ccea5649d5059b8272c4f98cfeb
Instruction ID: b5a4a385802f3fd028ea460bb74522d4838eae4e600408cf13cfc827bb1e7ad5
Opcode Fuzzy Hash: 8304331bbae7feb3f18b81f9490f7081f74f5ccea5649d5059b8272c4f98cfeb
Instruction Fuzzy Hash: 2A2146B59002199FCF00CFA9C9807EEBBF5FF48314F10882AE918A7640D7789955DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 08A77478, Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08A77508

Memory Dump Source

Source File: 0000000A.00000002.804132090.0000000008A70000.00000040.00000001.sdmp, Offset: 08A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8a70000_tKZVPq.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c954576040d16478f654056a87fb0f6cdbc3de625755719ae869016f89522765
Instruction ID: c0859d0d71e4a0baf4cd090c49350bfa6d17eae4362a205855d6893390faca8d
Opcode Fuzzy Hash: c954576040d16478f654056a87fb0f6cdbc3de625755719ae869016f89522765
Instruction Fuzzy Hash: C42124B19003499FCF10CFA9C984BEEBBF5FF48314F50882AE919A7640D7789954DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 08A772DA, Relevance: 1.6, APIs: 1, Instructions: 64
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 08A7735E

Memory Dump Source

Source File: 0000000A.00000002.804132090.0000000008A70000.00000040.00000001.sdmp, Offset: 08A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8a70000_tKZVPq.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: c49eb3ee770a528ce54df98823d478d85ef38863fc372e5a1e36733061fb30d7
Instruction ID: 620f015a6313a2ab3c6eeac867fe21843d48ee96b884e5b102e6c07cc12e5ff4
Opcode Fuzzy Hash: c49eb3ee770a528ce54df98823d478d85ef38863fc372e5a1e36733061fb30d7
Instruction Fuzzy Hash: D8213AB5D003098FCB10CFA9C5857EEBBF4AF48224F54842AD919AB740DB789945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 08A77560, Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08A775E8

Memory Dump Source

Source File: 0000000A.00000002.804132090.0000000008A70000.00000040.00000001.sdmp, Offset: 08A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8a70000_tKZVPq.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 7cb373ce713ab8c8edb68fce3d89c5c5cbea768a19f1ba2a3cf47d9577e15f83
Instruction ID: 23522bffdf854b1306bd769ed1412b43239408258ae8bf86db26bf2572ed3525
Opcode Fuzzy Hash: 7cb373ce713ab8c8edb68fce3d89c5c5cbea768a19f1ba2a3cf47d9577e15f83
Instruction Fuzzy Hash: D12105B1D002499FCB10CFA9C9847EEBBB5BF48224F54882AD518A7640D7799954DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 08A772E0, Relevance: 1.6, APIs: 1, Instructions: 63
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 08A7735E

Memory Dump Source

Source File: 0000000A.00000002.804132090.0000000008A70000.00000040.00000001.sdmp, Offset: 08A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8a70000_tKZVPq.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: f7f6af54d707ade031c001cfeb66a4dbae59cc2be9dd5643344741e6be2bc349
Instruction ID: 537bb3688f03951b2eccb7424340a25a7b39cd39969586a87f4358ea3e290d9e
Opcode Fuzzy Hash: f7f6af54d707ade031c001cfeb66a4dbae59cc2be9dd5643344741e6be2bc349
Instruction Fuzzy Hash: 262118B1D002098FDB10DFAAC4847EEBBF8EF48254F548429D919A7740DB78A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 08A77568, Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08A775E8

Memory Dump Source

Source File: 0000000A.00000002.804132090.0000000008A70000.00000040.00000001.sdmp, Offset: 08A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8a70000_tKZVPq.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 50b63d4959d858e194309c49f5599c3d8e75165daf1e9ceced783d3257d230c9
Instruction ID: d9b14b55c42cab6dbb0d9fc990d3311e808501f6248568a7675acd2b28f05e00
Opcode Fuzzy Hash: 50b63d4959d858e194309c49f5599c3d8e75165daf1e9ceced783d3257d230c9
Instruction Fuzzy Hash: CA2128B1C002499FCF10CFA9C880BEEBBF5FF48314F508429E518A7640D7789954DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0140C0F0, Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0140C17F

Memory Dump Source

Source File: 0000000A.00000002.798747419.0000000001400000.00000040.00000001.sdmp, Offset: 01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1400000_tKZVPq.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0bbf48999b646a5a85f744878ad9a61cdd56d05332911ee4683645644c9ca188
Instruction ID: d818f8e1f2678bf6f7e91ed0baa3d9e4582b1f4ab245fe2a51adb92792e50697
Opcode Fuzzy Hash: 0bbf48999b646a5a85f744878ad9a61cdd56d05332911ee4683645644c9ca188
Instruction Fuzzy Hash: 9E21B3B5D00209DFDB10CFA9D584ADEBBF8FB48324F14852AE918A7350D378A954CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0140C0F8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0140C17F

Memory Dump Source

Source File: 0000000A.00000002.798747419.0000000001400000.00000040.00000001.sdmp, Offset: 01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1400000_tKZVPq.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d8385b6c49bec26bd1943c8d12becbc2a7afff309e8dc365c1666741706649bc
Instruction ID: 82007ad5d15044f6f0fa090111987bc7bfdff4786e17aefd8a8dad4f864a03b8
Opcode Fuzzy Hash: d8385b6c49bec26bd1943c8d12becbc2a7afff309e8dc365c1666741706649bc
Instruction Fuzzy Hash: 3421C6B5D00209DFDB10CFAAD584ADEBBF8FB48314F14852AE914A7350D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01409AE8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0140A191,00000800,00000000,00000000), ref: 0140A3A2

Memory Dump Source

Source File: 0000000A.00000002.798747419.0000000001400000.00000040.00000001.sdmp, Offset: 01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1400000_tKZVPq.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1444e95974a7160ebb8f4730d1096f9e26bdd1a31aee9d284237bf3464590345
Instruction ID: 3a758196a0ac5817b2b53f1f6de97d12f7251c751276ff8804d5dcc80709189b
Opcode Fuzzy Hash: 1444e95974a7160ebb8f4730d1096f9e26bdd1a31aee9d284237bf3464590345
Instruction Fuzzy Hash: 601103B69003098FDB10CF9AD444BDEFBF8AB58314F14842AE915A7350C3B8A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08A773B0, Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08A77426

Memory Dump Source

Source File: 0000000A.00000002.804132090.0000000008A70000.00000040.00000001.sdmp, Offset: 08A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8a70000_tKZVPq.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c76af5d1ce2b4aa8b8a6f001179d025d6a2dd38385951d10f09f813da81fa81c
Instruction ID: 9389aaf90f75ad418eb353d5e776c9f2a1421d96ca412d8949d6c7bb101a7d06
Opcode Fuzzy Hash: c76af5d1ce2b4aa8b8a6f001179d025d6a2dd38385951d10f09f813da81fa81c
Instruction Fuzzy Hash: 051189768002088FCF10CFE9C8447EEBBF9AF48324F14882AD519A7650CB799954CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 08A773B8, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08A77426

Memory Dump Source

Source File: 0000000A.00000002.804132090.0000000008A70000.00000040.00000001.sdmp, Offset: 08A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8a70000_tKZVPq.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: da3ee51fded656605feacbab8cdb06272f898f45e222c58cb5b5fbd2676b2ef6
Instruction ID: e3f51f7669949bd4c096c3e47c43b7a7c5029f9cfb1db6c8c097c90eda7add7a
Opcode Fuzzy Hash: da3ee51fded656605feacbab8cdb06272f898f45e222c58cb5b5fbd2676b2ef6
Instruction Fuzzy Hash: E41126759002099FCF10DFE9C844BEEBBF9AF48324F148829D519A7650CB759954DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0140A333, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0140A191,00000800,00000000,00000000), ref: 0140A3A2

Memory Dump Source

Source File: 0000000A.00000002.798747419.0000000001400000.00000040.00000001.sdmp, Offset: 01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1400000_tKZVPq.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 210871bf97c28088821589b9d1b8521dc1b3672e3538741b4b1d3b20359b3024
Instruction ID: 174916c80167e39dd68f66faa1891f59f33db46c2c0f67f0c08b16e8d3defdc7
Opcode Fuzzy Hash: 210871bf97c28088821589b9d1b8521dc1b3672e3538741b4b1d3b20359b3024
Instruction Fuzzy Hash: FB1114B69003498FDB14CFAAD444BDEFBF8AF98310F14842AD915A7740C3B8A545CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 08A77228, Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 08A77292

Memory Dump Source

Source File: 0000000A.00000002.804132090.0000000008A70000.00000040.00000001.sdmp, Offset: 08A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8a70000_tKZVPq.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: af3f03a17407609509de3a5e460e0b250b96ec7967977d2509623ed6a6b4becb
Instruction ID: 09243a5c91fc35234c09e977c96bffa32cd06779f6323a79664e03ea85897c85
Opcode Fuzzy Hash: af3f03a17407609509de3a5e460e0b250b96ec7967977d2509623ed6a6b4becb
Instruction Fuzzy Hash: C01158B5D002098FDB10DFE9C5447EEBBF9AF48224F24882AC529B7740DB799945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 08A77230, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 08A77292

Memory Dump Source

Source File: 0000000A.00000002.804132090.0000000008A70000.00000040.00000001.sdmp, Offset: 08A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8a70000_tKZVPq.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 290a128a783d5b6d5a0f3e4de4bebb3ad3ee7d2389c15650ddc78ff78461bb24
Instruction ID: 3f8901a4374a41e9dc0624805be0aa56e34b256326162b8ae8d76213a9129690
Opcode Fuzzy Hash: 290a128a783d5b6d5a0f3e4de4bebb3ad3ee7d2389c15650ddc78ff78461bb24
Instruction Fuzzy Hash: 2F110AB1D042498FDB10DFAAC4447EFFBF9AF48224F148829D519A7740DB79A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0140A0B0, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0140A116

Memory Dump Source

Source File: 0000000A.00000002.798747419.0000000001400000.00000040.00000001.sdmp, Offset: 01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1400000_tKZVPq.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 810ca41b6d03ae5983ca01b5309f357036d727a77f55ced725357bdb5a95275f
Instruction ID: 7da821b1d34d78a2b25fb1d3fc02c1fcb13c7ffa8038a91c82343ca1cbbae5d6
Opcode Fuzzy Hash: 810ca41b6d03ae5983ca01b5309f357036d727a77f55ced725357bdb5a95275f
Instruction Fuzzy Hash: 1C110FB5C003498FDB10CF9AC444BDEFBF8AB88224F24842AD529B7750D379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08A79DB0, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 08A79E15

Memory Dump Source

Source File: 0000000A.00000002.804132090.0000000008A70000.00000040.00000001.sdmp, Offset: 08A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8a70000_tKZVPq.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6ddcfe499b4de840226f0a2ceea650e5495befff4acd505656567fbd3e708c07
Instruction ID: 2d15a957f8bfbcba948c075a89d3f61a911bab2dd5d6db7d773fb8d5360cd4ca
Opcode Fuzzy Hash: 6ddcfe499b4de840226f0a2ceea650e5495befff4acd505656567fbd3e708c07
Instruction Fuzzy Hash: 6B11F2B58002498FCB10CF99D984BDEBBF8FB48324F14842AD558A7700D379A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08A79DB8, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 08A79E15

Memory Dump Source

Source File: 0000000A.00000002.804132090.0000000008A70000.00000040.00000001.sdmp, Offset: 08A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8a70000_tKZVPq.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d081f2e7da2d5d35bda7f2618741e5760a19ce6d14a809597f215a7e5dc59f91
Instruction ID: 4cde7002a48f8c2537dafbb5353ad143fa534d0c534ced95853eee3d27f36e20
Opcode Fuzzy Hash: d081f2e7da2d5d35bda7f2618741e5760a19ce6d14a809597f215a7e5dc59f91
Instruction Fuzzy Hash: AC11C2B58003499FDB10DF99D984BDEBBF8FB48324F14841AD554A7700D379A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 013AD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.798580965.00000000013AD000.00000040.00000001.sdmp, Offset: 013AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13ad000_tKZVPq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9852933b093ce52029f14a6c77dece139803dd1ee9de4a3fc3ba500bf6aaf48
Instruction ID: 80fb28080f4b79bcb25005812462870b8cae8ab62febb5ede855f76878f5cfb0
Opcode Fuzzy Hash: a9852933b093ce52029f14a6c77dece139803dd1ee9de4a3fc3ba500bf6aaf48
Instruction Fuzzy Hash: F4213471544204DFCB11CFA4D8C4B26BBA9FB88358F60C969E80A4FB46C73AD847CB61

Uniqueness

Uniqueness Score: -1.00%

Function 013AD1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.798580965.00000000013AD000.00000040.00000001.sdmp, Offset: 013AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13ad000_tKZVPq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3352643328cbeb29338111153fdf9c76a051b388debac7c43bae171f1b1e79be
Instruction ID: f35473e0032bdfe226e6a548ce1c700ab7cb491c925033e6f3b786c87892d70a
Opcode Fuzzy Hash: 3352643328cbeb29338111153fdf9c76a051b388debac7c43bae171f1b1e79be
Instruction Fuzzy Hash: 3D212975504204DFDB05CF94D9C4B2ABBA9FB8432CF64C96DE8094BB42C73AD846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 013AD006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.798580965.00000000013AD000.00000040.00000001.sdmp, Offset: 013AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13ad000_tKZVPq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1bd06c66196a66e8da304e5eca9a60bc1fb39d758ccafa4ed05a898ff35ea23
Instruction ID: 98e848422aa2827ea34ff4660236438e38a52f0d4e8af306471df8e6580a40bd
Opcode Fuzzy Hash: f1bd06c66196a66e8da304e5eca9a60bc1fb39d758ccafa4ed05a898ff35ea23
Instruction Fuzzy Hash: AD2162755483809FCB03CF64D994B11BF71EF46214F28C5DAD8858F6A7C33A985ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 013AD1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.798580965.00000000013AD000.00000040.00000001.sdmp, Offset: 013AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13ad000_tKZVPq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad2a8cfca3367af31ed8fccdba65c6857044cb1be902d9aeec9971aaaa20cc2e
Instruction ID: 9c495f1ec1de08cdf89e93b07d7c117c8d5963d0fec4105754af4ad7287eca75
Opcode Fuzzy Hash: ad2a8cfca3367af31ed8fccdba65c6857044cb1be902d9aeec9971aaaa20cc2e
Instruction Fuzzy Hash: 19118B75504280DFDB12CF54D5C4B15BBB1FB84228F28C6AAD8494BA96C33AD45ACB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report order - 922 - LongWay..exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Function 0154BEC0, Relevance: 6.1, APIs: 4, Instructions: 124
threadCOMMON

Function 0154BED0, Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Function 075E76F6, Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Function 075E7700, Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 01549ED0, Relevance: 1.7, APIs: 1, Instructions: 192
COMMON

Function 01545554, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 01543E30, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 075E7560, Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Function 075E7470, Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Function 075E7478, Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 075E72DA, Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Function 0154C0F0, Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 075E7568, Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 075E72E0, Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre