Windows Analysis Report
SecuriteInfo.com.Trojan.GenericKD.39649730.16343.2439

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.2439 (renamed file extension from 2439 to exe)
Analysis ID: 626423
MD5: 351a6ff6c8aef2f1f3fcc9cd8c0dfd8e
SHA1: 86b49c51155b6e3997a45e0ad1adef77722d4f6e
SHA256: 6099e48acdfc2f116c21d55e3aff1a1b7bc0d4c5841ee5506f762cd66935ca2e
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • cleanup
{"Exfil Mode": "SMTP", "Username": "v.saniuk@ibc.by", "Password": "QWErty654321", "Host": "webmail.active.by"}
Source | Rule | Description | Author | Strings
00000004.00000000.272202502.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000000.272202502.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000004.00000000.272808462.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000000.272808462.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000004.00000002.510960801.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 16 entries shown)
Source | Rule | Description | Author | Strings
4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.6.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.6.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | see strings below
  • 0x32d6f:$s10: logins
  • 0x327d6:$s11: credential
  • 0x2ed99:$g1: get_Clipboard
  • 0x2eda7:$g2: get_Keyboard
  • 0x2edb4:$g3: get_Password
  • 0x300af:$g4: get_CtrlKeyDown
  • 0x300bf:$g5: get_ShiftKeyDown
  • 0x300d0:$g6: get_AltKeyDown
4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.8.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
(5 of 32 entries shown)
No Sigma rule has matched
No Snort rule has matched

                    AV Detection

                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.6.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "v.saniuk@ibc.by", "Password": "QWErty654321", "Host": "webmail.active.by"}
Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeVirustotal: Detection: 33%
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeReversingLabs: Detection: 43%
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeJoe Sandbox ML: detected
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.6.unpackAvira: Label: TR/Spy.Gen8
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.4.unpackAvira: Label: TR/Spy.Gen8
                    Source: 4.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.8.unpackAvira: Label: TR/Spy.Gen8
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.12.unpackAvira: Label: TR/Spy.Gen8
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.10.unpackAvira: Label: TR/Spy.Gen8
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: Binary string: AssemblyAlgorithmIdAttrib.pdb source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: Joe Sandbox ViewIP Address: 185.47.152.61 185.47.152.61
                    Source: global trafficTCP traffic: 192.168.2.3:49745 -> 185.47.152.61:587
                    Source: global trafficTCP traffic: 192.168.2.3:49745 -> 185.47.152.61:587
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://WuEWlY.com
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513128375.00000000013A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/RapidSSLTLSDVRSAMixedSHA2562
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514453925.0000000003227000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513128375.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514578396.000000000326D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.517074812.0000000006A80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/RapidSSLTLSDVRSAMixedSHA2562020CA-1.crt0
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513128375.00000000013A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRoot
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514453925.0000000003227000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513128375.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514578396.000000000326D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.517074812.0000000006A80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514453925.0000000003227000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513128375.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514578396.000000000326D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.517074812.0000000006A80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/RapidSSLTLSDVRSAMixedSHA2562020CA-1.crl0F
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514453925.0000000003227000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513128375.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514578396.000000000326D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.517074812.0000000006A80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514453925.0000000003227000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513128375.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514578396.000000000326D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.517074812.0000000006A80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/RapidSSLTLSDVRSAMixedSHA2562020CA-1.crl0
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514453925.0000000003227000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513128375.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514578396.000000000326D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.517074812.0000000006A80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514453925.0000000003227000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513128375.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514578396.000000000326D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.517074812.0000000006A80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514453925.0000000003227000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514578396.000000000326D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://webmail.active.by
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.252248930.0000000005351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514453925.0000000003227000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513128375.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514578396.000000000326D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.517074812.0000000006A80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.288764673.0000000005340000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com=
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.288764673.0000000005340000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comoitu3
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259518998.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259130181.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259303763.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.260320170.000000000537D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259791661.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259701206.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259471979.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259344901.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259609928.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259911250.000000000537D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259056672.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259200492.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259281371.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 
00000000.00000003.260182995.000000000537D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259547743.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259577319.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259756828.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259947152.000000000537D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.260104307.000000000537D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.258994813.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.260143045.000000000537D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.251445922.0000000005346000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr&
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.251445922.0000000005346000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.krFT
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.251445922.0000000005346000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kry
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.253829018.0000000005342000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.253829018.0000000005342000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.253829018.0000000005342000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.251445922.0000000005346000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.251445922.0000000005346000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.krN.TTFp
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.251445922.0000000005346000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.krl
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://SF7VJVWyAkXSzaT8.com
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://SF7VJVWyAkXSzaT8.com8
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514453925.0000000003227000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513128375.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514578396.000000000326D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.517074812.0000000006A80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514453925.0000000003227000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513128375.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514578396.000000000326D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.517074812.0000000006A80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/rpa-ua0
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
                    Source: unknownDNS traffic detected: queries for: webmail.active.by

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 4_2_06140A00 SetWindowsHookExW 0000000D,00000000,?,?4_2_06140A00
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.282397564.00000000007CB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeWindow created: window name: CLIPBRDWNDCLASS

                    System Summary

                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.362ae48.6.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.381cbe0.9.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.381cbe0.9.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.35eec28.7.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.3792bc0.8.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.3792bc0.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.362ae48.6.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.6.unpack, <PrivateImplementationDetails>{013FCCA8-334B-42A6-860C-0A2952AECF4D}/49CD056C-0F9E-4C46-B528-409690A756E9.cs | Large array initialization: .cctor: array initializer size 11653
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.4.unpack, <PrivateImplementationDetails>{013FCCA8-334B-42A6-860C-0A2952AECF4D}/49CD056C-0F9E-4C46-B528-409690A756E9.cs | Large array initialization: .cctor: array initializer size 11653
                    Source: 4.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.0.unpack, <PrivateImplementationDetails>{013FCCA8-334B-42A6-860C-0A2952AECF4D}/49CD056C-0F9E-4C46-B528-409690A756E9.cs | Large array initialization: .cctor: array initializer size 11653
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.8.unpack, <PrivateImplementationDetails>{013FCCA8-334B-42A6-860C-0A2952AECF4D}/49CD056C-0F9E-4C46-B528-409690A756E9.cs | Large array initialization: .cctor: array initializer size 11653
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.362ae48.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.381cbe0.9.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.381cbe0.9.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.35eec28.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.3792bc0.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.3792bc0.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.362ae48.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 0_2_00AE4358
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 0_2_00AE40A9
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 0_2_00AE40B8
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 0_2_00AE4348
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 0_2_06E058C0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 0_2_06E05498
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 0_2_06E0549D
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 0_2_06E00040
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 0_2_06E00007
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 0_2_06E06A08
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 0_2_06E06A10
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 0_2_06E06A14
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 0_2_06E06A18
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 0_2_06E058B0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 0_2_06E058B5
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 0_2_082AA1D0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 0_2_082A0027
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 0_2_082A0040
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 0_2_082A0047
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 0_2_082A241C
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 4_2_0153F6F8
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 4_2_0153FA40
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 4_2_015368E0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 4_2_06144850
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 4_2_0614A400
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 4_2_068384F8
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 4_2_0683C388
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 4_2_0683A820
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 4_2_0683B070
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 4_2_06831D28
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 4_2_06833330
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.282397564.00000000007CB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.281942975.0000000000138000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAssemblyAlgorithmIdAttrib.exe6 vs SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.286867007.0000000003710000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.286867007.0000000003710000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIkjHJGXBvmBwCsuTExjaqdeEkQFeYXMasbly.exe4 vs SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289942459.0000000006E10000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.284509153.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIkjHJGXBvmBwCsuTExjaqdeEkQFeYXMasbly.exe4 vs SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.286449493.00000000035EE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIkjHJGXBvmBwCsuTExjaqdeEkQFeYXMasbly.exe4 vs SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000000.270549680.0000000000D58000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAssemblyAlgorithmIdAttrib.exe6 vs SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.512519059.00000000010F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000000.272808462.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIkjHJGXBvmBwCsuTExjaqdeEkQFeYXMasbly.exe4 vs SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Binary or memory string: OriginalFilenameAssemblyAlgorithmIdAttrib.exe6 vs SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Virustotal: Detection: 33%
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | ReversingLabs: Detection: 43%
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.log
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/1
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, Ke/F9.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.90000.0.unpack, Ke/F9.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.90000.0.unpack, Ke/F9.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.7.unpack, Ke/F9.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.3.unpack, Ke/F9.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.0.unpack, Ke/F9.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: AssemblyAlgorithmIdAttrib.pdb source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe

                    Data Obfuscation

                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, Ke/F9.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.90000.0.unpack, Ke/F9.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.7.unpack, Ke/F9.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.3.unpack, Ke/F9.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.0.unpack, Ke/F9.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.9.unpack, Ke/F9.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 4.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.1.unpack, Ke/F9.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 0_2_00AEA234 push esp; retf 0_2_00AEA235
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 0_2_00AE8D7E push esp; retf 0_2_00AE8D7F
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 0_2_00AE914C push esp; retf 0_2_00AE914D
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 0_2_00AE973B push esp; retf 0_2_00AE973C
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 0_2_00AE9BF5 push esp; retf 0_2_00AE9BF6
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 0_2_082A35CC pushfd ; retf 0_2_082A35CF
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 0_2_082A3610 push esp; retf 0_2_082A3617
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 4_2_0614E340 push es; ret 4_2_0614E350
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 4_2_0683178F push es; ret 4_2_068318C4
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 4_2_0683179B push es; ret 4_2_068318C4
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 4_2_068317EB push es; ret 4_2_068318C4
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 4_2_06831753 push es; ret 4_2_068318C4
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 4_2_06833330 push es; iretd 4_2_068340B0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 4_2_068340B1 push es; iretd 4_2_06834148
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 4_2_068318E5 push es; ret 4_2_06831910
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 4_2_06831817 push es; ret 4_2_068318C4
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 4_2_0683181B push es; ret 4_2_068318C4
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 4_2_06831867 push es; ret 4_2_068318C4
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 4_2_068341D9 push es; iretd 4_2_068341E0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Code function: 4_2_06834149 push es; iretd 4_2_068341D8
                    Source: initial sample | Static PE information: section name: .text entropy: 7.76001062943
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: Yara match File source: 00000000.00000002.284509153.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe PID: 3692, type: MEMORYSTR
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.284509153.00000000024F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.284509153.00000000024F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe TID: 5956 Thread sleep time: -45733s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe TID: 2196 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe TID: 2200 Thread sleep time: -14757395258967632s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe TID: 5000 Thread sleep count: 3204 > 30
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe TID: 5000 Thread sleep count: 5632 > 30
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Window / User API: threadDelayed 3204
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Window / User API: threadDelayed 5632
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Thread delayed: delay time: 45733
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Thread delayed: delay time: 922337203685477
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513128375.00000000013A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllervices\Tcpip\Parameters|NumForwardPacketsPMTUBHDetectEnabled
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.284509153.00000000024F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.284509153.00000000024F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.284509153.00000000024F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.284509153.00000000024F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Code function: 4_2_06837E48 LdrInitializeThunk, 4_2_06837E48
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, Ke/F9.cs Reference to suspicious API methods: ('ldi', 'GetProcAddress@kernel32'), ('Kdd', 'LoadLibrary@kernel32')
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.90000.0.unpack, Ke/F9.cs Reference to suspicious API methods: ('ldi', 'GetProcAddress@kernel32'), ('Kdd', 'LoadLibrary@kernel32')
                    Source: 0.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.90000.0.unpack, Ke/F9.cs Reference to suspicious API methods: ('ldi', 'GetProcAddress@kernel32'), ('Kdd', 'LoadLibrary@kernel32')
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.7.unpack, Ke/F9.cs Reference to suspicious API methods: ('ldi', 'GetProcAddress@kernel32'), ('Kdd', 'LoadLibrary@kernel32')
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.3.unpack, Ke/F9.cs Reference to suspicious API methods: ('ldi', 'GetProcAddress@kernel32'), ('Kdd', 'LoadLibrary@kernel32')
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.0.unpack, Ke/F9.cs Reference to suspicious API methods: ('ldi', 'GetProcAddress@kernel32'), ('Kdd', 'LoadLibrary@kernel32')
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.9.unpack, Ke/F9.cs Reference to suspicious API methods: ('ldi', 'GetProcAddress@kernel32'), ('Kdd', 'LoadLibrary@kernel32')
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.6.unpack, A/E1.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.4.unpack, A/E1.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: 4.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.0.unpack, A/E1.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: 4.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.1.unpack, Ke/F9.cs Reference to suspicious API methods: ('ldi', 'GetProcAddress@kernel32'), ('Kdd', 'LoadLibrary@kernel32')
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.8.unpack, A/E1.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

Source: Yara match | File source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.362ae48.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.381cbe0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.381cbe0.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.35eec28.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.3792bc0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.362ae48.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.272202502.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.272808462.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.510960801.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.286867007.0000000003710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.273600180.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.274625372.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.286449493.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe PID: 3692, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe PID: 2560, type: MEMORYSTR
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe PID: 2560, type: MEMORYSTR
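The file and registry accesses listed above are what the report's "Tries to steal Mail credentials", "Tries to harvest and steal Putty / WinSCP information", "Tries to harvest and steal ftp login credentials" and "Tries to harvest and steal browser information" signatures are built on: one process touching the on-disk stores of several unrelated clients. The following is an added triage example, not Joe Sandbox code and not part of this report: it parses behaviour rows in the shape shown above (with or without the "Source: ..." prefix and "Jump to behavior" link text), maps each target to a credential-store category, and flags the process when it crosses several categories. The category names, the regular expressions and the three-category threshold are the editor's assumptions, and the embedded rows are a constructed sample modelled on the ones in this section.

```python
"""
Triage helper: map sandbox "File opened" / "Key opened" behaviour rows to the
credential stores they touch and decide whether the pattern looks like a
credential harvester. Added example for this report; not Joe Sandbox code.
"""
import re
from collections import defaultdict

# Category labels and the threshold below are the editor's assumptions, chosen
# to mirror the report's signature wording (mail / ftp / WinSCP / browser).
CREDENTIAL_STORES = [
    ("mail",    re.compile(r"\\Thunderbird\\profiles\.ini$", re.I)),
    ("mail",    re.compile(r"\\Windows Messaging Subsystem\\Profiles\\", re.I)),
    ("mail",    re.compile(r"\\IncrediMail\\Identities$", re.I)),
    ("sftp",    re.compile(r"\\Martin Prikryl\\WinSCP 2\\Sessions$", re.I)),
    ("ftp",     re.compile(r"\\SmartFTP\\Client 2\.0\\Favorites\\", re.I)),
    ("ftp",     re.compile(r"\\FileZilla\\(recentservers|sitemanager)\.xml$", re.I)),
    ("browser", re.compile(r"\\Mozilla\\Firefox\\profiles\.ini$", re.I)),
    ("browser", re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(Cookies|Login Data)$", re.I)),
]

# A behaviour row as it appears in the report: optional "Source: <exe>" prefix
# fused to the event kind, and an optional trailing "Jump to behavior" link text.
ROW_RE = re.compile(r"(File opened|Key opened|Key value queried): (.*?)(?:Jump to behavior)?$")


def classify(row):
    """Return (event_kind, target, category) for one row, or None when the row
    is not a file/registry access. category is None for targets that are not a
    known credential store (fonts, MachineGuid, ...)."""
    m = ROW_RE.search(row.strip())
    if not m:
        return None
    kind, target = m.group(1), m.group(2)
    for category, pattern in CREDENTIAL_STORES:
        if pattern.search(target):
            return kind, target, category
    return kind, target, None


def summarize(rows):
    """Group every matched credential-store target under its category."""
    hits = defaultdict(list)
    for row in rows.splitlines():
        parsed = classify(row)
        if parsed and parsed[2] is not None:
            hits[parsed[2]].append(parsed[1])
    return dict(hits)


def is_credential_harvest(summary, min_categories=3):
    """A mail client reads mail profiles and an FTP client reads FTP site lists;
    one process reading several unrelated categories is the stealer pattern."""
    return len(summary) >= min_categories


# Constructed sample in the shape of the report's rows; the font and MachineGuid
# rows are included as non-credential noise that must not be counted.
SAMPLE_ROWS = r"""
Source: sample.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
Source: sample.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
Source: sample.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
Source: sample.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
Source: sample.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\Jump to behavior
Source: sample.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
Source: sample.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
Source: sample.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
Source: sample.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
Source: sample.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
Source: sample.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE_ROWS)
    for category, targets in sorted(summary.items()):
        print(f"{category}: {len(targets)} target(s)")
        for target in targets:
            print("   ", target)
    print("credential harvester pattern:", is_credential_harvest(summary))
```

Run stand-alone it reports three mail targets, two ftp, one sftp and three browser targets and flags the sample; the same four-category spread is what an endpoint detection would key on (a single process opening Thunderbird, Outlook, WinSCP and Chrome stores within seconds), whereas any one category alone is ordinary client behaviour and stays below the threshold.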

                    Remote Access Functionality

Source: Yara match | File source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.362ae48.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.381cbe0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.381cbe0.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.35eec28.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.3792bc0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.362ae48.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.272202502.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.272808462.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.510960801.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.286867007.0000000003710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.273600180.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.274625372.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.286449493.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe PID: 3692, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe PID: 2560, type: MEMORYSTR
MITRE ATT&CK Matrix

The report's grid, listed per tactic column. A technique that carries a bracketed number is one the report marked in the grid (the number is the grid's counter, copied as shown); the other entries are the grid's unmarked cells.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [211]; Native API [1]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection [111]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [131]; Process Injection [111]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [13]
Credential Access: OS Credential Dumping [2]; Input Capture [211]; Credentials in Registry [1]; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery [211]; Process Discovery [1]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; Remote System Discovery [1]; System Information Discovery [114]; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Email Collection [1]; Input Capture [211]; Archive Collected Data [11]; Data from Local System [2]; Clipboard Data [1]; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [11]; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
                    SourceDetectionScannerLabelLink
                    SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe33%VirustotalBrowse
                    SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe44%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
                    SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe100%Joe Sandbox ML
                    No Antivirus matches
                    SourceDetectionScannerLabelLinkDownload
                    4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.6.unpack100%AviraTR/Spy.Gen8Download File
                    4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.4.unpack100%AviraTR/Spy.Gen8Download File
                    4.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                    4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.8.unpack100%AviraTR/Spy.Gen8Download File
                    4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.12.unpack100%AviraTR/Spy.Gen8Download File
                    4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.10.unpack100%AviraTR/Spy.Gen8Download File
                    No Antivirus matches
Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kry | 0% | Avira URL Cloud | safe
http://www.sandoll.co.krN.TTFp | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://WuEWlY.com | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
http://www.sandoll.co.krl | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.fontbureau.comoitu3 | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp// | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.goodfont.co.krFT | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://SF7VJVWyAkXSzaT8.com | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr& | 0% | Avira URL Cloud | safe
http://www.fontbureau.com= | 0% | Avira URL Cloud | safe
https://SF7VJVWyAkXSzaT8.com8 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
webmail.active.by | 185.47.152.61 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.252248930.0000000005351000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kry | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.251445922.0000000005346000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sandoll.co.krN.TTFp | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.251445922.0000000005346000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://WuEWlY.com | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.krl | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.251445922.0000000005346000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.253829018.0000000005342000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://webmail.active.by | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514453925.0000000003227000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514578396.000000000326D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.typography.netD | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comoitu3 | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.288764673.0000000005340000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259518998.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259130181.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259303763.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.260320170.000000000537D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259791661.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259701206.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259471979.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259344901.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259609928.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259911250.000000000537D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259056672.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259200492.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259281371.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.260182995.000000000537D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259547743.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259577319.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259756828.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259947152.000000000537D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.260104307.000000000537D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.258994813.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.260143045.000000000537D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp// | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.253829018.0000000005342000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.253829018.0000000005342000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.krFT | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.251445922.0000000005346000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.251445922.0000000005346000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://SF7VJVWyAkXSzaT8.com | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr& | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.251445922.0000000005346000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com= | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.288764673.0000000005340000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://SF7VJVWyAkXSzaT8.com8 | SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.47.152.61 | webmail.active.by | Belarus | 202090 | ACTIVECLOUD-BY-ASBY | false
                                            Joe Sandbox Version:34.0.0 Boulder Opal
                                            Analysis ID:626423
Start date and time:2022-05-14 00:37:32 +02:00
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 8m 58s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Sample file name:SecuriteInfo.com.Trojan.GenericKD.39649730.16343.2439 (renamed file extension from 2439 to exe)
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:29
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.spyw.evad.winEXE@3/2@2/1
                                            EGA Information:
                                            • Successful, ratio: 100%
                                            HDC Information:
                                            • Successful, ratio: 1.3% (good quality ratio 1.1%)
                                            • Quality average: 65.1%
                                            • Quality standard deviation: 39.4%
                                            HCA Information:
                                            • Successful, ratio: 96%
                                            • Number of executed functions: 31
                                            • Number of non-executed functions: 17
                                            Cookbook Comments:
                                            • Adjust boot time
                                            • Enable AMSI
                                            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
                                            • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, go.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
00:38:43 | API Interceptor | 735x Sleep call for process: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe modified
Match | Associated Sample Name / URL | Detection
185.47.152.61 | scanned copy(01).exe | malicious
 | Payment Schedule.exe.exe | malicious
 | PO FOR SPEED MARKS PVT LIMITED DOCUMENTS.exe | malicious
 | SecuriteInfo.com.Trojan.YakbeexMSIL.ZZ4.3348.exe | malicious
 | Po__04022021.exe | malicious
 | INVOICE.exe | malicious
 | PO11-031176.exe | malicious
 | INVOICE532919.exe | malicious
 | Invoice copy.img.scan.jpeg.exe | malicious
 | invoice copy.exe | malicious
 | HBL-COPY.eml.exe | malicious
 | cancelled order details.XLs.bit.exe | malicious
 | Payment Notification.exe | malicious
 | Payment Transfer Slip.exe | malicious
Match | Associated Sample Name / URL | Detection | Context
webmail.active.by | scanned copy(01).exe | malicious | 185.47.152.61
 | MST-DOCUMENT(1).psi.exe | malicious | 185.47.152.61
 | Payment Schedule.exe.exe | malicious | 185.47.152.61
 | PO FOR SPEED MARKS PVT LIMITED DOCUMENTS.exe | malicious | 185.47.152.61
 | SecuriteInfo.com.Trojan.YakbeexMSIL.ZZ4.3348.exe | malicious | 185.47.152.61
 | Po__04022021.exe | malicious | 185.47.152.61
 | INVOICE.exe | malicious | 185.47.152.61
 | PO11-031176.exe | malicious | 185.47.152.61
 | INVOICE532919.exe | malicious | 185.47.152.61
 | Invoice copy.img.scan.jpeg.exe | malicious | 185.47.152.61
 | invoice copy.exe | malicious | 185.47.152.61
 | HBL-COPY.eml.exe | malicious | 185.47.152.61
 | cancelled order details.XLs.bit.exe | malicious | 185.47.152.61
 | Payment Notification.exe | malicious | 185.47.152.61
 | Payment Transfer Slip.exe | malicious | 185.47.152.61
Match | Associated Sample Name / URL | Detection | Context
ACTIVECLOUD-BY-ASBY | scanned copy(01).exe | malicious | 185.47.152.61
 | Payment Schedule.exe.exe | malicious | 185.47.152.61
 | PO FOR SPEED MARKS PVT LIMITED DOCUMENTS.exe | malicious | 185.47.152.61
 | SecuriteInfo.com.Trojan.YakbeexMSIL.ZZ4.3348.exe | malicious | 185.47.152.61
 | Po__04022021.exe | malicious | 185.47.152.61
 | INVOICE.exe | malicious | 185.47.152.61
 | PO11-031176.exe | malicious | 185.47.152.61
 | INVOICE532919.exe | malicious | 185.47.152.61
 | Invoice copy.img.scan.jpeg.exe | malicious | 185.47.152.61
 | invoice copy.exe | malicious | 185.47.152.61
 | HBL-COPY.eml.exe | malicious | 185.47.152.61
 | cancelled order details.XLs.bit.exe | malicious | 185.47.152.61
 | Payment Notification.exe | malicious | 185.47.152.61
 | Payment Transfer Slip.exe | malicious | 185.47.152.61
                                                                        No context
                                                                        No context
                                                                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):1308
                                                                        Entropy (8bit):5.345811588615766
                                                                        Encrypted:false
                                                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                                                        MD5:2E016B886BDB8389D2DD0867BE55F87B
                                                                        SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                                                        SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                                                        SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                                                        Malicious:true
                                                                        Reputation:high, very likely benign file
                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
Process: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.6970840431455908
Encrypted: false
SSDEEP: 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5: 00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1: 14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256: 8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512: 159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious: false
Reputation: high, very likely benign file
                                                                        Preview:SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.751594485393351
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
File size: 675840 bytes
MD5: 351a6ff6c8aef2f1f3fcc9cd8c0dfd8e
SHA1: 86b49c51155b6e3997a45e0ad1adef77722d4f6e
SHA256: 6099e48acdfc2f116c21d55e3aff1a1b7bc0d4c5841ee5506f762cd66935ca2e
SHA512: c4f7c6857b511e50ada9fcc4ccd149a39dce2903f8e58ab38126794847f264ba9069c4de64a46a9f5065ba3781b1a61380a653799d3cd31aca57220c4b2853e6
SSDEEP: 12288:s/RR9cMw+idI0lWyrzmdcRURevzuVKane+jQ+oEvf7p97QbW:4qAOzlZemuVBne3Zap
TLSH: 8BE4F17DF2E78E63CB2522B6C0EB590403A05A5BD673E3AA2B4151E54D03BD39D42BC7
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....~b..............0..H...........f... ........@.. ....................................@................................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x4a660e (virtual address; RVA 0xa660e, the last 6 bytes of the .text virtual size)
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x627E0DE1 [Fri May 13 07:50:57 2022 UTC]
TLS Callbacks: none
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the line above is repeated 97 times in the listing: it is the zero padding that follows the 6-byte jmp stub FF 25 00 20 40 00, and a linear disassembler decodes each 00 00 pair as add byte ptr [eax], al)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xa65c0          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xa8000          0x3bc         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xaa000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xa655f          0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Sections (Name, Virtual Address, Virtual Size, Raw Size, Xored PE, ZLIB Complexity, File Type, Entropy, Characteristics)
.text
  Virtual Address: 0x2000   Virtual Size: 0xa4614   Raw Size: 0xa4800
  Xored PE: False   ZLIB Complexity: 0.872511101349   File Type: SysEx File -   Entropy: 7.76001062943
  Characteristics: IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc
  Virtual Address: 0xa8000   Virtual Size: 0x3bc   Raw Size: 0x400
  Xored PE: False   ZLIB Complexity: 0.380859375   File Type: data   Entropy: 3.02433380393
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc
  Virtual Address: 0xaa000   Virtual Size: 0xc   Raw Size: 0x200
  Xored PE: False   ZLIB Complexity: 0.044921875   File Type: data   Entropy: 0.101910425663
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name        RVA      Size   Type  Language  Country
RT_VERSION  0xa8058  0x364  data
DLL          Import
mscoree.dll  _CorExeMain
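As a worked check on the static data above (an added example, not code from the Joe Sandbox report): the entry point is listed as the virtual address 0x4a660e, i.e. RVA 0xa660e inside .text, and the instruction there is jmp dword ptr [00402000h], whose operand minus the image base is RVA 0x2000, exactly the IAT directory (0x2000, 8 bytes). That single IAT slot holds the address of mscoree!_CorExeMain, the only import, and the COM descriptor (CLR header) directory is populated. Together that is the standard native entry stub of a .NET executable, so the code of interest is managed IL rather than what the x86 listing shows. The script below reproduces that reasoning from the report's own values and also applies the entropy rule of thumb a reviewer uses to read the .text figure (7.76 bits/byte) as compressed or encrypted payload. The constants are copied from the report, the entry bytes are constructed from the listed disassembly, and the 7.2 threshold is an assumption.

```python
"""Static triage of the PE metadata in the report (added example, not Joe Sandbox code).

Two checks reproduced from the listed values:
  1. the entry point is the 6-byte x86 stub  FF 25 <abs32>  (jmp dword ptr [abs32]) and
     the slot it jumps through lies inside the IAT data directory, i.e. it is the CLR
     loader thunk that resolves to mscoree!_CorExeMain;
  2. a section whose 8-bit entropy is close to 8 holds packed/encrypted data rather
     than ordinary compiled code.
"""
import math
import struct
from collections import Counter
from dataclasses import dataclass

# Values copied from the report
IMAGE_BASE = 0x400000
ENTRY_POINT_VA = 0x4A660E                  # "Entrypoint: 0x4a660e" is a VA, not an RVA
ENTRY_POINT_RVA = ENTRY_POINT_VA - IMAGE_BASE   # 0xA660E
IAT_DIRECTORY = (0x2000, 0x8)              # IMAGE_DIRECTORY_ENTRY_IAT: RVA, size
COM_DESCRIPTOR_DIRECTORY = (0x2008, 0x48)  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: RVA, size


@dataclass(frozen=True)
class Section:
    name: str
    rva: int
    vsize: int
    rawsize: int


SECTIONS = [
    Section(".text", 0x2000, 0xA4614, 0xA4800),
    Section(".rsrc", 0xA8000, 0x3BC, 0x400),
    Section(".reloc", 0xAA000, 0xC, 0x200),
]

# Constructed: the jmp listed under "Instruction" (operand 0x00402000 little-endian)
# followed by zero padding, which a linear disassembler prints as "add byte ptr [eax], al".
ENTRY_BYTES = bytes.fromhex("FF2500204000") + b"\x00" * 10


def section_for_rva(rva, sections=SECTIONS):
    """Return the section containing rva, or None when it falls in the headers or a gap.

    The loader maps the larger of virtual and raw size (rounded to the section
    alignment); using the max is close enough for a triage lookup.
    """
    for s in sections:
        if s.rva <= rva < s.rva + max(s.vsize, s.rawsize):
            return s
    return None


def decode_indirect_jmp(code, image_base=IMAGE_BASE):
    """Decode 'FF 25 imm32' (jmp dword ptr [imm32]) and return the RVA of the slot.

    On a 32-bit image the operand is an absolute virtual address, so the RVA is the
    operand minus the image base. Returns None when the bytes are not that stub.
    """
    if len(code) < 6 or code[:2] != b"\xff\x25":
        return None
    slot_va = struct.unpack_from("<I", code, 2)[0]
    if slot_va < image_base:
        return None
    return slot_va - image_base


def is_clr_entry_stub(code, iat=IAT_DIRECTORY, com=COM_DESCRIPTOR_DIRECTORY):
    """True when the entry point jumps through an IAT slot and the image has a CLR header.

    A managed executable's native entry point is exactly this thunk; the slot holds
    the address of mscoree!_CorExeMain, the only import the report lists.
    """
    slot_rva = decode_indirect_jmp(code)
    if slot_rva is None:
        return False
    iat_rva, iat_size = iat
    in_iat = iat_rva <= slot_rva < iat_rva + iat_size
    has_clr_header = com[1] > 0
    return in_iat and has_clr_header


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_packed(entropy, threshold=7.2):
    """Assumed rule of thumb: code and metadata sit well below 7 bits/byte; a value
    near 8 (the report's .text: 7.76) means compressed or encrypted payload."""
    return entropy >= threshold


def triage(code=ENTRY_BYTES, entry_rva=ENTRY_POINT_RVA, text_entropy=7.76001062943):
    """Summarise both checks; text_entropy defaults to the .text value the report lists."""
    section = section_for_rva(entry_rva)
    return {
        "entry_section": section.name if section else None,
        "iat_slot_rva": decode_indirect_jmp(code),
        "clr_entry_stub": is_clr_entry_stub(code),
        "text_packed": looks_packed(text_entropy),
    }


if __name__ == "__main__":
    print(triage())
    print("entropy of the stub bytes themselves:", round(shannon_entropy(ENTRY_BYTES), 3))
```

The same functions apply to any 32-bit .NET sample: read the entry point, image base, IAT directory and section table from the headers, and a non-stub entry point or an IAT slot outside the IAT directory is the signal that a native loader or a tampered header sits in front of the managed code.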
Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2017
Assembly Version  1.0.0.0
InternalName      AssemblyAlgorithmIdAttrib.exe
FileVersion       1.0.0.0
CompanyName       (empty)
LegalTrademarks   (empty)
Comments          (empty)
ProductName       ResetEvent
ProductVersion    1.0.0.0
FileDescription   ResetEvent
OriginalFilename  AssemblyAlgorithmIdAttrib.exe
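The TCP packet list that follows has one row per packet. As an added example (not part of the Joe Sandbox report), the parser below folds such rows into per-connection flows, letting the first packet of each endpoint pair fix which side is the client, and picks out the flows to mail and FTP service ports, which for a credential stealer are the first candidates for an exfiltration channel to pull from the pcap. The embedded rows are a subset copied from the list below (columns separated by spaces); the SERVICE_NAMES labels and the port set in exfil_candidates are assumptions.

```python
"""Fold per-packet rows from the report's TCP packet list into per-connection flows.

Added example, not part of the Joe Sandbox report. Column order is the report's:
Timestamp, Source Port, Dest Port, Source IP, Dest IP.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Copied from the report's packet list (a subset of the rows: both connections to
# 185.47.152.61:587 are represented by their opening packets and their last one).
PACKET_ROWS = """\
May 14, 2022 00:38:59.679438114 CEST 49745 587 192.168.2.3 185.47.152.61
May 14, 2022 00:38:59.746223927 CEST 587 49745 185.47.152.61 192.168.2.3
May 14, 2022 00:38:59.746365070 CEST 49745 587 192.168.2.3 185.47.152.61
May 14, 2022 00:39:02.074456930 CEST 49745 587 192.168.2.3 185.47.152.61
May 14, 2022 00:39:02.128956079 CEST 49746 587 192.168.2.3 185.47.152.61
May 14, 2022 00:39:02.194772959 CEST 587 49746 185.47.152.61 192.168.2.3
May 14, 2022 00:39:03.103952885 CEST 49746 587 192.168.2.3 185.47.152.61
"""

ROW_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) "
    r"(?P<tz>[A-Z]+) (?P<sport>\d+) (?P<dport>\d+) (?P<sip>\S+) (?P<dip>\S+)$"
)

# Assumed labels for the server ports worth a second look in a stealer report
SERVICE_NAMES = {
    25: "smtp", 465: "smtps", 587: "smtp-submission",
    21: "ftp", 990: "ftps", 80: "http", 443: "https",
}


@dataclass
class Flow:
    client: tuple          # (ip, port) of the side that sent the first packet seen
    server: tuple
    first: datetime
    last: datetime
    packets_out: int = 0   # client -> server
    packets_in: int = 0    # server -> client

    @property
    def duration(self) -> float:
        return (self.last - self.first).total_seconds()

    @property
    def service(self) -> str:
        return SERVICE_NAMES.get(self.server[1], f"tcp/{self.server[1]}")


def parse_timestamp(date, frac):
    """The report lists nanoseconds; datetime carries microseconds, so truncate."""
    base = datetime.strptime(date, "%b %d, %Y %H:%M:%S")
    return base + timedelta(microseconds=int(frac[:6].ljust(6, "0")))


def parse_rows(text):
    """Return a list of (timestamp, (src_ip, src_port), (dst_ip, dst_port))."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable packet row: {line!r}")
        packets.append((
            parse_timestamp(m["date"], m["frac"]),
            (m["sip"], int(m["sport"])),
            (m["dip"], int(m["dport"])),
        ))
    return packets


def build_flows(packets):
    """Group packets by unordered endpoint pair; the first packet seen fixes client/server."""
    flows = {}
    for ts, src, dst in packets:
        key = frozenset((src, dst))
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = Flow(client=src, server=dst, first=ts, last=ts)
        flow.last = max(flow.last, ts)
        if src == flow.client:
            flow.packets_out += 1
        else:
            flow.packets_in += 1
    return sorted(flows.values(), key=lambda f: f.first)


def exfil_candidates(flows, ports=(25, 465, 587, 21, 990)):
    """Flows to mail or FTP service ports (assumed set): the sessions to extract first."""
    return [f for f in flows if f.server[1] in ports]


if __name__ == "__main__":
    for f in build_flows(parse_rows(PACKET_ROWS)):
        print(f"{f.client[0]}:{f.client[1]} -> {f.server[0]}:{f.server[1]} "
              f"({f.service}) out={f.packets_out} in={f.packets_in} {f.duration:.3f}s")
```

Run against the full list rather than the subset, the same code yields the two submission sessions, their packet counts in each direction and their durations, which is what to line up against the SMTP credentials the stealer configuration carries.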
TCP packets (destination port 587 is the SMTP submission port)
Timestamp                             Source Port  Dest Port  Source IP      Dest IP
May 14, 2022 00:38:59.679438114 CEST  49745        587        192.168.2.3    185.47.152.61
May 14, 2022 00:38:59.746223927 CEST  587          49745      185.47.152.61  192.168.2.3
May 14, 2022 00:38:59.746365070 CEST  49745        587        192.168.2.3    185.47.152.61
May 14, 2022 00:38:59.813838005 CEST  587          49745      185.47.152.61  192.168.2.3
May 14, 2022 00:38:59.814126968 CEST  49745        587        192.168.2.3    185.47.152.61
May 14, 2022 00:38:59.881165981 CEST  587          49745      185.47.152.61  192.168.2.3
May 14, 2022 00:38:59.881213903 CEST  587          49745      185.47.152.61  192.168.2.3
May 14, 2022 00:38:59.881433010 CEST  49745        587        192.168.2.3    185.47.152.61
May 14, 2022 00:38:59.956746101 CEST  587          49745      185.47.152.61  192.168.2.3
May 14, 2022 00:39:00.032051086 CEST  49745        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:00.096976995 CEST  587          49745      185.47.152.61  192.168.2.3
May 14, 2022 00:39:00.097007990 CEST  587          49745      185.47.152.61  192.168.2.3
May 14, 2022 00:39:00.097033978 CEST  587          49745      185.47.152.61  192.168.2.3
May 14, 2022 00:39:00.097047091 CEST  587          49745      185.47.152.61  192.168.2.3
May 14, 2022 00:39:00.097119093 CEST  49745        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:00.097150087 CEST  49745        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:00.103696108 CEST  49745        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:00.171617985 CEST  587          49745      185.47.152.61  192.168.2.3
May 14, 2022 00:39:00.242981911 CEST  49745        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:00.307900906 CEST  587          49745      185.47.152.61  192.168.2.3
May 14, 2022 00:39:00.308996916 CEST  49745        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:00.373702049 CEST  587          49745      185.47.152.61  192.168.2.3
May 14, 2022 00:39:00.381966114 CEST  49745        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:00.487729073 CEST  587          49745      185.47.152.61  192.168.2.3
May 14, 2022 00:39:00.568512917 CEST  587          49745      185.47.152.61  192.168.2.3
May 14, 2022 00:39:00.570369959 CEST  49745        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:00.635299921 CEST  587          49745      185.47.152.61  192.168.2.3
May 14, 2022 00:39:00.635354996 CEST  587          49745      185.47.152.61  192.168.2.3
May 14, 2022 00:39:00.636518955 CEST  49745        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:00.701631069 CEST  587          49745      185.47.152.61  192.168.2.3
May 14, 2022 00:39:00.705959082 CEST  49745        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:00.779897928 CEST  587          49745      185.47.152.61  192.168.2.3
May 14, 2022 00:39:00.782213926 CEST  49745        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:00.782655954 CEST  49745        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:00.783776999 CEST  49745        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:00.784034014 CEST  49745        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:00.847397089 CEST  587          49745      185.47.152.61  192.168.2.3
May 14, 2022 00:39:00.848531961 CEST  587          49745      185.47.152.61  192.168.2.3
May 14, 2022 00:39:00.848915100 CEST  587          49745      185.47.152.61  192.168.2.3
May 14, 2022 00:39:01.067194939 CEST  49745        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:01.125231028 CEST  587          49745      185.47.152.61  192.168.2.3
May 14, 2022 00:39:01.125559092 CEST  49745        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:01.997858047 CEST  49745        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:02.062716007 CEST  587          49745      185.47.152.61  192.168.2.3
May 14, 2022 00:39:02.062747002 CEST  587          49745      185.47.152.61  192.168.2.3
May 14, 2022 00:39:02.062959909 CEST  49745        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:02.063410044 CEST  587          49745      185.47.152.61  192.168.2.3
May 14, 2022 00:39:02.063486099 CEST  49745        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:02.074456930 CEST  49745        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:02.128956079 CEST  49746        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:02.194772959 CEST  587          49746      185.47.152.61  192.168.2.3
May 14, 2022 00:39:02.194957018 CEST  49746        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:02.261580944 CEST  587          49746      185.47.152.61  192.168.2.3
May 14, 2022 00:39:02.261873960 CEST  49746        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:02.328174114 CEST  587          49746      185.47.152.61  192.168.2.3
May 14, 2022 00:39:02.328217030 CEST  587          49746      185.47.152.61  192.168.2.3
May 14, 2022 00:39:02.328465939 CEST  49746        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:02.404619932 CEST  587          49746      185.47.152.61  192.168.2.3
May 14, 2022 00:39:02.405039072 CEST  49746        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:02.470732927 CEST  587          49746      185.47.152.61  192.168.2.3
May 14, 2022 00:39:02.470784903 CEST  587          49746      185.47.152.61  192.168.2.3
May 14, 2022 00:39:02.470824003 CEST  587          49746      185.47.152.61  192.168.2.3
May 14, 2022 00:39:02.470853090 CEST  587          49746      185.47.152.61  192.168.2.3
May 14, 2022 00:39:02.470880985 CEST  49746        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:02.470935106 CEST  49746        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:02.472127914 CEST  49746        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:02.540873051 CEST  587          49746      185.47.152.61  192.168.2.3
May 14, 2022 00:39:02.542937994 CEST  49746        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:02.608890057 CEST  587          49746      185.47.152.61  192.168.2.3
May 14, 2022 00:39:02.609313011 CEST  49746        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:02.675415039 CEST  587          49746      185.47.152.61  192.168.2.3
May 14, 2022 00:39:02.675900936 CEST  49746        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:02.785697937 CEST  587          49746      185.47.152.61  192.168.2.3
May 14, 2022 00:39:02.895184040 CEST  587          49746      185.47.152.61  192.168.2.3
May 14, 2022 00:39:02.895605087 CEST  49746        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:02.961004019 CEST  587          49746      185.47.152.61  192.168.2.3
May 14, 2022 00:39:02.961025953 CEST  587          49746      185.47.152.61  192.168.2.3
May 14, 2022 00:39:02.961328030 CEST  49746        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:03.026959896 CEST  587          49746      185.47.152.61  192.168.2.3
May 14, 2022 00:39:03.027287960 CEST  49746        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:03.101412058 CEST  587          49746      185.47.152.61  192.168.2.3
May 14, 2022 00:39:03.103316069 CEST  49746        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:03.103444099 CEST  49746        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:03.103621960 CEST  49746        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:03.103800058 CEST  49746        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:03.103874922 CEST  49746        587        192.168.2.3    185.47.152.61
May 14, 2022 00:39:03.103952885 CEST  49746        587        192.168.2.3    185.47.152.61
                                                                        May 14, 2022 00:39:03.104023933 CEST49746587192.168.2.3185.47.152.61
                                                                        May 14, 2022 00:39:03.104096889 CEST49746587192.168.2.3185.47.152.61
                                                                        May 14, 2022 00:39:03.168987989 CEST58749746185.47.152.61192.168.2.3
                                                                        May 14, 2022 00:39:03.169133902 CEST58749746185.47.152.61192.168.2.3
                                                                        May 14, 2022 00:39:03.169300079 CEST58749746185.47.152.61192.168.2.3
                                                                        May 14, 2022 00:39:03.169759989 CEST58749746185.47.152.61192.168.2.3
                                                                        May 14, 2022 00:39:03.259846926 CEST49746587192.168.2.3185.47.152.61
                                                                        May 14, 2022 00:40:39.611948013 CEST49746587192.168.2.3185.47.152.61
                                                                        May 14, 2022 00:40:39.677751064 CEST58749746185.47.152.61192.168.2.3
                                                                        May 14, 2022 00:40:39.677792072 CEST58749746185.47.152.61192.168.2.3
                                                                        May 14, 2022 00:40:39.677942991 CEST49746587192.168.2.3185.47.152.61
                                                                        May 14, 2022 00:40:39.678169012 CEST49746587192.168.2.3185.47.152.61
                                                                        May 14, 2022 00:40:39.678837061 CEST58749746185.47.152.61192.168.2.3
                                                                        May 14, 2022 00:40:39.678900957 CEST49746587192.168.2.3185.47.152.61
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 14, 2022 00:38:59.641088963 CEST | 49316 | 53 | 192.168.2.3 | 8.8.8.8
May 14, 2022 00:38:59.660692930 CEST | 53 | 49316 | 8.8.8.8 | 192.168.2.3
May 14, 2022 00:39:02.108280897 CEST | 56417 | 53 | 192.168.2.3 | 8.8.8.8
May 14, 2022 00:39:02.127830029 CEST | 53 | 56417 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 14, 2022 00:38:59.641088963 CEST | 192.168.2.3 | 8.8.8.8 | 0x9f7d | Standard query (0) | webmail.active.by | A (IP address) | IN (0x0001)
May 14, 2022 00:39:02.108280897 CEST | 192.168.2.3 | 8.8.8.8 | 0xfb9d | Standard query (0) | webmail.active.by | A (IP address) | IN (0x0001)

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 14, 2022 00:38:59.660692930 CEST | 8.8.8.8 | 192.168.2.3 | 0x9f7d | No error (0) | webmail.active.by | (none) | 185.47.152.61 | A (IP address) | IN (0x0001)
May 14, 2022 00:39:02.127830029 CEST | 8.8.8.8 | 192.168.2.3 | 0xfb9d | No error (0) | webmail.active.by | (none) | 185.47.152.61 | A (IP address) | IN (0x0001)
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
May 14, 2022 00:38:59.813838005 CEST | 587 | 49745 | 185.47.152.61 | 192.168.2.3 | 220 webmail.active.by ESMTP Exim
May 14, 2022 00:38:59.814126968 CEST | 49745 | 587 | 192.168.2.3 | 185.47.152.61 | EHLO 760639
May 14, 2022 00:38:59.881213903 CEST | 587 | 49745 | 185.47.152.61 | 192.168.2.3 | 250-webmail.active.by Hello 760639 [84.17.52.36]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
May 14, 2022 00:38:59.881433010 CEST | 49745 | 587 | 192.168.2.3 | 185.47.152.61 | STARTTLS
May 14, 2022 00:38:59.956746101 CEST | 587 | 49745 | 185.47.152.61 | 192.168.2.3 | 220 TLS go ahead
May 14, 2022 00:39:02.261580944 CEST | 587 | 49746 | 185.47.152.61 | 192.168.2.3 | 220 webmail.active.by ESMTP Exim
May 14, 2022 00:39:02.261873960 CEST | 49746 | 587 | 192.168.2.3 | 185.47.152.61 | EHLO 760639
May 14, 2022 00:39:02.328217030 CEST | 587 | 49746 | 185.47.152.61 | 192.168.2.3 | 250-webmail.active.by Hello 760639 [84.17.52.36]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
May 14, 2022 00:39:02.328465939 CEST | 49746 | 587 | 192.168.2.3 | 185.47.152.61 | STARTTLS
May 14, 2022 00:39:02.404619932 CEST | 587 | 49746 | 185.47.152.61 | 192.168.2.3 | 220 TLS go ahead


Target ID: 0
Start time: 00:38:33
Start date: 14/05/2022
Path: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe"
Imagebase: 0x90000
File size: 675840 bytes
MD5 hash: 351A6FF6C8AEF2F1F3FCC9CD8C0DFD8E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.286867007.0000000003710000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.286867007.0000000003710000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.286449493.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.286449493.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.284509153.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 4
Start time: 00:38:45
Start date: 14/05/2022
Path: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
Imagebase: 0xcb0000
File size: 675840 bytes
MD5 hash: 351A6FF6C8AEF2F1F3FCC9CD8C0DFD8E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.272202502.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.272202502.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.272808462.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.272808462.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.510960801.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.510960801.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.273600180.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.273600180.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.274625372.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.274625372.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low


                                                                          Execution Graph

Execution Coverage: 9.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 177
Total number of Limit Nodes: 19

Control-flow Graph
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.283773580.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: NF?8$UUUU$eL62
                                                                          • API String ID: 0-4228688173
                                                                          • Opcode ID: 496bd1d3dce3a9ef51ca1d9fefbba552968361d0aa3f6d140d88115d79c5b03f
                                                                          • Instruction ID: c6ec995a9047c782f21a60ddd38b4ff70d9cba0b9b97d351cd05ad37735ea9ca
                                                                          • Opcode Fuzzy Hash: 496bd1d3dce3a9ef51ca1d9fefbba552968361d0aa3f6d140d88115d79c5b03f
                                                                          • Instruction Fuzzy Hash: B7A2D575A04228CFDB64CF69C984AD9BBB2FF89304F1581E9D509AB325DB319E81CF50
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

Control-flow Graph
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.289917294.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_6e00000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: UUUU
                                                                          • API String ID: 0-1798160573
                                                                          • Opcode ID: d8d7cc5c1d02b3b48d1890df439ef9d52dd9cc174978dc04992c9c866f703658
                                                                          • Instruction ID: b8788ffa77a1e0cb2a20725d72e13e7d5e30f6205b1e59ff90e37fc9016937ef
                                                                          • Opcode Fuzzy Hash: d8d7cc5c1d02b3b48d1890df439ef9d52dd9cc174978dc04992c9c866f703658
                                                                          • Instruction Fuzzy Hash: 63A2C575A00228CFDB64CF69C984AD9BBB2FF89304F1581E9D509AB365DB319E91CF40
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.290320880.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_82a0000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7d155dbc93369a4f82c5c16881d8bd2a3c529ca75ac9c7841b2edaa977189c46
• Instruction ID: e022d4c8569634053e1deb2274f4b5bfc6bd988797b02ac9080d9ce9d5059ffa
• Opcode Fuzzy Hash: 7d155dbc93369a4f82c5c16881d8bd2a3c529ca75ac9c7841b2edaa977189c46
• Instruction Fuzzy Hash: 31C1CC71B106118FEB19EB76C460B6EB7E7AF88705F1044AED146DB3A1CB35E902CB61
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
(graph edge list omitted; the function calls CreateProcessA)
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06E0EC9E
Memory Dump Source
• Source File: 00000000.00000002.289917294.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e00000_SecuriteInfo.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: ef09ff856ab3f147936893b010feaf37c9c049c8861dc7f700add190300c45cd
• Instruction ID: 2af46ba45a83c372aa60e0491cb22a4760771d4a809667ec99426d8b2694d1e5
• Opcode Fuzzy Hash: ef09ff856ab3f147936893b010feaf37c9c049c8861dc7f700add190300c45cd
• Instruction Fuzzy Hash: 88916B71D003198FEB60CF64C8817EDBBB2FF48318F1489A9D859A7284DB749985CF91
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
(graph edge list omitted; the function calls CreateActCtxA)
APIs
• CreateActCtxA.KERNEL32(?), ref: 00AE6C91
Memory Dump Source
• Source File: 00000000.00000002.283773580.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_SecuriteInfo.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 76dfc2c293903c4c751982ce3fbaebc2b5d6fdd955aba8134603266c8cab323f
• Instruction ID: 62301d5fffc8eba15ae1b7dbf052b421cc6fc77efba13d8303664b255d9e0f3e
• Opcode Fuzzy Hash: 76dfc2c293903c4c751982ce3fbaebc2b5d6fdd955aba8134603266c8cab323f
• Instruction Fuzzy Hash: B9511171C046588FDB20CFA9C884BDEBBB5FF99318F20846AD508AB251D774694ACF90
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
(graph edge list omitted; the function calls CreateWindowExW)
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00AEC04A
Memory Dump Source
• Source File: 00000000.00000002.283773580.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_SecuriteInfo.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 04d701f90ab8a9261acb7e22a7dc5c4644943480913f7146faf50e30429a42ca
• Instruction ID: 45794253a46e1becbb2f6774c30224185ea499939f8a2f5762aaee1f544bbb61
• Opcode Fuzzy Hash: 04d701f90ab8a9261acb7e22a7dc5c4644943480913f7146faf50e30429a42ca
• Instruction Fuzzy Hash: 2041C0B1D10349DFDF14CF9AC984ADEBBB5BF88314F24812AE819AB210D7749985CF90
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
(graph edge list omitted; the function calls CreateActCtxA)
APIs
• CreateActCtxA.KERNEL32(?), ref: 00AE6C91
Memory Dump Source
• Source File: 00000000.00000002.283773580.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_SecuriteInfo.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: ed2702714b4b0f73e2812f480e0a273a336f8fed7d1b0c222555e5c369607cd0
• Instruction ID: 6cc99a9130b42222a0088b4030380c2da09566ac3c5f47369ab8b834806f6c13
• Opcode Fuzzy Hash: ed2702714b4b0f73e2812f480e0a273a336f8fed7d1b0c222555e5c369607cd0
• Instruction Fuzzy Hash: 9F41E170C0475CCBDB24DFAAC884B8DBBB5FF98308F24846AD408AB251DB756945CF90
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
(graph edge list omitted; the function calls CallWindowProcW)
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 00AEE5B1
Memory Dump Source
• Source File: 00000000.00000002.283773580.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_SecuriteInfo.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 50dccd1529c5ad78c0a7d45a03dc22e6f3d8e856da6f7a153617c8972de72592
• Instruction ID: 0394beaa324306d8a721eae3e1ed2b8395811334132b37d2dd467f95ff0fceed
• Opcode Fuzzy Hash: 50dccd1529c5ad78c0a7d45a03dc22e6f3d8e856da6f7a153617c8972de72592
• Instruction Fuzzy Hash: D54127B4A00345CFDB14CF99C488AAABBF5FB88318F24C459D519AB321D774E941CFA0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
(graph edge list omitted; the function calls WriteProcessMemory)
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06E0E7E0
Memory Dump Source
• Source File: 00000000.00000002.289917294.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e00000_SecuriteInfo.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: b1c38ffd39135fea73e8b80692bb889c4a195934b7ad57c140333d5778b16a68
• Instruction ID: 06aacc3475313e7b99cbe46133f4293849f82bb2fc45a0d93b595b5cec8fc491
• Opcode Fuzzy Hash: b1c38ffd39135fea73e8b80692bb889c4a195934b7ad57c140333d5778b16a68
• Instruction Fuzzy Hash: 242127719003599FDF50CFA9C8847DEBBF5FF48314F14882AE959A7241C7789994CBA0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
(graph edge list omitted; the function calls SetThreadContext)
APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 06E0E546
Memory Dump Source
• Source File: 00000000.00000002.289917294.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e00000_SecuriteInfo.jbxd
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0
• Opcode ID: 4339f11342af841f012b5a2b3240868ee8700462ad9669ac267f7180924f4b2d
• Instruction ID: 833658a148d147b60566856d8e4ad6810a902a33107ab79e230d7e5b895f92c1
• Opcode Fuzzy Hash: 4339f11342af841f012b5a2b3240868ee8700462ad9669ac267f7180924f4b2d
• Instruction Fuzzy Hash: 2F213971D043099FDB50DFA9C4847EEBBF4AB48314F148429D559A7240DB78A985CFA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
(graph edge list omitted; the function calls ReadProcessMemory)
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06E0E8F0
Memory Dump Source
• Source File: 00000000.00000002.289917294.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e00000_SecuriteInfo.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 55dd66304a6c5f98a10045fda8fc7214b2234d373b36778c8338422878966abb
• Instruction ID: 02742c0ccf24ee8aed072533a0f2a1ed99fbcf94a06d02b3a95538103fe27bf3
• Opcode Fuzzy Hash: 55dd66304a6c5f98a10045fda8fc7214b2234d373b36778c8338422878966abb
• Instruction Fuzzy Hash: F12128B1D043599FCF10CFA9C8846EEBBF5FF48314F50842AE959A7240C7789954CBA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
(graph edge list omitted; the function calls VirtualAllocEx)
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06E0E6CE
Memory Dump Source
• Source File: 00000000.00000002.289917294.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e00000_SecuriteInfo.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 13184a43ee6ee311b0f57b099fbc3216dafbe31b036acf5aedb3d92356816930
• Instruction ID: 707ca7e68931622652be3f1d59d26b68db940b9bc5423fc9cea9dcec8fc2c59f
• Opcode Fuzzy Hash: 13184a43ee6ee311b0f57b099fbc3216dafbe31b036acf5aedb3d92356816930
• Instruction Fuzzy Hash: 7B1167719042489FCF10CFA9D8447DFBBF5AF88324F10882AE525A7240CB75A944CFA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
(graph edge list omitted; the function calls ResumeThread)
APIs
Memory Dump Source
• Source File: 00000000.00000002.289917294.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e00000_SecuriteInfo.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 7dd45614c78e26d26d70ecd5994e600637ea9a255c7f7d73a884c60be75b2d07
• Instruction ID: 9c099ac7928aacafa567905c7897a78a50c03846c266a8fe42d06e273534098c
• Opcode Fuzzy Hash: 7dd45614c78e26d26d70ecd5994e600637ea9a255c7f7d73a884c60be75b2d07
• Instruction Fuzzy Hash: 90113AB1D043499FDB10DFAAC8447DEFBF5AB88328F148829D515A7240CB74A945CFA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
(graph edge list omitted; the function calls PostMessageW)
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 082A9685
Memory Dump Source
• Source File: 00000000.00000002.290320880.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_82a0000_SecuriteInfo.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 005a4818a5822a695d3b4a470ef68b23050fbeedf784314160cbd24e1bc1bb4c
• Instruction ID: e323c2b74ee7ca1a11492b5f4c00942ec22f81a1a2451ba3b28e56dcf7cf65c4
• Opcode Fuzzy Hash: 005a4818a5822a695d3b4a470ef68b23050fbeedf784314160cbd24e1bc1bb4c
• Instruction Fuzzy Hash: 5D11F5B58003499FDB10CF9AC584BDEBBF8EF48324F108819E964A7600C375A994CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetWindowLongW.USER32(?,?,?), ref: 00AEC1DD
Memory Dump Source
• Source File: 00000000.00000002.283773580.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_SecuriteInfo.jbxd
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
• Opcode ID: a661a81a3928cbc874f6b25548fecaabf343fb463da7281637bf12e0933e4ae4
• Instruction ID: 0d09f3ed36769c0e00e5a47a6dac96199d6499b29142fe0f909a9094d32b0470
• Opcode Fuzzy Hash: a661a81a3928cbc874f6b25548fecaabf343fb463da7281637bf12e0933e4ae4
• Instruction Fuzzy Hash: 6F11E2B59002499FDB10CF9AD584BDEFBF8FB88324F10851AE955A7701C374AA45CFA1
Uniqueness
Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.290320880.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82a0000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: UUUU
                                                                          • API String ID: 0-1798160573
                                                                          • Opcode ID: 9a154064006ebd2e4c1e87c2beea748c6bdebb17c560834026764c141a64bd5e
                                                                          • Instruction ID: ceb874c08296aff91c0c0e19e5a4333658753eff82797d5c6c2bab472b5da459
                                                                          • Opcode Fuzzy Hash: 9a154064006ebd2e4c1e87c2beea748c6bdebb17c560834026764c141a64bd5e
                                                                          • Instruction Fuzzy Hash: F8515E70E116288FDB64CFA8D984BCDBBF1BF48314F5486AAD518F7205D7349A868F10
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.289917294.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_6e00000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: cda731adbc5381b9cb9550826ff88ac968aaec34d6d179b6a4874ab49d2c790a
                                                                          • Instruction ID: 6ee980af81d031cf16dfc074664c3be953f4fdeb5180dae30898c9774a513d7d
                                                                          • Opcode Fuzzy Hash: cda731adbc5381b9cb9550826ff88ac968aaec34d6d179b6a4874ab49d2c790a
                                                                          • Instruction Fuzzy Hash: 63E13831C20B5A8FDB51EF64C850A9DB7B1EFA5300F51979AD0097B221EB70AAC4CB91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.289917294.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_6e00000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1fb84f12eaed25321873d5da0c228179f8f9ce6fa5cc3ee25c8a862d392bfc5e
                                                                          • Instruction ID: 23059f80cb4f527d3d6a8f3ec531ec85ce0b7cf486c36c88ac622c0b677de865
                                                                          • Opcode Fuzzy Hash: 1fb84f12eaed25321873d5da0c228179f8f9ce6fa5cc3ee25c8a862d392bfc5e
                                                                          • Instruction Fuzzy Hash: F3D12931C10B5A8BDB51EF64C950AADB7B1FFA5300F51D79AD0093B225EB70AAC4CB91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.283773580.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: bc861c04b8f5c98962a9e69445daabd7cd8682cfb3b589786d58c347f9cd41c7
                                                                          • Instruction ID: 592acdc977b55c72bb3bcb9bcb8a3e67774ebad8810cbd382285f51d0ec6539f
                                                                          • Opcode Fuzzy Hash: bc861c04b8f5c98962a9e69445daabd7cd8682cfb3b589786d58c347f9cd41c7
                                                                          • Instruction Fuzzy Hash: EDC17775E016188FDB58CF6AC984AD9BBF2AF89300F14C1A9D409AB365DB319E81CF50
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.289917294.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_6e00000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 30d62bdfd12ae9f1c2bbd4f62aab4fbf63c1bf4088b5809fb237fb42e140cff8
                                                                          • Instruction ID: 611958ec0de17c102e1ac2cbfae717cc5caa7815e3037d67852c28a90e2b188c
                                                                          • Opcode Fuzzy Hash: 30d62bdfd12ae9f1c2bbd4f62aab4fbf63c1bf4088b5809fb237fb42e140cff8
                                                                          • Instruction Fuzzy Hash: 38C17475E01658CFDB58CF6AC944AD9BBF2AF89304F15C1EAD809AB364DB305A81CF50
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.289917294.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_6e00000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 893f47840163f6c39de2f5c2ec5fa410b109d1224126901bbfea672b13811897
                                                                          • Instruction ID: 2c4091c2856fd5199a2d47fb8286d4fbc2c8392ff962b92ec03e280cdbecbeaa
                                                                          • Opcode Fuzzy Hash: 893f47840163f6c39de2f5c2ec5fa410b109d1224126901bbfea672b13811897
                                                                          • Instruction Fuzzy Hash: 6BC17575E01618CFDB58CF6AC944AD9BBF2AF89304F15C1EAD909AB364DB305A81CF50
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.283773580.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c08ab0b46680e147a82eaa92053145251005b9d61816261462870e10525e91ff
                                                                          • Instruction ID: 485d2fc28fd7d89df995efde50c29f2b232aed21bc7a5f33e55602f7427e0d99
                                                                          • Opcode Fuzzy Hash: c08ab0b46680e147a82eaa92053145251005b9d61816261462870e10525e91ff
                                                                          • Instruction Fuzzy Hash: 73616BB0A052458FD789DF6AE8416AA7BF3EBC4304F04D439D105AF668EF705946CF90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.289917294.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_6e00000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 24d82327e4f70cdeb756862330d143806c25a8eb9c1a9023ac2fd98f51b07acf
                                                                          • Instruction ID: 91f8ffc473fc9b4d29acf55d2cb593e1a02c2fc85f3047e037c016eed7184c4b
                                                                          • Opcode Fuzzy Hash: 24d82327e4f70cdeb756862330d143806c25a8eb9c1a9023ac2fd98f51b07acf
                                                                          • Instruction Fuzzy Hash: 21613871A04648DFD748EF7AE94068A7BF3EF88308F04C53AD115AB268EF7859468F51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.283773580.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 868c095bb60b5d30090504e125e75260613aacb30e4538c1efd5d8103b34a735
                                                                          • Instruction ID: c6e0a9b3b071b758b85ed562952263c1e2b9abc0229e228645a73a378bb26e87
                                                                          • Opcode Fuzzy Hash: 868c095bb60b5d30090504e125e75260613aacb30e4538c1efd5d8103b34a735
                                                                          • Instruction Fuzzy Hash: 3F612AB0A052448FD788EF6AE9416AABBF3EBC4304F04D439D105AF668EF715946CF50
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.289917294.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_6e00000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ec5af495baa7b5ae7da2e2bd2d3571285f87912ba29e3f82e461758418fb6a8f
                                                                          • Instruction ID: d9e0b685df814adc367c4aef4c72672990933bd3a51424ae641de3247d6e072e
                                                                          • Opcode Fuzzy Hash: ec5af495baa7b5ae7da2e2bd2d3571285f87912ba29e3f82e461758418fb6a8f
                                                                          • Instruction Fuzzy Hash: 42612871A04648DFD748EF7AE94068A7BF3EF88308F04C53AD115AB268EF7859468F51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.290320880.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82a0000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a9e3d4a8fd57521986dec334f096bc8548ba08c4079ff58d6c74dc84b49b07c5
                                                                          • Instruction ID: 26a3af88e705bf1603c7ad40093c7da7881f7f7a48ac0b850369a6750b6a0957
                                                                          • Opcode Fuzzy Hash: a9e3d4a8fd57521986dec334f096bc8548ba08c4079ff58d6c74dc84b49b07c5
                                                                          • Instruction Fuzzy Hash: B8414AB1D11A198BEB6CCF6BCD4479AFAF3AFC8301F14C1BA891CAA255DB7405958F01
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.289917294.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_6e00000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a7600aa380c511867ff6c960f267fcfaac6f37b020f1b7075de3b538a9b52ef5
                                                                          • Instruction ID: 1c46a3f6f338f02c19c7a0f64603b478be0d894cbdce6c5f598f9b351c1b09cc
                                                                          • Opcode Fuzzy Hash: a7600aa380c511867ff6c960f267fcfaac6f37b020f1b7075de3b538a9b52ef5
                                                                          • Instruction Fuzzy Hash: C94151B1E056188BEB6CCF6B8C4078AFAF3AFC8300F14C1BA990DA7254DB3109958E11
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.290320880.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82a0000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8d6031fe451c64e50da143400f478e7052032ac0a96a15c90d5b1bc194784978
                                                                          • Instruction ID: 147bc7c94d86336ef78a512481bd5cf12ffc577d8893ad195dbbdcc96c220e61
                                                                          • Opcode Fuzzy Hash: 8d6031fe451c64e50da143400f478e7052032ac0a96a15c90d5b1bc194784978
                                                                          • Instruction Fuzzy Hash: D1414471E05A588FEB5CCF6B9D4079AFAF3AFC9200F18C1BAC41DAA215DB3505958F11
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.289917294.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_6e00000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b90eb17dffd3e7fb538e4a813505d7b8505b7725a25bd1b2661ceed53b28d97e
                                                                          • Instruction ID: 43fd1941e8e43dcf22099e7205d33aee8f579ba0a5e91e7a5cbbeb77cb2208ca
                                                                          • Opcode Fuzzy Hash: b90eb17dffd3e7fb538e4a813505d7b8505b7725a25bd1b2661ceed53b28d97e
                                                                          • Instruction Fuzzy Hash: 504103B1E056588BEB6CCF6B8D4079AFBF3AFC8200F14C1BA950DAA254DB3145968E11
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.289917294.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_6e00000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e02c70a51a1a7f6ff01fe25ff678e51796cdee3d3b7db4e4fcd7d2054678f26d
                                                                          • Instruction ID: 744808cdb77d888b7169140845e2cf39b087514f1980a91bf80137df7ac7c4f0
                                                                          • Opcode Fuzzy Hash: e02c70a51a1a7f6ff01fe25ff678e51796cdee3d3b7db4e4fcd7d2054678f26d
                                                                          • Instruction Fuzzy Hash: 8041F4B1E056588BEB5CCF6B8D40799FBF3AFC9300F14C1BA950DAA254DB3145968F11
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.289917294.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_6e00000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e822c82edf8765ed2ecb534c7408b4048cbdb1005db756ea75fc0f60b1d19597
                                                                          • Instruction ID: 17ed4b8e8e1f81be7d1a23fa518bc62e49e9bae58212d0cef3d5d1f2c4322061
                                                                          • Opcode Fuzzy Hash: e822c82edf8765ed2ecb534c7408b4048cbdb1005db756ea75fc0f60b1d19597
                                                                          • Instruction Fuzzy Hash: B24105B1E056588BEB5CCF6B8D4078AFAF3AFC8300F14C1BA940DAA254DB3149968F11
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.290320880.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82a0000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a04362744774a97f00e352acf63a3aa01b652106475d8af421e730009e7f7759
                                                                          • Instruction ID: e6e490715b0ccaa558324e8f1418e2138f2d924277e3b91e30345e531debbb77
                                                                          • Opcode Fuzzy Hash: a04362744774a97f00e352acf63a3aa01b652106475d8af421e730009e7f7759
                                                                          • Instruction Fuzzy Hash: E941F571E05A588BEB5CCF6B8D4079EFAF3AFC8200F14C1BAC51CAA215DB3505958F15
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Execution Graph

                                                                          Execution Coverage: 11.7%
                                                                          Dynamic/Decrypted Code Coverage: 100%
                                                                          Signature Coverage: 5.6%
                                                                          Total number of Nodes: 125
                                                                          Total number of Limit Nodes: 4

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph: function 6837e48-6838026 (calls 6835bd8, 6835ce8, 6835760; API LdrInitializeThunk); node and edge data omitted.
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.516423330.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_6830000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 7dc4bcb98b8f18faa7031ec9cadfb30be32d6abeab9f30110c82b15a25f2b54e
                                                                          • Instruction ID: 827f85686660599546d4e5aa6dce2b5787c104e87fb74db6cba4563aac40fa37
                                                                          • Opcode Fuzzy Hash: 7dc4bcb98b8f18faa7031ec9cadfb30be32d6abeab9f30110c82b15a25f2b54e
                                                                          • Instruction Fuzzy Hash: 0F51B470B003069FCB54EFB4D884AAEB7E6BF94204F158929E512DF355DF30D8488BA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph: function 6140a00-6141eb1 (API SetWindowsHookExW); node and edge data omitted.
                                                                          APIs
                                                                          • SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 06141E7B
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.515845563.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_6140000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: HookWindows
                                                                          • String ID:
                                                                          • API String ID: 2559412058-0
                                                                          • Opcode ID: 0268bcabc3ab6c23e77fab916c2ea5f269da2a5999d8ec656dfdda8f11b1a081
                                                                          • Instruction ID: 99ca3805e93d3dab5dbaac281234c6642d6698a843fe56922d9fd24a0394dc7e
                                                                          • Opcode Fuzzy Hash: 0268bcabc3ab6c23e77fab916c2ea5f269da2a5999d8ec656dfdda8f11b1a081
                                                                          • Instruction Fuzzy Hash: 942138B5D042099FCB54DF9AD884BEEFBF5EB98314F108429E419B7650C774A944CFA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph: function 6837deb-6838026 (calls 6835bd8, 6835ce8, 6835760; API LdrInitializeThunk); node and edge data omitted.
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.516423330.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_6830000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: d84bdfa9756b972b13f185f36fe2d3507627b452c3d781c7756edcf3acba59c7
                                                                          • Instruction ID: 6e4b01e7aec600d0dbb7336f6c66e5a890f029352d285cccbe15ad410a5269c5
                                                                          • Opcode Fuzzy Hash: d84bdfa9756b972b13f185f36fe2d3507627b452c3d781c7756edcf3acba59c7
                                                                          • Instruction Fuzzy Hash: 1051C030A003469FCB54ABB4D844AAEBBF6BF95304F14896AE512DB355DB30D9088BA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph: function 153d364-153d495 (API LoadLibraryA); node and edge data omitted.
                                                                          APIs
                                                                          • LoadLibraryA.KERNELBASE(?), ref: 0153D43A
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.513294033.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_1530000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 74c5df6591e11429eca2dbb80d5c7671b112d3922f20cfdfd7b7d9fecef9bc9d
                                                                          • Instruction ID: 23082630cee3da7f3d1a5c15002873ea815298d5de157b207390c98dcd98ae64
                                                                          • Opcode Fuzzy Hash: 74c5df6591e11429eca2dbb80d5c7671b112d3922f20cfdfd7b7d9fecef9bc9d
                                                                          • Instruction Fuzzy Hash: 8A3102B0D002499FDB14CFE9D8857DEBBB1BB48314F548529E815AB280D7B49886CF91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph: function 153b42c-153d495 (API LoadLibraryA); node and edge data omitted.
                                                                          APIs
                                                                          • LoadLibraryA.KERNELBASE(?), ref: 0153D43A
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.513294033.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_1530000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: b1514baa5cb37c955af3523028745a7d05cb09bbcae0f5910dd200f55064d7c1
                                                                          • Instruction ID: a0383a2d16d6244f4b6cd4698aaa8b5a355e6b2496f1445c362fbb402fdc4c11
                                                                          • Opcode Fuzzy Hash: b1514baa5cb37c955af3523028745a7d05cb09bbcae0f5910dd200f55064d7c1
                                                                          • Instruction Fuzzy Hash: 5E3132B0D002498FDB14CFE9C8847DEFBF1BB48314F548529E815AB280D7B4A885CB95
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph: function 683fbc4-683fcd0 (API OleGetClipboard); node and edge data omitted.
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.516423330.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_6830000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: Clipboard
                                                                          • String ID:
                                                                          • API String ID: 220874293-0
                                                                          • Opcode ID: adecb0d8a5786d80f9e0a98d8d16465dc8c7a20594d279bf1a798a7e3751f290
                                                                          • Instruction ID: c4079be290fae560632e78a745dc01538b157c2e6f644c6bbbe0186365b2e46c
                                                                          • Opcode Fuzzy Hash: adecb0d8a5786d80f9e0a98d8d16465dc8c7a20594d279bf1a798a7e3751f290
                                                                          • Instruction Fuzzy Hash: C33134B0D05258DFDB50CF99C984BCEBBF1AF48318F148019E904BB390DB74998ACBA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph: function 683fbd0-683fcd0 (API OleGetClipboard); node and edge data omitted.
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.516423330.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_6830000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: Clipboard
                                                                          • String ID:
                                                                          • API String ID: 220874293-0
                                                                          • Opcode ID: 101c2770877589cccffce62bc79ff6f99496c1f9918e499c5722988e5097172d
                                                                          • Instruction ID: 0ba12fc7be0e26903ace6060a03afc740aa020953df1e971d4f00700b422325c
                                                                          • Opcode Fuzzy Hash: 101c2770877589cccffce62bc79ff6f99496c1f9918e499c5722988e5097172d
                                                                          • Instruction Fuzzy Hash: 363106B0D05218DFDB54CF99C584BCEBBF5AF48318F148059E504BB394DB74A986CBA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph: function 6141df8-6141eb1 (API SetWindowsHookExW); node and edge data omitted.
                                                                          APIs
                                                                          • SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 06141E7B
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.515845563.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_6140000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: HookWindows
                                                                          • String ID:
                                                                          • API String ID: 2559412058-0
                                                                          • Opcode ID: 089806bac87fe979c81d7640d563d67494b62ff03966aaa585c35c9fa82aee84
                                                                          • Instruction ID: 17d08ccd7ad7dea82f38a85461fcdaf3b7eb5be39d57b2223448c85a4332a5a0
                                                                          • Opcode Fuzzy Hash: 089806bac87fe979c81d7640d563d67494b62ff03966aaa585c35c9fa82aee84
                                                                          • Instruction Fuzzy Hash: 062157B5D042099FCB50CF9AD884BEEFBF5BF88320F00841AE418A3240CB74A945CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph: function 1535068-153513e (API RtlEncodePointer); node and edge data omitted.
                                                                          APIs
                                                                          • RtlEncodePointer.NTDLL(00000000), ref: 015350F2
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.513294033.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_1530000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: EncodePointer
                                                                          • String ID:
                                                                          • API String ID: 2118026453-0
                                                                          • Opcode ID: 01627da98d3cacaf3c8417db6035cf47caa203985dec4c5ee9b5a7be928e2f1e
                                                                          • Instruction ID: 3b31c8bfe63e2936c9501ab2dba40381bf763d92ec95250b276ec528478e04de
                                                                          • Opcode Fuzzy Hash: 01627da98d3cacaf3c8417db6035cf47caa203985dec4c5ee9b5a7be928e2f1e
                                                                          • Instruction Fuzzy Hash: C121CA71D0034A9FCB20CFA9C9497DEBBF8FB4A324F148429D644A7201D77A9554CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph: function 614c1e8-614c28d (API LoadLibraryExW); node and edge data omitted.
                                                                          APIs
                                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,0614C1C9,00000800), ref: 0614C25A
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.515845563.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_6140000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 2df9b0e4b4ddb7de25a73bd066e00900c5be284cc95ebd30d2b52851e71a8541
                                                                          • Instruction ID: c1be9af167e174ad282b64e65be4ece821a6f9d0e9be7543c66e24b327eb3deb
                                                                          • Opcode Fuzzy Hash: 2df9b0e4b4ddb7de25a73bd066e00900c5be284cc95ebd30d2b52851e71a8541
                                                                          • Instruction Fuzzy Hash: 6E1144B2D002098FCB10CFEAD444ADEFBF4EB88324F04842AE415A7200C7B8A585CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph: function 614bd80-614c28d (API LoadLibraryExW); node and edge data omitted.
                                                                          APIs
                                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,0614C1C9,00000800), ref: 0614C25A
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.515845563.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_6140000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 7b7405da081f7fd45c94ec0ab84333d333946d1e9b41c414d4bbb91595c74eee
                                                                          • Instruction ID: fd629d20331748299316ebd2e646a0781447892506d889f3c318bfedaffd8252
                                                                          • Opcode Fuzzy Hash: 7b7405da081f7fd45c94ec0ab84333d333946d1e9b41c414d4bbb91595c74eee
                                                                          • Instruction Fuzzy Hash: F211F2B2D042099FCB10DFAAC544A9EFBF4AB88324F10842AE915B7200C7B8A545CFA5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph: function 1535078-153513e (API RtlEncodePointer); node and edge data omitted.
                                                                          APIs
                                                                          • RtlEncodePointer.NTDLL(00000000), ref: 015350F2
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.513294033.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_1530000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: EncodePointer
                                                                          • String ID:
                                                                          • API String ID: 2118026453-0
                                                                          • Opcode ID: 737e35e84f41bf65d134a92f6b0db108051d88554a264041021fa35d31d03b85
                                                                          • Instruction ID: 5ec2dbbbbb193139cd1b8b8f2aed7c04554d1f45e643cb6b4e99729d63f5029f
                                                                          • Opcode Fuzzy Hash: 737e35e84f41bf65d134a92f6b0db108051d88554a264041021fa35d31d03b85
                                                                          • Instruction Fuzzy Hash: A211BE71D0034A8FCB20CFA9C9487DEBBF4FB45324F108829D604A7641DB7AA554CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph: function 683fa81-683fb10 (API OleInitialize); node and edge data omitted.
APIs
Memory Dump Source
• Source File: 00000004.00000002.516423330.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6830000_SecuriteInfo.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: ab43110b5e37f0ced495b07afc5a71afeddf2d3850c796fa786ccb6a77e12a37
• Instruction ID: 85747e346168705825c47aea7ce26898921bc5100ce17d0f63cadfbcfa8e90ba
• Opcode Fuzzy Hash: ab43110b5e37f0ced495b07afc5a71afeddf2d3850c796fa786ccb6a77e12a37
• Instruction Fuzzy Hash: E81106B1D043099FCB10DF99D544BDEFBF4EB48324F148459D619A7200D774A984CFA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Block 683fa88-683faea (calls OleInitialize) branches to 683faec-683faf2 and 683faf3-683fb10; block 683faec-683faf2 continues to 683faf3-683fb10.
APIs
Memory Dump Source
• Source File: 00000004.00000002.516423330.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6830000_SecuriteInfo.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: d3ae5c6d5326828efa22fb1428ded6ccc69990b3020c1d295b4989ceaafb9ee0
• Instruction ID: af1d6d357ba8b8d0ed017ecc4ecd97e0e486ed893806e469a58d0e8606b13f81
• Opcode Fuzzy Hash: d3ae5c6d5326828efa22fb1428ded6ccc69990b3020c1d295b4989ceaafb9ee0
• Instruction Fuzzy Hash: EA11E2B1D043498FCB10DF99D584BDEFBF8EB48328F248459D659A7200C778A984CFA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.512657863.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11ed000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d0869fd593c6133e2950169711520665426d8814e9f2715250e3d83b438f554c
• Instruction ID: c826ba93ed3a5ca62713221cbe48b691b2ccce2edf8aae8a8a7e7711e474c9e8
• Opcode Fuzzy Hash: d0869fd593c6133e2950169711520665426d8814e9f2715250e3d83b438f554c
• Instruction Fuzzy Hash: 5E2148B1504644DFDF09DFD4E9C4B66BBA1FB94324F24C568E9090B607C336E446C7A2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.512657863.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11ed000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e6dc6bea322ac229bb9891d9adb3e808fc29097d9a63836f4574df099d61674
• Instruction ID: 2e9891b81afe90f6f84fac68471c4e900a38f7348ad472fd61f147d640edba45
• Opcode Fuzzy Hash: 0e6dc6bea322ac229bb9891d9adb3e808fc29097d9a63836f4574df099d61674
• Instruction Fuzzy Hash: 1411E472404684DFCF06CF44D5C4B56BFB1FB94324F28C5A9D8080B616C33AD456CBA1
Uniqueness

Uniqueness Score: -1.00%