Edit tour

Windows Analysis Report
oAE7nqtsNA.exe

Overview

General Information

Sample Name:	oAE7nqtsNA.exe
Analysis ID:	652383
MD5:	0f20f2a0d366d09d7f9775220f024638
SHA1:	e838dc5484de4f2bc6d43290e8e2e860f32182de
SHA256:	c5d4a26f1de9008689bf4ecf2eebd6c860282f32db70d982f5281c4630fb4cac
Tags:	exeSnakeKeylogger
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected AntiVM3

Antivirus / Scanner detection for submitted sample

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal ftp login credentials

.NET source code references suspicious native API functions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

May check the online IP address of the machine

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Detected potential crypto function

Yara detected Credential Stealer

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Binary contains a suspicious time stamp

Contains functionality to detect virtual machines (SLDT)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

oAE7nqtsNA.exe (PID: 7108 cmdline: "C:\Users\user\Desktop\oAE7nqtsNA.exe" MD5: 0F20F2A0D366D09D7F9775220F024638)

oAE7nqtsNA.exe (PID: 6516 cmdline: C:\Users\user\Desktop\oAE7nqtsNA.exe MD5: 0F20F2A0D366D09D7F9775220F024638)

cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "frankjoelog@valete.buzz", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua", "Port": "frankjoe@valete.buzz"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.417015473.000000000331A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000000.410485061.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000000.410485061.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000000.410485061.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000000.410485061.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17418:$x1: $%SMTPDV$ 0x1742e:$x2: $#TheHashHere%& 0x187c8:$x3: %FTPDV$ 0x18890:$x4: $%TelegramDv$ 0x14d34:$x5: KeyLoggerEventArgs 0x150ca:$x5: KeyLoggerEventArgs 0x18838:$m1: \| Snake Keylogger 0x188f0:$m1: \| Snake Keylogger 0x18a44:$m1: \| Snake Keylogger 0x18b6a:$m1: \| Snake Keylogger 0x18cc4:$m1: \| Snake Keylogger 0x187ec:$m2: Clipboard Logs ID 0x189fa:$m2: Screenshot Logs ID 0x18b0e:$m2: keystroke Logs ID 0x18cfa:$m3: SnakePW 0x189d2:$m4: \SnakeKeylogger\
00000005.00000002.632442217.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.632442217.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.632442217.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.632442217.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17418:$x1: $%SMTPDV$ 0x1742e:$x2: $#TheHashHere%& 0x187c8:$x3: %FTPDV$ 0x18890:$x4: $%TelegramDv$ 0x14d34:$x5: KeyLoggerEventArgs 0x150ca:$x5: KeyLoggerEventArgs 0x18838:$m1: \| Snake Keylogger 0x188f0:$m1: \| Snake Keylogger 0x18a44:$m1: \| Snake Keylogger 0x18b6a:$m1: \| Snake Keylogger 0x18cc4:$m1: \| Snake Keylogger 0x187ec:$m2: Clipboard Logs ID 0x189fa:$m2: Screenshot Logs ID 0x18b0e:$m2: keystroke Logs ID 0x18cfa:$m3: SnakePW 0x189d2:$m4: \SnakeKeylogger\
00000005.00000000.411281858.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000000.411281858.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000000.411281858.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000000.411281858.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17418:$x1: $%SMTPDV$ 0x1742e:$x2: $#TheHashHere%& 0x187c8:$x3: %FTPDV$ 0x18890:$x4: $%TelegramDv$ 0x14d34:$x5: KeyLoggerEventArgs 0x150ca:$x5: KeyLoggerEventArgs 0x18838:$m1: \| Snake Keylogger 0x188f0:$m1: \| Snake Keylogger 0x18a44:$m1: \| Snake Keylogger 0x18b6a:$m1: \| Snake Keylogger 0x18cc4:$m1: \| Snake Keylogger 0x187ec:$m2: Clipboard Logs ID 0x189fa:$m2: Screenshot Logs ID 0x18b0e:$m2: keystroke Logs ID 0x18cfa:$m3: SnakePW 0x189d2:$m4: \SnakeKeylogger\
00000005.00000000.410840955.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000000.410840955.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000000.410840955.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000000.410840955.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17418:$x1: $%SMTPDV$ 0x1742e:$x2: $#TheHashHere%& 0x187c8:$x3: %FTPDV$ 0x18890:$x4: $%TelegramDv$ 0x14d34:$x5: KeyLoggerEventArgs 0x150ca:$x5: KeyLoggerEventArgs 0x18838:$m1: \| Snake Keylogger 0x188f0:$m1: \| Snake Keylogger 0x18a44:$m1: \| Snake Keylogger 0x18b6a:$m1: \| Snake Keylogger 0x18cc4:$m1: \| Snake Keylogger 0x187ec:$m2: Clipboard Logs ID 0x189fa:$m2: Screenshot Logs ID 0x18b0e:$m2: keystroke Logs ID 0x18cfa:$m3: SnakePW 0x189d2:$m4: \SnakeKeylogger\
00000005.00000000.411712452.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000000.411712452.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000000.411712452.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000000.411712452.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17418:$x1: $%SMTPDV$ 0x1742e:$x2: $#TheHashHere%& 0x187c8:$x3: %FTPDV$ 0x18890:$x4: $%TelegramDv$ 0x14d34:$x5: KeyLoggerEventArgs 0x150ca:$x5: KeyLoggerEventArgs 0x18838:$m1: \| Snake Keylogger 0x188f0:$m1: \| Snake Keylogger 0x18a44:$m1: \| Snake Keylogger 0x18b6a:$m1: \| Snake Keylogger 0x18cc4:$m1: \| Snake Keylogger 0x187ec:$m2: Clipboard Logs ID 0x189fa:$m2: Screenshot Logs ID 0x18b0e:$m2: keystroke Logs ID 0x18cfa:$m3: SnakePW 0x189d2:$m4: \SnakeKeylogger\
00000000.00000002.419701815.0000000004E4F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.419701815.0000000004E4F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.419701815.0000000004E4F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.419701815.0000000004E4F000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x39bb8:$x1: $%SMTPDV$ 0x597d8:$x1: $%SMTPDV$ 0x791f8:$x1: $%SMTPDV$ 0x39bce:$x2: $#TheHashHere%& 0x597ee:$x2: $#TheHashHere%& 0x7920e:$x2: $#TheHashHere%& 0x3af68:$x3: %FTPDV$ 0x5ab88:$x3: %FTPDV$ 0x7a5a8:$x3: %FTPDV$ 0x3b030:$x4: $%TelegramDv$ 0x5ac50:$x4: $%TelegramDv$ 0x7a670:$x4: $%TelegramDv$ 0x374d4:$x5: KeyLoggerEventArgs 0x3786a:$x5: KeyLoggerEventArgs 0x570f4:$x5: KeyLoggerEventArgs 0x5748a:$x5: KeyLoggerEventArgs 0x76b14:$x5: KeyLoggerEventArgs 0x76eaa:$x5: KeyLoggerEventArgs 0x3afd8:$m1: \| Snake Keylogger 0x3b090:$m1: \| Snake Keylogger 0x3b1e4:$m1: \| Snake Keylogger
Process Memory Space: oAE7nqtsNA.exe PID: 7108	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: oAE7nqtsNA.exe PID: 7108	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: oAE7nqtsNA.exe PID: 7108	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: oAE7nqtsNA.exe PID: 7108	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1ddc3c:$x5: KeyLoggerEventArgs 0x1ddfd2:$x5: KeyLoggerEventArgs 0x1de908:$x5: KeyLoggerEventArgs 0x1dec69:$x5: KeyLoggerEventArgs 0x1e015e:$m1: \| Snake Keylogger 0x1e01b6:$m1: \| Snake Keylogger 0x1e024a:$m1: \| Snake Keylogger 0x1e02ab:$m1: \| Snake Keylogger 0x1e0320:$m1: \| Snake Keylogger 0x1e0137:$m2: Clipboard Logs ID 0x1e0225:$m2: Screenshot Logs ID 0x1e027d:$m2: keystroke Logs ID 0x1e033b:$m3: SnakePW 0x1e0211:$m4: \SnakeKeylogger\
Process Memory Space: oAE7nqtsNA.exe PID: 6516	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: oAE7nqtsNA.exe PID: 6516	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: oAE7nqtsNA.exe PID: 6516	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2052e:$x5: KeyLoggerEventArgs 0x208c4:$x5: KeyLoggerEventArgs 0x211fa:$x5: KeyLoggerEventArgs 0x2155b:$x5: KeyLoggerEventArgs 0x22a50:$m1: \| Snake Keylogger 0x22aa8:$m1: \| Snake Keylogger 0x22b3c:$m1: \| Snake Keylogger 0x22b9d:$m1: \| Snake Keylogger 0x22c12:$m1: \| Snake Keylogger 0x22a29:$m2: Clipboard Logs ID 0x22b17:$m2: Screenshot Logs ID 0x22b6f:$m2: keystroke Logs ID 0x22c2d:$m3: SnakePW 0x22b03:$m4: \SnakeKeylogger\
Click to see the 27 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.oAE7nqtsNA.exe.4e715a0.9.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b35e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3af7e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5a99e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a547:$a3: \Google\Chrome\User Data\Default\Login Data 0x3a167:$a3: \Google\Chrome\User Data\Default\Login Data 0x59b87:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a98e:$a4: \Orbitum\User Data\Default\Login Data 0x3a5ae:$a4: \Orbitum\User Data\Default\Login Data 0x59fce:$a4: \Orbitum\User Data\Default\Login Data 0x1bb0f:$a5: \Kometa\User Data\Default\Login Data 0x3b72f:$a5: \Kometa\User Data\Default\Login Data 0x5b14f:$a5: \Kometa\User Data\Default\Login Data
0.2.oAE7nqtsNA.exe.4e715a0.9.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.oAE7nqtsNA.exe.4e715a0.9.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.oAE7nqtsNA.exe.4e715a0.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.oAE7nqtsNA.exe.4e715a0.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.oAE7nqtsNA.exe.4e715a0.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x148bb:$s1: UnHook 0x344db:$s1: UnHook 0x53efb:$s1: UnHook 0x148c2:$s2: SetHook 0x344e2:$s2: SetHook 0x53f02:$s2: SetHook 0x148ca:$s3: CallNextHook 0x344ea:$s3: CallNextHook 0x53f0a:$s3: CallNextHook 0x148d7:$s4: _hook 0x344f7:$s4: _hook 0x53f17:$s4: _hook
0.2.oAE7nqtsNA.exe.4e715a0.9.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17618:$x1: $%SMTPDV$ 0x37238:$x1: $%SMTPDV$ 0x56c58:$x1: $%SMTPDV$ 0x1762e:$x2: $#TheHashHere%& 0x3724e:$x2: $#TheHashHere%& 0x56c6e:$x2: $#TheHashHere%& 0x189c8:$x3: %FTPDV$ 0x385e8:$x3: %FTPDV$ 0x58008:$x3: %FTPDV$ 0x18a90:$x4: $%TelegramDv$ 0x386b0:$x4: $%TelegramDv$ 0x580d0:$x4: $%TelegramDv$ 0x14f34:$x5: KeyLoggerEventArgs 0x152ca:$x5: KeyLoggerEventArgs 0x34b54:$x5: KeyLoggerEventArgs 0x34eea:$x5: KeyLoggerEventArgs 0x54574:$x5: KeyLoggerEventArgs 0x5490a:$x5: KeyLoggerEventArgs 0x18a38:$m1: \| Snake Keylogger 0x18af0:$m1: \| Snake Keylogger 0x18c44:$m1: \| Snake Keylogger
5.0.oAE7nqtsNA.exe.400000.12.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b35e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a547:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a98e:$a4: \Orbitum\User Data\Default\Login Data 0x1bb0f:$a5: \Kometa\User Data\Default\Login Data
5.0.oAE7nqtsNA.exe.400000.12.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.0.oAE7nqtsNA.exe.400000.12.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.0.oAE7nqtsNA.exe.400000.12.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.0.oAE7nqtsNA.exe.400000.12.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.0.oAE7nqtsNA.exe.400000.12.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x148bb:$s1: UnHook 0x148c2:$s2: SetHook 0x148ca:$s3: CallNextHook 0x148d7:$s4: _hook
5.0.oAE7nqtsNA.exe.400000.12.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17618:$x1: $%SMTPDV$ 0x1762e:$x2: $#TheHashHere%& 0x189c8:$x3: %FTPDV$ 0x18a90:$x4: $%TelegramDv$ 0x14f34:$x5: KeyLoggerEventArgs 0x152ca:$x5: KeyLoggerEventArgs 0x18a38:$m1: \| Snake Keylogger 0x18af0:$m1: \| Snake Keylogger 0x18c44:$m1: \| Snake Keylogger 0x18d6a:$m1: \| Snake Keylogger 0x18ec4:$m1: \| Snake Keylogger 0x189ec:$m2: Clipboard Logs ID 0x18bfa:$m2: Screenshot Logs ID 0x18d0e:$m2: keystroke Logs ID 0x18efa:$m3: SnakePW 0x18bd2:$m4: \SnakeKeylogger\
0.2.oAE7nqtsNA.exe.33228fc.4.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.oAE7nqtsNA.exe.33228fc.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.oAE7nqtsNA.exe.33228fc.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x1802b6:$v1: SbieDll.dll 0x1802d0:$v2: USER 0x1802dc:$v3: SANDBOX 0x1802ee:$v4: VIRUS 0x18033e:$v4: VIRUS 0x1802fc:$v5: MALWARE 0x18030e:$v6: SCHMIDTI 0x180322:$v7: CURRENTUSER
5.0.oAE7nqtsNA.exe.400000.10.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b35e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a547:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a98e:$a4: \Orbitum\User Data\Default\Login Data 0x1bb0f:$a5: \Kometa\User Data\Default\Login Data
5.0.oAE7nqtsNA.exe.400000.10.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.0.oAE7nqtsNA.exe.400000.10.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.0.oAE7nqtsNA.exe.400000.10.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.0.oAE7nqtsNA.exe.400000.10.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.0.oAE7nqtsNA.exe.400000.10.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x148bb:$s1: UnHook 0x148c2:$s2: SetHook 0x148ca:$s3: CallNextHook 0x148d7:$s4: _hook
5.0.oAE7nqtsNA.exe.400000.10.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17618:$x1: $%SMTPDV$ 0x1762e:$x2: $#TheHashHere%& 0x189c8:$x3: %FTPDV$ 0x18a90:$x4: $%TelegramDv$ 0x14f34:$x5: KeyLoggerEventArgs 0x152ca:$x5: KeyLoggerEventArgs 0x18a38:$m1: \| Snake Keylogger 0x18af0:$m1: \| Snake Keylogger 0x18c44:$m1: \| Snake Keylogger 0x18d6a:$m1: \| Snake Keylogger 0x18ec4:$m1: \| Snake Keylogger 0x189ec:$m2: Clipboard Logs ID 0x18bfa:$m2: Screenshot Logs ID 0x18d0e:$m2: keystroke Logs ID 0x18efa:$m3: SnakePW 0x18bd2:$m4: \SnakeKeylogger\
0.2.oAE7nqtsNA.exe.4e4fb80.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3cd7e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5c99e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7c3be:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3bf67:$a3: \Google\Chrome\User Data\Default\Login Data 0x5bb87:$a3: \Google\Chrome\User Data\Default\Login Data 0x7b5a7:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c3ae:$a4: \Orbitum\User Data\Default\Login Data 0x5bfce:$a4: \Orbitum\User Data\Default\Login Data 0x7b9ee:$a4: \Orbitum\User Data\Default\Login Data 0x3d52f:$a5: \Kometa\User Data\Default\Login Data 0x5d14f:$a5: \Kometa\User Data\Default\Login Data 0x7cb6f:$a5: \Kometa\User Data\Default\Login Data
0.2.oAE7nqtsNA.exe.4e4fb80.7.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.oAE7nqtsNA.exe.4e4fb80.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.oAE7nqtsNA.exe.4e4fb80.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.oAE7nqtsNA.exe.4e4fb80.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.oAE7nqtsNA.exe.4e4fb80.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x362db:$s1: UnHook 0x55efb:$s1: UnHook 0x7591b:$s1: UnHook 0x362e2:$s2: SetHook 0x55f02:$s2: SetHook 0x75922:$s2: SetHook 0x362ea:$s3: CallNextHook 0x55f0a:$s3: CallNextHook 0x7592a:$s3: CallNextHook 0x362f7:$s4: _hook 0x55f17:$s4: _hook 0x75937:$s4: _hook
0.2.oAE7nqtsNA.exe.4e4fb80.7.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x39038:$x1: $%SMTPDV$ 0x58c58:$x1: $%SMTPDV$ 0x78678:$x1: $%SMTPDV$ 0x3904e:$x2: $#TheHashHere%& 0x58c6e:$x2: $#TheHashHere%& 0x7868e:$x2: $#TheHashHere%& 0x3a3e8:$x3: %FTPDV$ 0x5a008:$x3: %FTPDV$ 0x79a28:$x3: %FTPDV$ 0x3a4b0:$x4: $%TelegramDv$ 0x5a0d0:$x4: $%TelegramDv$ 0x79af0:$x4: $%TelegramDv$ 0x36954:$x5: KeyLoggerEventArgs 0x36cea:$x5: KeyLoggerEventArgs 0x56574:$x5: KeyLoggerEventArgs 0x5690a:$x5: KeyLoggerEventArgs 0x75f94:$x5: KeyLoggerEventArgs 0x7632a:$x5: KeyLoggerEventArgs 0x3a458:$m1: \| Snake Keylogger 0x3a510:$m1: \| Snake Keylogger 0x3a664:$m1: \| Snake Keylogger
0.2.oAE7nqtsNA.exe.4e911c0.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1955e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x18747:$a3: \Google\Chrome\User Data\Default\Login Data 0x18b8e:$a4: \Orbitum\User Data\Default\Login Data 0x19d0f:$a5: \Kometa\User Data\Default\Login Data
0.2.oAE7nqtsNA.exe.4e911c0.8.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.oAE7nqtsNA.exe.4e911c0.8.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.oAE7nqtsNA.exe.4e911c0.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.oAE7nqtsNA.exe.4e911c0.8.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x12abb:$s1: UnHook 0x12ac2:$s2: SetHook 0x12aca:$s3: CallNextHook 0x12ad7:$s4: _hook
0.2.oAE7nqtsNA.exe.4e911c0.8.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x15818:$x1: $%SMTPDV$ 0x1582e:$x2: $#TheHashHere%& 0x16bc8:$x3: %FTPDV$ 0x16c90:$x4: $%TelegramDv$ 0x13134:$x5: KeyLoggerEventArgs 0x134ca:$x5: KeyLoggerEventArgs 0x16c38:$m1: \| Snake Keylogger 0x16cf0:$m1: \| Snake Keylogger 0x16e44:$m1: \| Snake Keylogger 0x16f6a:$m1: \| Snake Keylogger 0x170c4:$m1: \| Snake Keylogger 0x16bec:$m2: Clipboard Logs ID 0x16dfa:$m2: Screenshot Logs ID 0x16f0e:$m2: keystroke Logs ID 0x170fa:$m3: SnakePW 0x16dd2:$m4: \SnakeKeylogger\
0.2.oAE7nqtsNA.exe.4e911c0.8.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b35e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ad7e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a547:$a3: \Google\Chrome\User Data\Default\Login Data 0x39f67:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a98e:$a4: \Orbitum\User Data\Default\Login Data 0x3a3ae:$a4: \Orbitum\User Data\Default\Login Data 0x1bb0f:$a5: \Kometa\User Data\Default\Login Data 0x3b52f:$a5: \Kometa\User Data\Default\Login Data
0.2.oAE7nqtsNA.exe.4e911c0.8.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.oAE7nqtsNA.exe.4e911c0.8.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.oAE7nqtsNA.exe.4e911c0.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.oAE7nqtsNA.exe.4e911c0.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.oAE7nqtsNA.exe.4e911c0.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x148bb:$s1: UnHook 0x342db:$s1: UnHook 0x148c2:$s2: SetHook 0x342e2:$s2: SetHook 0x148ca:$s3: CallNextHook 0x342ea:$s3: CallNextHook 0x148d7:$s4: _hook 0x342f7:$s4: _hook
0.2.oAE7nqtsNA.exe.4e911c0.8.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17618:$x1: $%SMTPDV$ 0x37038:$x1: $%SMTPDV$ 0x1762e:$x2: $#TheHashHere%& 0x3704e:$x2: $#TheHashHere%& 0x189c8:$x3: %FTPDV$ 0x383e8:$x3: %FTPDV$ 0x18a90:$x4: $%TelegramDv$ 0x384b0:$x4: $%TelegramDv$ 0x14f34:$x5: KeyLoggerEventArgs 0x152ca:$x5: KeyLoggerEventArgs 0x34954:$x5: KeyLoggerEventArgs 0x34cea:$x5: KeyLoggerEventArgs 0x18a38:$m1: \| Snake Keylogger 0x18af0:$m1: \| Snake Keylogger 0x18c44:$m1: \| Snake Keylogger 0x18d6a:$m1: \| Snake Keylogger 0x18ec4:$m1: \| Snake Keylogger 0x38458:$m1: \| Snake Keylogger 0x38510:$m1: \| Snake Keylogger 0x38664:$m1: \| Snake Keylogger 0x3878a:$m1: \| Snake Keylogger
0.2.oAE7nqtsNA.exe.4e715a0.9.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1955e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x18747:$a3: \Google\Chrome\User Data\Default\Login Data 0x18b8e:$a4: \Orbitum\User Data\Default\Login Data 0x19d0f:$a5: \Kometa\User Data\Default\Login Data
0.2.oAE7nqtsNA.exe.4e715a0.9.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.oAE7nqtsNA.exe.4e715a0.9.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.oAE7nqtsNA.exe.4e715a0.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.oAE7nqtsNA.exe.4e715a0.9.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x12abb:$s1: UnHook 0x12ac2:$s2: SetHook 0x12aca:$s3: CallNextHook 0x12ad7:$s4: _hook
0.2.oAE7nqtsNA.exe.4e715a0.9.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x15818:$x1: $%SMTPDV$ 0x1582e:$x2: $#TheHashHere%& 0x16bc8:$x3: %FTPDV$ 0x16c90:$x4: $%TelegramDv$ 0x13134:$x5: KeyLoggerEventArgs 0x134ca:$x5: KeyLoggerEventArgs 0x16c38:$m1: \| Snake Keylogger 0x16cf0:$m1: \| Snake Keylogger 0x16e44:$m1: \| Snake Keylogger 0x16f6a:$m1: \| Snake Keylogger 0x170c4:$m1: \| Snake Keylogger 0x16bec:$m2: Clipboard Logs ID 0x16dfa:$m2: Screenshot Logs ID 0x16f0e:$m2: keystroke Logs ID 0x170fa:$m3: SnakePW 0x16dd2:$m4: \SnakeKeylogger\
5.0.oAE7nqtsNA.exe.400000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b35e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a547:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a98e:$a4: \Orbitum\User Data\Default\Login Data 0x1bb0f:$a5: \Kometa\User Data\Default\Login Data
5.0.oAE7nqtsNA.exe.400000.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.0.oAE7nqtsNA.exe.400000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.0.oAE7nqtsNA.exe.400000.4.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.0.oAE7nqtsNA.exe.400000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.0.oAE7nqtsNA.exe.400000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x148bb:$s1: UnHook 0x148c2:$s2: SetHook 0x148ca:$s3: CallNextHook 0x148d7:$s4: _hook
5.0.oAE7nqtsNA.exe.400000.4.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17618:$x1: $%SMTPDV$ 0x1762e:$x2: $#TheHashHere%& 0x189c8:$x3: %FTPDV$ 0x18a90:$x4: $%TelegramDv$ 0x14f34:$x5: KeyLoggerEventArgs 0x152ca:$x5: KeyLoggerEventArgs 0x18a38:$m1: \| Snake Keylogger 0x18af0:$m1: \| Snake Keylogger 0x18c44:$m1: \| Snake Keylogger 0x18d6a:$m1: \| Snake Keylogger 0x18ec4:$m1: \| Snake Keylogger 0x189ec:$m2: Clipboard Logs ID 0x18bfa:$m2: Screenshot Logs ID 0x18d0e:$m2: keystroke Logs ID 0x18efa:$m3: SnakePW 0x18bd2:$m4: \SnakeKeylogger\
5.2.oAE7nqtsNA.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b35e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a547:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a98e:$a4: \Orbitum\User Data\Default\Login Data 0x1bb0f:$a5: \Kometa\User Data\Default\Login Data
5.2.oAE7nqtsNA.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.2.oAE7nqtsNA.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.oAE7nqtsNA.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.2.oAE7nqtsNA.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.oAE7nqtsNA.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x148bb:$s1: UnHook 0x148c2:$s2: SetHook 0x148ca:$s3: CallNextHook 0x148d7:$s4: _hook
5.2.oAE7nqtsNA.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17618:$x1: $%SMTPDV$ 0x1762e:$x2: $#TheHashHere%& 0x189c8:$x3: %FTPDV$ 0x18a90:$x4: $%TelegramDv$ 0x14f34:$x5: KeyLoggerEventArgs 0x152ca:$x5: KeyLoggerEventArgs 0x18a38:$m1: \| Snake Keylogger 0x18af0:$m1: \| Snake Keylogger 0x18c44:$m1: \| Snake Keylogger 0x18d6a:$m1: \| Snake Keylogger 0x18ec4:$m1: \| Snake Keylogger 0x189ec:$m2: Clipboard Logs ID 0x18bfa:$m2: Screenshot Logs ID 0x18d0e:$m2: keystroke Logs ID 0x18efa:$m3: SnakePW 0x18bd2:$m4: \SnakeKeylogger\
5.0.oAE7nqtsNA.exe.400000.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b35e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a547:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a98e:$a4: \Orbitum\User Data\Default\Login Data 0x1bb0f:$a5: \Kometa\User Data\Default\Login Data
5.0.oAE7nqtsNA.exe.400000.8.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.0.oAE7nqtsNA.exe.400000.8.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.0.oAE7nqtsNA.exe.400000.8.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.0.oAE7nqtsNA.exe.400000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.0.oAE7nqtsNA.exe.400000.8.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x148bb:$s1: UnHook 0x148c2:$s2: SetHook 0x148ca:$s3: CallNextHook 0x148d7:$s4: _hook
5.0.oAE7nqtsNA.exe.400000.8.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17618:$x1: $%SMTPDV$ 0x1762e:$x2: $#TheHashHere%& 0x189c8:$x3: %FTPDV$ 0x18a90:$x4: $%TelegramDv$ 0x14f34:$x5: KeyLoggerEventArgs 0x152ca:$x5: KeyLoggerEventArgs 0x18a38:$m1: \| Snake Keylogger 0x18af0:$m1: \| Snake Keylogger 0x18c44:$m1: \| Snake Keylogger 0x18d6a:$m1: \| Snake Keylogger 0x18ec4:$m1: \| Snake Keylogger 0x189ec:$m2: Clipboard Logs ID 0x18bfa:$m2: Screenshot Logs ID 0x18d0e:$m2: keystroke Logs ID 0x18efa:$m3: SnakePW 0x18bd2:$m4: \SnakeKeylogger\
5.0.oAE7nqtsNA.exe.400000.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b35e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a547:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a98e:$a4: \Orbitum\User Data\Default\Login Data 0x1bb0f:$a5: \Kometa\User Data\Default\Login Data
5.0.oAE7nqtsNA.exe.400000.6.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.0.oAE7nqtsNA.exe.400000.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.0.oAE7nqtsNA.exe.400000.6.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.0.oAE7nqtsNA.exe.400000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.0.oAE7nqtsNA.exe.400000.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x148bb:$s1: UnHook 0x148c2:$s2: SetHook 0x148ca:$s3: CallNextHook 0x148d7:$s4: _hook
5.0.oAE7nqtsNA.exe.400000.6.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17618:$x1: $%SMTPDV$ 0x1762e:$x2: $#TheHashHere%& 0x189c8:$x3: %FTPDV$ 0x18a90:$x4: $%TelegramDv$ 0x14f34:$x5: KeyLoggerEventArgs 0x152ca:$x5: KeyLoggerEventArgs 0x18a38:$m1: \| Snake Keylogger 0x18af0:$m1: \| Snake Keylogger 0x18c44:$m1: \| Snake Keylogger 0x18d6a:$m1: \| Snake Keylogger 0x18ec4:$m1: \| Snake Keylogger 0x189ec:$m2: Clipboard Logs ID 0x18bfa:$m2: Screenshot Logs ID 0x18d0e:$m2: keystroke Logs ID 0x18efa:$m3: SnakePW 0x18bd2:$m4: \SnakeKeylogger\
Click to see the 73 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: oAE7nqtsNA.exe	Virustotal: Detection: 36%			Perma Link
Source: oAE7nqtsNA.exe	ReversingLabs: Detection: 61%

Antivirus / Scanner detection for submitted sample

Source: oAE7nqtsNA.exe

Avira: detected

Machine Learning detection for sample

Source: oAE7nqtsNA.exe

Joe Sandbox ML: detected

Source: 5.0.oAE7nqtsNA.exe.400000.4.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 5.0.oAE7nqtsNA.exe.400000.8.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 5.0.oAE7nqtsNA.exe.400000.6.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 5.2.oAE7nqtsNA.exe.400000.0.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 5.0.oAE7nqtsNA.exe.400000.12.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 5.0.oAE7nqtsNA.exe.400000.10.unpack	Avira: Label: TR/ATRAPS.Gen

Source: 5.0.oAE7nqtsNA.exe.400000.4.unpack

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "frankjoelog@valete.buzz", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua", "Port": "frankjoe@valete.buzz"}

Source: oAE7nqtsNA.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: oAE7nqtsNA.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 03028687h	5_2_030283C9
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 0302F539h	5_2_0302F280
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 030263D1h	5_2_03026111
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 03027507h	5_2_03027196
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 0302EC8Ah	5_2_0302E758
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 03027967h	5_2_030276A8
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 0302F991h	5_2_0302F6D8
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 03026B10h	5_2_030266F8
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 03025F70h	5_2_03025587
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 03027DC7h	5_2_03027B08
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 0302FDE9h	5_2_0302FB30
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 03028227h	5_2_03027F68
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 0302F0E1h	5_2_0302EE28
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 03026B10h	5_2_030266E8
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 03026B10h	5_2_03026A3E
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_03024AA8
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B9FAE1h	5_2_05B9F838
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B9F231h	5_2_05B9EF88
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B9F689h	5_2_05B9F3E0
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B9EDD9h	5_2_05B9EB30
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B9E529h	5_2_05B9E280
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B9E981h	5_2_05B9E6D8
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B97441h	5_2_05B97198
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B97899h	5_2_05B975F0
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B94479h	5_2_05B941D0
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B93BC9h	5_2_05B93920
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B94021h	5_2_05B93D78
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B96FE9h	5_2_05B96D40
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B96739h	5_2_05B96490
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B96B91h	5_2_05B968E8
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B93771h	5_2_05B934C8
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B962E1h	5_2_05B96038
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	5_2_05B9C020
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	5_2_05B9C00F
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B93319h	5_2_05B93070
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B95A31h	5_2_05B95788
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B95E89h	5_2_05B95BE0
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B955D9h	5_2_05B95330
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	5_2_05B9C336
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B989F9h	5_2_05B98750
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B98149h	5_2_05B97EA0
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B94D29h	5_2_05B94A80
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B985A1h	5_2_05B982F8
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B95181h	5_2_05B94ED8
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B948D1h	5_2_05B94628
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B9E0A9h	5_2_05B9DE00
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 4x nop then jmp 05B97CF1h	5_2_05B97A48

Networking

May check the online IP address of the machine

Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	DNS query: name: checkip.dyndns.org

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e715a0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.33228fc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e4fb80.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e911c0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.oAE7nqtsNA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.6.unpack, type: UNPACKEDPE

Source: Joe Sandbox View

IP Address: 193.122.130.0 193.122.130.0

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: oAE7nqtsNA.exe, 00000005.00000002.633758054.00000000032C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: oAE7nqtsNA.exe, 00000005.00000002.633579868.0000000003221000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000005.00000002.633758054.00000000032C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: oAE7nqtsNA.exe, 00000005.00000002.633579868.0000000003221000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: oAE7nqtsNA.exe, 00000000.00000002.419701815.0000000004E4F000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000005.00000000.410485061.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: oAE7nqtsNA.exe, 00000005.00000002.633579868.0000000003221000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org4
Source: oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: oAE7nqtsNA.exe, 00000005.00000002.633579868.0000000003221000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: oAE7nqtsNA.exe, 00000000.00000003.373501516.0000000008602000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.373406882.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.373488583.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: oAE7nqtsNA.exe, 00000000.00000003.373501516.0000000008602000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.373488583.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com8
Source: oAE7nqtsNA.exe, 00000000.00000003.373501516.0000000008602000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.373488583.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comCm
Source: oAE7nqtsNA.exe, 00000000.00000003.373501516.0000000008602000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.373488583.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comcom2:
Source: oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: oAE7nqtsNA.exe, 00000000.00000003.378280858.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: oAE7nqtsNA.exe, 00000000.00000003.386273147.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers$4
Source: oAE7nqtsNA.exe, 00000000.00000003.377796525.000000000860F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.378710748.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.378710748.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: oAE7nqtsNA.exe, 00000000.00000003.379329452.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.379475463.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.379413748.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers94
Source: oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: oAE7nqtsNA.exe, 00000000.00000003.377820878.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.377871680.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersp
Source: oAE7nqtsNA.exe, 00000000.00000003.379545847.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.379660966.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.379475463.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.379618788.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.379413748.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersr
Source: oAE7nqtsNA.exe, 00000000.00000003.414103381.00000000085D0000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000002.422768964.00000000085D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comaA
Source: oAE7nqtsNA.exe, 00000000.00000003.414103381.00000000085D0000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000002.422768964.00000000085D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comgrita
Source: oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: oAE7nqtsNA.exe, 00000000.00000003.372589089.00000000085DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: oAE7nqtsNA.exe, 00000000.00000003.382093813.000000000860F000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.382162334.000000000860F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: oAE7nqtsNA.exe, 00000000.00000003.382093813.000000000860F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/j
Source: oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: oAE7nqtsNA.exe, 00000000.00000003.386180535.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.386020175.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.monotype.
Source: oAE7nqtsNA.exe, 00000000.00000003.385023609.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.385142286.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.385086768.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.monotype.u5Ifm
Source: oAE7nqtsNA.exe, 00000000.00000003.370199665.00000000085D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: oAE7nqtsNA.exe, 00000000.00000003.375462201.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.375487989.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.375434034.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.375524462.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.375549410.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: oAE7nqtsNA.exe, 00000000.00000003.373562364.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.372804822.00000000085E0000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.372643733.00000000085D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: oAE7nqtsNA.exe, 00000000.00000003.372643733.00000000085D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comn
Source: oAE7nqtsNA.exe, 00000000.00000003.373562364.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comnt
Source: oAE7nqtsNA.exe, 00000000.00000003.373562364.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comu?sg
Source: oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: oAE7nqtsNA.exe, 00000000.00000003.377510752.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.377635947.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.377735120.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.377558699.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.de
Source: oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: oAE7nqtsNA.exe, 00000000.00000003.377510752.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.377635947.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.377735120.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.377558699.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.377783630.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deM?
Source: oAE7nqtsNA.exe, 00000000.00000003.380334792.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.380092149.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.380247772.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.380002455.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deQ?og
Source: oAE7nqtsNA.exe, 00000000.00000003.377510752.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.377635947.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.377735120.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.377558699.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.377783630.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deet
Source: oAE7nqtsNA.exe, 00000000.00000003.380002455.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deoM?
Source: oAE7nqtsNA.exe, 00000000.00000003.380092149.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.380247772.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.380002455.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.der
Source: oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: oAE7nqtsNA.exe, 00000000.00000002.419701815.0000000004E4F000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000005.00000000.410485061.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: oAE7nqtsNA.exe	String found in binary or memory: https://picsum.photos/80

Source: unknown

DNS traffic detected: queries for: checkip.dyndns.org

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.oAE7nqtsNA.exe.4e715a0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.oAE7nqtsNA.exe.4e715a0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.oAE7nqtsNA.exe.4e715a0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.0.oAE7nqtsNA.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.0.oAE7nqtsNA.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.0.oAE7nqtsNA.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.oAE7nqtsNA.exe.33228fc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 5.0.oAE7nqtsNA.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.0.oAE7nqtsNA.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.0.oAE7nqtsNA.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.oAE7nqtsNA.exe.4e4fb80.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.oAE7nqtsNA.exe.4e4fb80.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.oAE7nqtsNA.exe.4e4fb80.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.oAE7nqtsNA.exe.4e911c0.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.oAE7nqtsNA.exe.4e911c0.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.oAE7nqtsNA.exe.4e911c0.8.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.oAE7nqtsNA.exe.4e911c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.oAE7nqtsNA.exe.4e911c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.oAE7nqtsNA.exe.4e911c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.oAE7nqtsNA.exe.4e715a0.9.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.oAE7nqtsNA.exe.4e715a0.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.oAE7nqtsNA.exe.4e715a0.9.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.0.oAE7nqtsNA.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.0.oAE7nqtsNA.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.0.oAE7nqtsNA.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.oAE7nqtsNA.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.oAE7nqtsNA.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.oAE7nqtsNA.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.0.oAE7nqtsNA.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.0.oAE7nqtsNA.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.0.oAE7nqtsNA.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.0.oAE7nqtsNA.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.0.oAE7nqtsNA.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.0.oAE7nqtsNA.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000000.410485061.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.632442217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000000.411281858.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000000.410840955.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000000.411712452.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.419701815.0000000004E4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: oAE7nqtsNA.exe PID: 7108, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: oAE7nqtsNA.exe PID: 6516, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: oAE7nqtsNA.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.oAE7nqtsNA.exe.4e715a0.9.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.oAE7nqtsNA.exe.4e715a0.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.oAE7nqtsNA.exe.4e715a0.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.0.oAE7nqtsNA.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.oAE7nqtsNA.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.0.oAE7nqtsNA.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.oAE7nqtsNA.exe.33228fc.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 5.0.oAE7nqtsNA.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.oAE7nqtsNA.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.0.oAE7nqtsNA.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.oAE7nqtsNA.exe.4e4fb80.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.oAE7nqtsNA.exe.4e4fb80.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.oAE7nqtsNA.exe.4e4fb80.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.oAE7nqtsNA.exe.4e911c0.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.oAE7nqtsNA.exe.4e911c0.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.oAE7nqtsNA.exe.4e911c0.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.oAE7nqtsNA.exe.4e911c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.oAE7nqtsNA.exe.4e911c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.oAE7nqtsNA.exe.4e911c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.oAE7nqtsNA.exe.4e715a0.9.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.oAE7nqtsNA.exe.4e715a0.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.oAE7nqtsNA.exe.4e715a0.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.0.oAE7nqtsNA.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.oAE7nqtsNA.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.0.oAE7nqtsNA.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.oAE7nqtsNA.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.oAE7nqtsNA.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.oAE7nqtsNA.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.0.oAE7nqtsNA.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.oAE7nqtsNA.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.0.oAE7nqtsNA.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.0.oAE7nqtsNA.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.oAE7nqtsNA.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.0.oAE7nqtsNA.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000000.410485061.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.632442217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000000.411281858.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000000.410840955.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000000.411712452.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.419701815.0000000004E4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: oAE7nqtsNA.exe PID: 7108, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: oAE7nqtsNA.exe PID: 6516, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 0_2_09E63188	0_2_09E63188
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 0_2_09E60448	0_2_09E60448
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 0_2_015C0478	0_2_015C0478
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 0_2_015C17A0	0_2_015C17A0
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 0_2_015C0468	0_2_015C0468
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 0_2_015C1790	0_2_015C1790
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 0_2_00EA5B9B	0_2_00EA5B9B
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_030283C9	5_2_030283C9
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_0302A3E4	5_2_0302A3E4
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_0302F280	5_2_0302F280
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_03026111	5_2_03026111
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_03027196	5_2_03027196
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_0302E758	5_2_0302E758
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_030276A8	5_2_030276A8
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_0302F6D8	5_2_0302F6D8
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_03025587	5_2_03025587
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_03027B08	5_2_03027B08
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_0302FB30	5_2_0302FB30
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_03026B88	5_2_03026B88
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_03027F68	5_2_03027F68
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_0302EE28	5_2_0302EE28
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_03027248	5_2_03027248
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_03026B78	5_2_03026B78
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_03024A98	5_2_03024A98
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_03024AA8	5_2_03024AA8
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_0302DFD0	5_2_0302DFD0
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_0302DFE0	5_2_0302DFE0
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B9F838	5_2_05B9F838
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B9EF88	5_2_05B9EF88
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B9F3E0	5_2_05B9F3E0
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B9EB30	5_2_05B9EB30
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B9E280	5_2_05B9E280
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B9E6D8	5_2_05B9E6D8
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B97198	5_2_05B97198
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B97188	5_2_05B97188
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B975F0	5_2_05B975F0
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B9DDF0	5_2_05B9DDF0
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B975E4	5_2_05B975E4
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B941D0	5_2_05B941D0
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B941C0	5_2_05B941C0
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B96D36	5_2_05B96D36
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B93920	5_2_05B93920
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B93910	5_2_05B93910
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B93D78	5_2_05B93D78
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B93D68	5_2_05B93D68
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B96D40	5_2_05B96D40
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B934B8	5_2_05B934B8
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B9D098	5_2_05B9D098
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B96490	5_2_05B96490
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B96482	5_2_05B96482
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B968E8	5_2_05B968E8
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B968D8	5_2_05B968D8
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B934C8	5_2_05B934C8
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B96038	5_2_05B96038
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B9F828	5_2_05B9F828
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B9602E	5_2_05B9602E
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B9C020	5_2_05B9C020
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B90016	5_2_05B90016
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B9C00F	5_2_05B9C00F
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B93070	5_2_05B93070
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B93062	5_2_05B93062
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B90040	5_2_05B90040
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B98BA8	5_2_05B98BA8
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B9C398	5_2_05B9C398
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B95788	5_2_05B95788
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B95BE0	5_2_05B95BE0
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B95BD0	5_2_05B95BD0
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B9F3D0	5_2_05B9F3D0
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B95330	5_2_05B95330
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B95321	5_2_05B95321
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B9EB20	5_2_05B9EB20
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B9EF79	5_2_05B9EF79
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B95778	5_2_05B95778
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B9B770	5_2_05B9B770
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B98750	5_2_05B98750
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B98741	5_2_05B98741
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B97EA0	5_2_05B97EA0
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B97E90	5_2_05B97E90
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B94A80	5_2_05B94A80
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B982F8	5_2_05B982F8
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B982E8	5_2_05B982E8
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B94ED8	5_2_05B94ED8
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B9B6C9	5_2_05B9B6C9
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B94EC8	5_2_05B94EC8
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B9E6C8	5_2_05B9E6C8
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B97A3A	5_2_05B97A3A
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B94628	5_2_05B94628
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B94619	5_2_05B94619
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B9DE00	5_2_05B9DE00
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B9E271	5_2_05B9E271
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B94A70	5_2_05B94A70
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_05B97A48	5_2_05B97A48
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Code function: 5_2_00ED5B9B	5_2_00ED5B9B

Source: oAE7nqtsNA.exe	Binary or memory string: OriginalFilename vs oAE7nqtsNA.exe
Source: oAE7nqtsNA.exe, 00000000.00000002.423797246.0000000009E90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNativeVariant.dll" vs oAE7nqtsNA.exe
Source: oAE7nqtsNA.exe, 00000000.00000002.417015473.000000000331A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNativeVariant.dll" vs oAE7nqtsNA.exe
Source: oAE7nqtsNA.exe, 00000000.00000002.417015473.000000000331A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs oAE7nqtsNA.exe
Source: oAE7nqtsNA.exe, 00000000.00000002.423808559.0000000009FE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTweenuserAPI.dllD vs oAE7nqtsNA.exe
Source: oAE7nqtsNA.exe, 00000000.00000002.416673609.00000000032CA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloneHelper.dll4 vs oAE7nqtsNA.exe
Source: oAE7nqtsNA.exe, 00000000.00000002.418556938.0000000004B58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTweenuserAPI.dllD vs oAE7nqtsNA.exe
Source: oAE7nqtsNA.exe, 00000000.00000002.419701815.0000000004E4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs oAE7nqtsNA.exe
Source: oAE7nqtsNA.exe, 00000000.00000002.423555614.0000000009E50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCloneHelper.dll4 vs oAE7nqtsNA.exe
Source: oAE7nqtsNA.exe	Binary or memory string: OriginalFilename vs oAE7nqtsNA.exe
Source: oAE7nqtsNA.exe, 00000005.00000000.410873708.0000000000422000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs oAE7nqtsNA.exe
Source: oAE7nqtsNA.exe, 00000005.00000002.633182026.00000000015F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs oAE7nqtsNA.exe
Source: oAE7nqtsNA.exe, 00000005.00000002.632877119.00000000012F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs oAE7nqtsNA.exe
Source: oAE7nqtsNA.exe	Binary or memory string: OriginalFilenameMessage.exe> vs oAE7nqtsNA.exe

Source: oAE7nqtsNA.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: oAE7nqtsNA.exe	Virustotal: Detection: 36%
Source: oAE7nqtsNA.exe	ReversingLabs: Detection: 61%

Source: oAE7nqtsNA.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\oAE7nqtsNA.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\oAE7nqtsNA.exe "C:\Users\user\Desktop\oAE7nqtsNA.exe"
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process created: C:\Users\user\Desktop\oAE7nqtsNA.exe C:\Users\user\Desktop\oAE7nqtsNA.exe
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process created: C:\Users\user\Desktop\oAE7nqtsNA.exe C:\Users\user\Desktop\oAE7nqtsNA.exe	Jump to behavior

Source: C:\Users\user\Desktop\oAE7nqtsNA.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oAE7nqtsNA.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1

Source: oAE7nqtsNA.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: 5.0.oAE7nqtsNA.exe.400000.4.unpack, uda3budc77O??/u0300??u061d?.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 5.0.oAE7nqtsNA.exe.400000.4.unpack, ??ufffdu2964ufffd/u06dau00ab?ufffdK.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.0.oAE7nqtsNA.exe.400000.8.unpack, uda3budc77O??/u0300??u061d?.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 5.0.oAE7nqtsNA.exe.400000.8.unpack, ??ufffdu2964ufffd/u06dau00ab?ufffdK.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.0.oAE7nqtsNA.exe.400000.6.unpack, uda3budc77O??/u0300??u061d?.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 5.0.oAE7nqtsNA.exe.400000.6.unpack, ??ufffdu2964ufffd/u06dau00ab?ufffdK.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.oAE7nqtsNA.exe.400000.0.unpack, uda3budc77O??/u0300??u061d?.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'

Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\oAE7nqtsNA.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\oAE7nqtsNA.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: oAE7nqtsNA.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: oAE7nqtsNA.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: oAE7nqtsNA.exe

Static PE information: 0xD255CC74 [Tue Oct 28 00:51:00 2081 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.8977969416018095

Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.33228fc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.417015473.000000000331A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: oAE7nqtsNA.exe PID: 7108, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: oAE7nqtsNA.exe, 00000000.00000002.417015473.000000000331A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: oAE7nqtsNA.exe, 00000000.00000002.417015473.000000000331A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\oAE7nqtsNA.exe TID: 1352

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\oAE7nqtsNA.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\oAE7nqtsNA.exe

Code function: 0_2_09E51515 sldt word ptr [eax]

0_2_09E51515

Source: C:\Users\user\Desktop\oAE7nqtsNA.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\oAE7nqtsNA.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: oAE7nqtsNA.exe, 00000000.00000002.417015473.000000000331A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: oAE7nqtsNA.exe, 00000000.00000002.417015473.000000000331A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: oAE7nqtsNA.exe, 00000005.00000003.433785722.000000000164C000.00000004.00000020.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000005.00000002.633218107.0000000001624000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: oAE7nqtsNA.exe, 00000000.00000002.417015473.000000000331A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: oAE7nqtsNA.exe, 00000000.00000002.417015473.000000000331A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\oAE7nqtsNA.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\oAE7nqtsNA.exe

Code function: 5_2_03025587 LdrInitializeThunk,

5_2_03025587

Source: C:\Users\user\Desktop\oAE7nqtsNA.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 5.0.oAE7nqtsNA.exe.400000.4.unpack, ??ufffdu2964ufffd/u06dau00ab?ufffdK.cs	Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 5.0.oAE7nqtsNA.exe.400000.4.unpack, ufffd????/u0032ufffdufffd??.cs	Reference to suspicious API methods: ('?A?&?', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: 5.0.oAE7nqtsNA.exe.400000.8.unpack, ??ufffdu2964ufffd/u06dau00ab?ufffdK.cs	Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 5.0.oAE7nqtsNA.exe.400000.8.unpack, ufffd????/u0032ufffdufffd??.cs	Reference to suspicious API methods: ('?A?&?', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: 5.0.oAE7nqtsNA.exe.400000.6.unpack, ??ufffdu2964ufffd/u06dau00ab?ufffdK.cs	Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 5.0.oAE7nqtsNA.exe.400000.6.unpack, ufffd????/u0032ufffdufffd??.cs	Reference to suspicious API methods: ('?A?&?', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: 5.2.oAE7nqtsNA.exe.400000.0.unpack, ??ufffdu2964ufffd/u06dau00ab?ufffdK.cs	Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 5.2.oAE7nqtsNA.exe.400000.0.unpack, ufffd????/u0032ufffdufffd??.cs	Reference to suspicious API methods: ('?A?&?', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: 5.0.oAE7nqtsNA.exe.400000.12.unpack, ??ufffdu2964ufffd/u06dau00ab?ufffdK.cs	Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 5.0.oAE7nqtsNA.exe.400000.12.unpack, ufffd????/u0032ufffdufffd??.cs	Reference to suspicious API methods: ('?A?&?', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: 5.0.oAE7nqtsNA.exe.400000.10.unpack, ??ufffdu2964ufffd/u06dau00ab?ufffdK.cs	Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 5.0.oAE7nqtsNA.exe.400000.10.unpack, ufffd????/u0032ufffdufffd??.cs	Reference to suspicious API methods: ('?A?&?', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\oAE7nqtsNA.exe

Memory written: C:\Users\user\Desktop\oAE7nqtsNA.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\oAE7nqtsNA.exe

Process created: C:\Users\user\Desktop\oAE7nqtsNA.exe C:\Users\user\Desktop\oAE7nqtsNA.exe

Jump to behavior

Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Users\user\Desktop\oAE7nqtsNA.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Users\user\Desktop\oAE7nqtsNA.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\oAE7nqtsNA.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e715a0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e4fb80.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e911c0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e911c0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e715a0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.oAE7nqtsNA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.410485061.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.632442217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.411281858.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.410840955.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.411712452.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.419701815.0000000004E4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e715a0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e4fb80.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e911c0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e911c0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e715a0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.oAE7nqtsNA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.410485061.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.632442217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.411281858.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.410840955.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.411712452.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.419701815.0000000004E4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: oAE7nqtsNA.exe PID: 7108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: oAE7nqtsNA.exe PID: 6516, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\oAE7nqtsNA.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\oAE7nqtsNA.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\oAE7nqtsNA.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e715a0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e4fb80.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e911c0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e911c0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e715a0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.oAE7nqtsNA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.410485061.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.632442217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.411281858.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.410840955.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.411712452.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.419701815.0000000004E4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: oAE7nqtsNA.exe PID: 7108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: oAE7nqtsNA.exe PID: 6516, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e715a0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e4fb80.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e911c0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e911c0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e715a0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.oAE7nqtsNA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.410485061.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.632442217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.411281858.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.410840955.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.411712452.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.419701815.0000000004E4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e715a0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e4fb80.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e911c0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e911c0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAE7nqtsNA.exe.4e715a0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.oAE7nqtsNA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.oAE7nqtsNA.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.410485061.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.632442217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.411281858.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.410840955.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.411712452.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.419701815.0000000004E4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: oAE7nqtsNA.exe PID: 7108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: oAE7nqtsNA.exe PID: 6516, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	111 Process Injection	1 Masquerading	2 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	12 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
oAE7nqtsNA.exe	37%	Virustotal		Browse
oAE7nqtsNA.exe	62%	ReversingLabs	ByteCode-MSIL.Spyware.SnakeLogger
oAE7nqtsNA.exe	100%	Avira	HEUR/AGEN.1202539
oAE7nqtsNA.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.0.oAE7nqtsNA.exe.400000.4.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
5.0.oAE7nqtsNA.exe.400000.8.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
5.0.oAE7nqtsNA.exe.e60000.0.unpack	100%	Avira	HEUR/AGEN.1202539	Download File
5.2.oAE7nqtsNA.exe.e60000.1.unpack	100%	Avira	HEUR/AGEN.1202539	Download File
5.0.oAE7nqtsNA.exe.e60000.9.unpack	100%	Avira	HEUR/AGEN.1202539	Download File
5.0.oAE7nqtsNA.exe.400000.6.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
5.0.oAE7nqtsNA.exe.e60000.7.unpack	100%	Avira	HEUR/AGEN.1202539	Download File
5.2.oAE7nqtsNA.exe.400000.0.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
5.0.oAE7nqtsNA.exe.e60000.3.unpack	100%	Avira	HEUR/AGEN.1202539	Download File
5.0.oAE7nqtsNA.exe.e60000.13.unpack	100%	Avira	HEUR/AGEN.1202539	Download File
5.0.oAE7nqtsNA.exe.e60000.5.unpack	100%	Avira	HEUR/AGEN.1202539	Download File
5.0.oAE7nqtsNA.exe.400000.12.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
5.0.oAE7nqtsNA.exe.400000.10.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
5.0.oAE7nqtsNA.exe.e60000.11.unpack	100%	Avira	HEUR/AGEN.1202539	Download File
5.0.oAE7nqtsNA.exe.e60000.1.unpack	100%	Avira	HEUR/AGEN.1202539	Download File
0.2.oAE7nqtsNA.exe.e30000.0.unpack	100%	Avira	HEUR/AGEN.1202539	Download File
0.0.oAE7nqtsNA.exe.e30000.0.unpack	100%	Avira	HEUR/AGEN.1202539	Download File
5.0.oAE7nqtsNA.exe.e60000.2.unpack	100%	Avira	HEUR/AGEN.1202539	Download File

Domains

Source	Detection	Scanner	Label	Link
checkip.dyndns.com	0%	Virustotal		Browse
checkip.dyndns.org	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.tiro.comnt	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.carterandcone.comcom2:	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.monotype.u5Ifm	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://checkip.dyndns.org4	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.fontbureau.comgrita	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://www.carterandcone.com8	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://www.carterandcone.comCm	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.galapagosdesign.com/j	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.tiro.comn	0%	URL Reputation	safe
http://www.urwpp.deQ?og	0%	Avira URL Cloud	safe
http://www.urwpp.deet	0%	Avira URL Cloud	safe
http://www.fontbureau.comaA	0%	Avira URL Cloud	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.tiro.comu?sg	0%	Avira URL Cloud	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.urwpp.deoM?	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.urwpp.der	0%	URL Reputation	safe
http://www.urwpp.deM?	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
checkip.dyndns.com	193.122.130.0	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.comnt	oAE7nqtsNA.exe, 00000000.00000003.373562364.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot	oAE7nqtsNA.exe, 00000000.00000002.419701815.0000000004E4F000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000005.00000000.410485061.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.comcom2:	oAE7nqtsNA.exe, 00000000.00000003.373501516.0000000008602000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.373488583.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	oAE7nqtsNA.exe, 00000000.00000003.373562364.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.372804822.00000000085E0000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.372643733.00000000085D5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	oAE7nqtsNA.exe, 00000000.00000003.378280858.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com	oAE7nqtsNA.exe, 00000000.00000003.373501516.0000000008602000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.373406882.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.373488583.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.monotype.u5Ifm	oAE7nqtsNA.exe, 00000000.00000003.385023609.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.385142286.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.385086768.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	oAE7nqtsNA.exe, 00000000.00000003.370199665.00000000085D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org4	oAE7nqtsNA.exe, 00000005.00000002.633579868.0000000003221000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comgrita	oAE7nqtsNA.exe, 00000000.00000003.414103381.00000000085D0000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000002.422768964.00000000085D0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com8	oAE7nqtsNA.exe, 00000000.00000003.373501516.0000000008602000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.373488583.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	oAE7nqtsNA.exe, 00000000.00000002.419701815.0000000004E4F000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000005.00000000.410485061.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comCm	oAE7nqtsNA.exe, 00000000.00000003.373501516.0000000008602000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.373488583.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	oAE7nqtsNA.exe, 00000005.00000002.633758054.00000000032C7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.de	oAE7nqtsNA.exe, 00000000.00000003.377510752.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.377635947.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.377735120.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.377558699.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	oAE7nqtsNA.exe, 00000005.00000002.633579868.0000000003221000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersp	oAE7nqtsNA.exe, 00000000.00000003.377820878.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.377871680.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	oAE7nqtsNA.exe, 00000000.00000003.375462201.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.375487989.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.375434034.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.375524462.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.375549410.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersr	oAE7nqtsNA.exe, 00000000.00000003.379545847.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.379660966.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.379475463.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.379618788.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.379413748.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/j	oAE7nqtsNA.exe, 00000000.00000003.382093813.000000000860F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/	oAE7nqtsNA.exe, 00000000.00000003.382093813.000000000860F000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.382162334.000000000860F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.comn	oAE7nqtsNA.exe, 00000000.00000003.372643733.00000000085D5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deQ?og	oAE7nqtsNA.exe, 00000000.00000003.380334792.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.380092149.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.380247772.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.380002455.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deet	oAE7nqtsNA.exe, 00000000.00000003.377510752.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.377635947.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.377735120.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.377558699.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.377783630.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comaA	oAE7nqtsNA.exe, 00000000.00000003.414103381.00000000085D0000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000002.422768964.00000000085D0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	oAE7nqtsNA.exe, 00000005.00000002.633579868.0000000003221000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000005.00000002.633758054.00000000032C7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	oAE7nqtsNA.exe, 00000000.00000003.372589089.00000000085DF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.378710748.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers$4	oAE7nqtsNA.exe, 00000000.00000003.386273147.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.comu?sg	oAE7nqtsNA.exe, 00000000.00000003.373562364.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.monotype.	oAE7nqtsNA.exe, 00000000.00000003.386180535.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.386020175.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deoM?	oAE7nqtsNA.exe, 00000000.00000003.380002455.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.der	oAE7nqtsNA.exe, 00000000.00000003.380092149.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.380247772.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.380002455.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deM?	oAE7nqtsNA.exe, 00000000.00000003.377510752.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.377635947.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.377735120.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.377558699.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.377783630.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	oAE7nqtsNA.exe, 00000000.00000002.423042498.0000000009862000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.378710748.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers94	oAE7nqtsNA.exe, 00000000.00000003.379329452.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.379475463.00000000085FE000.00000004.00000800.00020000.00000000.sdmp, oAE7nqtsNA.exe, 00000000.00000003.379413748.00000000085FE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://picsum.photos/80	oAE7nqtsNA.exe	false		high
http://www.fontbureau.com/designers/	oAE7nqtsNA.exe, 00000000.00000003.377796525.000000000860F000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.122.130.0	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	652383
Start date and time: 26/06/202209:31:10	2022-06-26 09:31:10 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	oAE7nqtsNA.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 0.3% (good quality ratio 0.2%) Quality average: 50.9% Quality standard deviation: 43.7%
HCA Information:	Successful, ratio: 94% Number of executed functions: 43 Number of non-executed functions: 27
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:32:33	API Interceptor	1x Sleep call for process: oAE7nqtsNA.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
193.122.130.0	0OZQi3b0tM.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	ZzO0LX45zz.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	FNK08uYGy6.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	MV SEA EVERGOLD.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	4vQAHpapFz.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	aercUUUX2C.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	CUSTOMER REQUEST.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Import shipment.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	854F1E97-5DBB-4A87-A566-33D9012B05E2 pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	tka30O3OZN.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	ViAKIk7T7X.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	qzzwd4Mg1N.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	4008765678900--98765.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	F96UcEk8Z9.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	t5nmFGhdVA.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Order Details.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	uc2RxH8hO7.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	gsjRXEqpy51bLEm.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	RFQ_5076414.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	0043302751 22062022 pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
checkip.dyndns.com	0OZQi3b0tM.exe	Get hash	malicious	Browse	193.122.130.0
	ZzO0LX45zz.exe	Get hash	malicious	Browse	193.122.130.0
	FNK08uYGy6.exe	Get hash	malicious	Browse	193.122.130.0
	MV CHINALAND.exe	Get hash	malicious	Browse	158.101.44.242
	Import shipment.exe	Get hash	malicious	Browse	132.226.247.73
	MV SEA EVERGOLD.exe	Get hash	malicious	Browse	193.122.130.0
	4vQAHpapFz.exe	Get hash	malicious	Browse	193.122.130.0
	SecuriteInfo.com.IL.Trojan.MSILZilla.16190.26221.exe	Get hash	malicious	Browse	193.122.6.168
	gD5LFrPtfc.exe	Get hash	malicious	Browse	132.226.247.73
	aercUUUX2C.exe	Get hash	malicious	Browse	193.122.130.0
	vSgQo7dqYG.exe	Get hash	malicious	Browse	158.101.44.242
	MV CHINALAND.exe	Get hash	malicious	Browse	132.226.8.169
	22017_TIEM2 - RFQ.exe	Get hash	malicious	Browse	158.101.44.242
	CUSTOMER REQUEST.exe	Get hash	malicious	Browse	193.122.130.0
	Import shipment.exe	Get hash	malicious	Browse	193.122.130.0
	854F1E97-5DBB-4A87-A566-33D9012B05E2 pdf.exe	Get hash	malicious	Browse	193.122.130.0
	tka30O3OZN.exe	Get hash	malicious	Browse	193.122.130.0
	MV SEA EVERGOLD.exe	Get hash	malicious	Browse	132.226.247.73
	Docume001.exe	Get hash	malicious	Browse	132.226.8.169
	ViAKIk7T7X.exe	Get hash	malicious	Browse	193.122.130.0

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ORACLE-BMC-31898US	0OZQi3b0tM.exe	Get hash	malicious	Browse	193.122.130.0
	ZzO0LX45zz.exe	Get hash	malicious	Browse	193.122.130.0
	FNK08uYGy6.exe	Get hash	malicious	Browse	193.122.130.0
	MV CHINALAND.exe	Get hash	malicious	Browse	158.101.44.242
	MV SEA EVERGOLD.exe	Get hash	malicious	Browse	193.122.130.0
	4vQAHpapFz.exe	Get hash	malicious	Browse	193.122.130.0
	SecuriteInfo.com.IL.Trojan.MSILZilla.16190.26221.exe	Get hash	malicious	Browse	193.122.6.168
	aercUUUX2C.exe	Get hash	malicious	Browse	193.122.130.0
	vSgQo7dqYG.exe	Get hash	malicious	Browse	158.101.44.242
	22017_TIEM2 - RFQ.exe	Get hash	malicious	Browse	158.101.44.242
	CUSTOMER REQUEST.exe	Get hash	malicious	Browse	193.122.130.0
	Import shipment.exe	Get hash	malicious	Browse	193.122.130.0
	854F1E97-5DBB-4A87-A566-33D9012B05E2 pdf.exe	Get hash	malicious	Browse	193.122.130.0
	tka30O3OZN.exe	Get hash	malicious	Browse	193.122.130.0
	ViAKIk7T7X.exe	Get hash	malicious	Browse	193.122.130.0
	qzzwd4Mg1N.exe	Get hash	malicious	Browse	193.122.130.0
	4008765678900--98765.exe	Get hash	malicious	Browse	193.122.130.0
	https://wallpaperaccess.com/miami-night	Get hash	malicious	Browse	150.136.25.38
	b8sqHJocuX.exe	Get hash	malicious	Browse	193.122.6.168
	report.exe	Get hash	malicious	Browse	193.122.6.168

Process:	C:\Users\user\Desktop\oAE7nqtsNA.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.8910721031299795
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	oAE7nqtsNA.exe
File size:	539136
MD5:	0f20f2a0d366d09d7f9775220f024638
SHA1:	e838dc5484de4f2bc6d43290e8e2e860f32182de
SHA256:	c5d4a26f1de9008689bf4ecf2eebd6c860282f32db70d982f5281c4630fb4cac
SHA512:	dea80ff93a97c82cc8d8e84e1cb3ccc7bec651d1fe30d168c8fb466ec1e15647f11ff14fffeabf269a1b80f1610df28355dbbb5494585455757fd8963d47061e
SSDEEP:	12288:hDK3rT/keuQ94+66h1FNHXOEo0ItTvbs8FK05gY/:hDKbnhh1FFOEetPs8
TLSH:	04B4D09D322472EFC857D076DEA82C78AB60347B531B8213941325EE9A5DA97CF214F3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t.U...............0..2...........Q... ...`....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x48511e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xD255CC74 [Tue Oct 28 00:51:00 2081 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x850cc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x86000	0x398	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x88000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x83124	0x83200	False	0.920081997735939	data	7.8977969416018095	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x86000	0x398	0x400	False	0.37890625	data	2.9056920095509953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x88000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x86058	0x33c	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 26, 2022 09:32:49.748342991 CEST	49769	80	192.168.2.6	193.122.130.0
Jun 26, 2022 09:32:49.860111952 CEST	80	49769	193.122.130.0	192.168.2.6
Jun 26, 2022 09:32:49.861855030 CEST	49769	80	192.168.2.6	193.122.130.0
Jun 26, 2022 09:32:49.865596056 CEST	49769	80	192.168.2.6	193.122.130.0
Jun 26, 2022 09:32:49.977227926 CEST	80	49769	193.122.130.0	192.168.2.6
Jun 26, 2022 09:32:49.977797985 CEST	80	49769	193.122.130.0	192.168.2.6
Jun 26, 2022 09:32:50.085800886 CEST	49769	80	192.168.2.6	193.122.130.0
Jun 26, 2022 09:33:54.977902889 CEST	80	49769	193.122.130.0	192.168.2.6
Jun 26, 2022 09:33:54.981185913 CEST	49769	80	192.168.2.6	193.122.130.0
Jun 26, 2022 09:34:30.021599054 CEST	49769	80	192.168.2.6	193.122.130.0
Jun 26, 2022 09:34:30.133021116 CEST	80	49769	193.122.130.0	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 26, 2022 09:32:49.640799046 CEST	51748	53	192.168.2.6	8.8.8.8
Jun 26, 2022 09:32:49.662122011 CEST	53	51748	8.8.8.8	192.168.2.6
Jun 26, 2022 09:32:49.690249920 CEST	61116	53	192.168.2.6	8.8.8.8
Jun 26, 2022 09:32:49.711349010 CEST	53	61116	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 26, 2022 09:32:49.640799046 CEST	192.168.2.6	8.8.8.8	0x372b	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)
Jun 26, 2022 09:32:49.690249920 CEST	192.168.2.6	8.8.8.8	0x7319	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 26, 2022 09:32:49.662122011 CEST	8.8.8.8	192.168.2.6	0x372b	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)
Jun 26, 2022 09:32:49.662122011 CEST	8.8.8.8	192.168.2.6	0x372b	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)
Jun 26, 2022 09:32:49.662122011 CEST	8.8.8.8	192.168.2.6	0x372b	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)
Jun 26, 2022 09:32:49.662122011 CEST	8.8.8.8	192.168.2.6	0x372b	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)
Jun 26, 2022 09:32:49.662122011 CEST	8.8.8.8	192.168.2.6	0x372b	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)
Jun 26, 2022 09:32:49.662122011 CEST	8.8.8.8	192.168.2.6	0x372b	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)
Jun 26, 2022 09:32:49.711349010 CEST	8.8.8.8	192.168.2.6	0x7319	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)
Jun 26, 2022 09:32:49.711349010 CEST	8.8.8.8	192.168.2.6	0x7319	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)
Jun 26, 2022 09:32:49.711349010 CEST	8.8.8.8	192.168.2.6	0x7319	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)
Jun 26, 2022 09:32:49.711349010 CEST	8.8.8.8	192.168.2.6	0x7319	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)
Jun 26, 2022 09:32:49.711349010 CEST	8.8.8.8	192.168.2.6	0x7319	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)
Jun 26, 2022 09:32:49.711349010 CEST	8.8.8.8	192.168.2.6	0x7319	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49769	193.122.130.0	80	C:\Users\user\Desktop\oAE7nqtsNA.exe

Timestamp	kBytes transferred	Direction	Data
Jun 26, 2022 09:32:49.865596056 CEST	1086	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jun 26, 2022 09:32:49.977797985 CEST	1086	IN	HTTP/1.1 200 OK Date: Sun, 26 Jun 2022 07:32:49 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 34 33 2e 36 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.143.61</body></html>

Target ID:	0
Start time:	09:32:19
Start date:	26/06/2022
Path:	C:\Users\user\Desktop\oAE7nqtsNA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\oAE7nqtsNA.exe"
Imagebase:	0xe30000
File size:	539136 bytes
MD5 hash:	0F20F2A0D366D09D7F9775220F024638
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.417015473.000000000331A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.419701815.0000000004E4F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.419701815.0000000004E4F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.419701815.0000000004E4F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.419701815.0000000004E4F000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low

Show Windows behavior

Target ID:	5
Start time:	09:32:40
Start date:	26/06/2022
Path:	C:\Users\user\Desktop\oAE7nqtsNA.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\oAE7nqtsNA.exe
Imagebase:	0xe60000
File size:	539136 bytes
MD5 hash:	0F20F2A0D366D09D7F9775220F024638
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000000.410485061.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000000.410485061.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000000.410485061.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000005.00000000.410485061.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.632442217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.632442217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.632442217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000005.00000002.632442217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000000.411281858.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000000.411281858.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000000.411281858.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000005.00000000.411281858.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000000.410840955.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000000.410840955.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000000.410840955.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000005.00000000.410840955.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000000.411712452.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000000.411712452.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000000.411712452.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000005.00000000.411712452.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	12.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	83
Total number of Limit Nodes:	3

Executed Functions

Function 015C17A0 Relevance: .5, Instructions: 506
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.416184850.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15c0000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a075b27652e507f021d74579fb69103df5fff661b2c207cb7b7ae555c2cecb
Instruction ID: aba16c246c5526848a5d8c965bfcc0276ce4543eeca886b9f62fcd1f528256a4
Opcode Fuzzy Hash: a1a075b27652e507f021d74579fb69103df5fff661b2c207cb7b7ae555c2cecb
Instruction Fuzzy Hash: 9E428074E01219CFDB24CFA9D984B9DBBF2BF48310F1581A9E819AB355D730AA85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 015C0478 Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.416184850.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15c0000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1884e2819601062ae0c5d9023319daf5c005dbc84448d6f85755667b40adc7c
Instruction ID: 1f1f1cc84fcbe352177e4f5462d1801480e3f48bf2788cea238cef45ef522bb5
Opcode Fuzzy Hash: f1884e2819601062ae0c5d9023319daf5c005dbc84448d6f85755667b40adc7c
Instruction Fuzzy Hash: 2332F174A04219CFDB50CFA9CA80A8EFBF2BF49655F15C199D548AB261CB30DD81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 09E60448 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.423577568.0000000009E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E50000, based on PE: true

Associated: 00000000.00000002.423555614.0000000009E50000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e50000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a1eaab567d74dfbe6c892c8c36eaa092e7d6302607b4f08a4f731a50f27293f
Instruction ID: 6bad1504ea0295ab11ff1cf56f48ae844f5ba91a51bff559a3393d111f439def
Opcode Fuzzy Hash: 8a1eaab567d74dfbe6c892c8c36eaa092e7d6302607b4f08a4f731a50f27293f
Instruction Fuzzy Hash: E8B11731B402159FDB64DFB1C85A7BE76A2ABC4792F158139E9079B390CBB4DC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 09E63188 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.423577568.0000000009E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E50000, based on PE: true

Associated: 00000000.00000002.423555614.0000000009E50000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e50000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74d50eea6413d62c4c049b4319bf32d0e26696ba8d109fc16e33aaa6cf928cb0
Instruction ID: 655fa5f544e1c6213570e9b5d12519a7ea89a178d35301976426060999f60757
Opcode Fuzzy Hash: 74d50eea6413d62c4c049b4319bf32d0e26696ba8d109fc16e33aaa6cf928cb0
Instruction Fuzzy Hash: 6A51F530B89241CFD7148FA988066A9BBB1BF8A3D5F15B06BE516CF2A5C734CC45C792

Uniqueness

Uniqueness Score: -1.00%

Function 015C1790 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.416184850.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15c0000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73366631bdc45d360d501e6c09b3855aeae0e5c216a6dc6270abb9a0ef3a5dab
Instruction ID: 85a0e2fed5cf3aa5ac32f08c1fc3a6b27425031343c227ca58b239a6c10d1e9f
Opcode Fuzzy Hash: 73366631bdc45d360d501e6c09b3855aeae0e5c216a6dc6270abb9a0ef3a5dab
Instruction Fuzzy Hash: FD61C274E01618CFDB28CFAAD984B9DBBF2BF88300F1581AAD819AB355D7349945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 015C0468 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.416184850.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15c0000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e69b8befcaef68113c713f7a37757c700e331b3c579ead542266a29f402a0605
Instruction ID: 1b97147cc26f9e7019a3b52fc8f6cbf44725243168e16ef225ce285d96c1e320
Opcode Fuzzy Hash: e69b8befcaef68113c713f7a37757c700e331b3c579ead542266a29f402a0605
Instruction Fuzzy Hash: 13510975E00619CFDB58CFAAD841B9EBBB2BFC9204F00C0AAD51CAB254DB345A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 015CBF80 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 015CC1D6

Strings

;, xrefs: 015CC18F

Memory Dump Source

Source File: 00000000.00000002.416184850.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15c0000_oAE7nqtsNA.jbxd

Similarity

API ID: HandleModule
String ID: ;
API String ID: 4139908857-1661535913
Opcode ID: b75cdd520ff49b5f6b34270cca4a6f6f2bdb3f1e369f2f5c3cde5b0798f627e6
Instruction ID: bb3b98bcf0409202ebca8dc73f59779b406c1cd5f7150dedcbc61275146bd3c3
Opcode Fuzzy Hash: b75cdd520ff49b5f6b34270cca4a6f6f2bdb3f1e369f2f5c3cde5b0798f627e6
Instruction Fuzzy Hash: B88154B0A00B068FD724CF6AD44579ABBF1BF89614F008A2ED58ADBA50D775E805CF91

Uniqueness

Uniqueness Score: -1.00%

Function 015CE4AB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,015CE476,?,?,?,?,?), ref: 015CE537

Strings

;, xrefs: 015CE4CF

Memory Dump Source

Source File: 00000000.00000002.416184850.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15c0000_oAE7nqtsNA.jbxd

Similarity

API ID: DuplicateHandle
String ID: ;
API String ID: 3793708945-1661535913
Opcode ID: 60fd57a83d03a226b8dc1676876073b5a3966b9f4ce17b619ec1664d298c10da
Instruction ID: 66b8fb0481e2504307558a6e9f610cb42269194b4a675c834a782929e7701e61
Opcode Fuzzy Hash: 60fd57a83d03a226b8dc1676876073b5a3966b9f4ce17b619ec1664d298c10da
Instruction Fuzzy Hash: FD21E6B59002089FDB10CFA9E585ADEBFF4FB48324F14841AE914A7750D374A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015CD69C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,015CE476,?,?,?,?,?), ref: 015CE537

Strings

;, xrefs: 015CE4CF

Memory Dump Source

Source File: 00000000.00000002.416184850.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15c0000_oAE7nqtsNA.jbxd

Similarity

API ID: DuplicateHandle
String ID: ;
API String ID: 3793708945-1661535913
Opcode ID: 90cc4932fb50f8d8eab6ba5d8d6eeccda71b3d6791ca17561b9be4068ecdb041
Instruction ID: cf405b5f4d2a80939fc6e11cacc9f3841a9bfc5e18a2d50e79333feb6929ef30
Opcode Fuzzy Hash: 90cc4932fb50f8d8eab6ba5d8d6eeccda71b3d6791ca17561b9be4068ecdb041
Instruction Fuzzy Hash: 3321E3B5900208EFDB10CFA9D985AEEBFF4FB48324F14841AE914A7350D378A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 015CC3F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,015CC251,00000800,00000000,00000000), ref: 015CC462

Strings

;, xrefs: 015CC417

Memory Dump Source

Source File: 00000000.00000002.416184850.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15c0000_oAE7nqtsNA.jbxd

Similarity

API ID: LibraryLoad
String ID: ;
API String ID: 1029625771-1661535913
Opcode ID: d232ef3683c639efd17c02e196aec6565e98bd74f7096b7f7990fb423cfb6086
Instruction ID: cca0ae47ed7196fa0c3a86f9659a26ffe28212ff50adf613a8246cab85c08475
Opcode Fuzzy Hash: d232ef3683c639efd17c02e196aec6565e98bd74f7096b7f7990fb423cfb6086
Instruction Fuzzy Hash: D22147B29002098FDB10CFA9C484BDEFBF4FB49724F14851ED519A7640C3749545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015CBA20 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,015CC251,00000800,00000000,00000000), ref: 015CC462

Strings

;, xrefs: 015CC417

Memory Dump Source

Source File: 00000000.00000002.416184850.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15c0000_oAE7nqtsNA.jbxd

Similarity

API ID: LibraryLoad
String ID: ;
API String ID: 1029625771-1661535913
Opcode ID: ec3cc3ddbd29d11e1bd18df7d07d251238290aec1c716e9696b11cf2336d5486
Instruction ID: 6f0be0a3c9363b3c8fd257abab6d661307ea4adc24a652625ad4e9d5c20a6aca
Opcode Fuzzy Hash: ec3cc3ddbd29d11e1bd18df7d07d251238290aec1c716e9696b11cf2336d5486
Instruction Fuzzy Hash: AB1106B69002099FDB10CF9AD484BEEFBF4EB98724F14842ED519A7600C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015CAA97 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 015CAAFD

Strings

;, xrefs: 015CAAAF

Memory Dump Source

Source File: 00000000.00000002.416184850.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15c0000_oAE7nqtsNA.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: ;
API String ID: 2492992576-1661535913
Opcode ID: e97d76ecfd9fe8a9c7e998f423f8a02021ce82f7ba0ae74a465ee33391d9de5f
Instruction ID: 4ee95448a7bd601b536fa123551ae0af547917b3f98e5944ea93a40037b1715d
Opcode Fuzzy Hash: e97d76ecfd9fe8a9c7e998f423f8a02021ce82f7ba0ae74a465ee33391d9de5f
Instruction Fuzzy Hash: FD11D0B18003998EDB10DF99E5087DEBFF4EB56314F10845AD454A7641DB785644CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 015CAA98 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 015CAAFD

Strings

;, xrefs: 015CAAAF

Memory Dump Source

Source File: 00000000.00000002.416184850.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15c0000_oAE7nqtsNA.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: ;
API String ID: 2492992576-1661535913
Opcode ID: e0ed90ae76f4af591ffb8d5633cfd88ad63de31e5697e8562ffacfc4d5d0aef9
Instruction ID: 10938851fc4a79b718d4122ba46c24d257dee1f5e3cfba545fd7912568282030
Opcode Fuzzy Hash: e0ed90ae76f4af591ffb8d5633cfd88ad63de31e5697e8562ffacfc4d5d0aef9
Instruction Fuzzy Hash: 2811DDB18003998EDB10DF99E5087DEBFF4EB56324F10846AD454A7281DB789A48CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 015CC170 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 015CC1D6

Strings

;, xrefs: 015CC18F

Memory Dump Source

Source File: 00000000.00000002.416184850.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15c0000_oAE7nqtsNA.jbxd

Similarity

API ID: HandleModule
String ID: ;
API String ID: 4139908857-1661535913
Opcode ID: 4a88833a8321e1f6a5880c52ed53098e95cdc64ea3219a9d1bca5073295464e9
Instruction ID: f064481c9ea6155dd3a31133af56b90b08280dc7082726032bb5ef057cccaf48
Opcode Fuzzy Hash: 4a88833a8321e1f6a5880c52ed53098e95cdc64ea3219a9d1bca5073295464e9
Instruction Fuzzy Hash: 5311E0B6D006498FDB10CF9AD844BDEFBF4EB89724F14841AD929B7600C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 09E51515 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.423555614.0000000009E50000.00000004.08000000.00040000.00000000.sdmp, Offset: 09E50000, based on PE: true

Associated: 00000000.00000002.423577568.0000000009E60000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e50000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f18ab462e1d62c6bbd7d19377aa31a505d409f6ee43ca06bfc22e0843ca504
Instruction ID: aceedbc0df6b9e0ff7cb25a2f720c2f39c6b9dad5e8a36b0287756d8f78dd787
Opcode Fuzzy Hash: e3f18ab462e1d62c6bbd7d19377aa31a505d409f6ee43ca06bfc22e0843ca504
Instruction Fuzzy Hash: 0151256244E7D14FC7138B789CB16D07FB0AE13224B1E45CBC4C1CF0A3E269995ADB62

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: oAE7nqtsNA.exePID: 6516, Parent PID: 7108COMMON

Execution Graph

Execution Coverage:	9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	51.8%
Total number of Nodes:	56
Total number of Limit Nodes:	2

Executed Functions

Function 03025587 Relevance: 2.1, APIs: 1, Instructions: 636
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 03025635

Memory Dump Source

Source File: 00000005.00000002.633472090.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3020000_oAE7nqtsNA.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f31ab7687d756c1de6cf621196ea59801bb15fb20eb1f6ef54d872b6dd26f6c2
Instruction ID: e8ff72c69cb10a9b7c9fe9b2eafa3c2d5856073864c2d633703afca17d344e79
Opcode Fuzzy Hash: f31ab7687d756c1de6cf621196ea59801bb15fb20eb1f6ef54d872b6dd26f6c2
Instruction Fuzzy Hash: C862CC74E052298FDB64CF69C984BDDFBB2AB4A304F1481EAD409A7351EB349E81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 030283C9 Relevance: 1.8, APIs: 1, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 0302855B

Memory Dump Source

Source File: 00000005.00000002.633472090.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3020000_oAE7nqtsNA.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a42eadc1321b27d24601b1d857967b71ee415063a6bc546068f07f44b2cfc9ff
Instruction ID: f228177386e35d04a2541cbd82e8554144db681a47478f35222aca81f7d30b81
Opcode Fuzzy Hash: a42eadc1321b27d24601b1d857967b71ee415063a6bc546068f07f44b2cfc9ff
Instruction Fuzzy Hash: A1C1B074E01218CFDB64DFA5D944B9DBBB2FB89304F2080A9D809AB754DB35AE85CF14

Uniqueness

Uniqueness Score: -1.00%

Function 03026111 Relevance: 1.8, APIs: 1, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 030261EC

Memory Dump Source

Source File: 00000005.00000002.633472090.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3020000_oAE7nqtsNA.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3d56ff0f101bb06f7b6ab3cc5e9d5c8f299890000d74f34466e25b88eb0ae643
Instruction ID: 1ce3ce8a1a550932816ea84de0b539a9f8af76776f52477b5f4662376d0ab8d9
Opcode Fuzzy Hash: 3d56ff0f101bb06f7b6ab3cc5e9d5c8f299890000d74f34466e25b88eb0ae643
Instruction Fuzzy Hash: FCD1A074E01218CFDB24DFA5D944B9DBBB2FB89304F2081A9D809A7354DB39AE85CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05B9EF88 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 05B9F053

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 33857b1a7534d867078d1a482a4b86ff91e9c2396ceba40342e02b33bfff2c4b
Instruction ID: 63080c36a542c68ce0006f4ce0d0b98d984956a2d3eab120d3c709d3adf4829e
Opcode Fuzzy Hash: 33857b1a7534d867078d1a482a4b86ff91e9c2396ceba40342e02b33bfff2c4b
Instruction Fuzzy Hash: AFC1A274E00218CFDB24DFA5D944BADBBB2FB89304F2081A9D809AB354DB356D85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05B9F3E0 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 05B9F4AB

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1e5b2a9917b84e36e8c03bbacaf7e0ac3439f0d97dbc25aaaac11364b6098c46
Instruction ID: c75f0d126245dc99d9074cf1275cc6e718f2d7819cbff185e53ec1a6dc8b4102
Opcode Fuzzy Hash: 1e5b2a9917b84e36e8c03bbacaf7e0ac3439f0d97dbc25aaaac11364b6098c46
Instruction Fuzzy Hash: 89C1B174E01218CFDB24DFA5D944BADBBB2FB89314F2081A9D409AB354DB356E85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05B9EB30 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 05B9EBFB

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 221030c71b52869c90be44d85ad38d1156c6247a1a0f4afcf8c939d7d75d827c
Instruction ID: 45974c5a00da6d750167b139de827d073132a2e1ede492fe11f9ea7c500f94fe
Opcode Fuzzy Hash: 221030c71b52869c90be44d85ad38d1156c6247a1a0f4afcf8c939d7d75d827c
Instruction Fuzzy Hash: B9C1A174E01218CFDB24DFA5D944B9DBBB2FB89304F2081A9D809AB354DB35AE85CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05B9E280 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 05B9E34B

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: fcbbe7616b08de958de4bc41d92a180f5aa64a19b2425d210f4efd040c5312c8
Instruction ID: f127dd70a29f578c05f2f71f9c953a564a53b587821633778e2a0c177a955da7
Opcode Fuzzy Hash: fcbbe7616b08de958de4bc41d92a180f5aa64a19b2425d210f4efd040c5312c8
Instruction Fuzzy Hash: E7C19174E01218CFDB24DFA5D944B9DBBB2FB89304F2081A9D809AB354DB35AE85CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05B9E6D8 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 05B9E7A3

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4d2972a79d8b08088f8baf0cb5ac40430b26852851eb18168be51d768ec38b10
Instruction ID: 944b5ae8328298b2d29a3e75edb6ab3deba5d124a18047d7fed565baacde5aaa
Opcode Fuzzy Hash: 4d2972a79d8b08088f8baf0cb5ac40430b26852851eb18168be51d768ec38b10
Instruction Fuzzy Hash: 92C1A174E01218CFDB24DFA5D944B9DBBB2FB89304F2081A9D809AB354DB35AE85CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05B9F838 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 05B9F903

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 98e8e5b9b57c4fc8d5086b86111457cab41a20de01d1fffe056d6d84b2172b9b
Instruction ID: aaab5eba451473bd4ed26bb99d17e4ecc32421d53b4c56678272ba16bec4cfb1
Opcode Fuzzy Hash: 98e8e5b9b57c4fc8d5086b86111457cab41a20de01d1fffe056d6d84b2172b9b
Instruction Fuzzy Hash: 9DC1C274E00218CFDB24DFA5D944BADBBB2FB89314F2081A9D809AB354DB356E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05B9F828 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 05B9F903

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d2bbe6824c862a36d0c862f6c13d08393fa45afad722d57f1f5115d6ff6258b9
Instruction ID: c807c6c71714e7057780f5425facd907718fc3c3c91f04c9225e8c31bd3ceadb
Opcode Fuzzy Hash: d2bbe6824c862a36d0c862f6c13d08393fa45afad722d57f1f5115d6ff6258b9
Instruction Fuzzy Hash: 30410370E05209CBDF18CFAAD9446EEBBB2BF89310F20C17AC415AB258DB355946CF44

Uniqueness

Uniqueness Score: -1.00%

Function 05B9E6C8 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 05B9E7A3

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 5b80eb30b654ad1af700bdebb67b1505c9b68cf7bb686adf9ec9a898c4e7ee64
Instruction ID: 6d646fa6ba94cce74ffb4fdc7aa0a8221c6b0f4cb2c8dc947e081b66e24a3c9e
Opcode Fuzzy Hash: 5b80eb30b654ad1af700bdebb67b1505c9b68cf7bb686adf9ec9a898c4e7ee64
Instruction Fuzzy Hash: F641E270E012488BDF18CFAAD9446EDBBB2BF89304F20C179C415AB254DB359946CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05B9EF79 Relevance: 1.6, APIs: 1, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 05B9F053

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b21d7520015ead76e2c6dd7a55b1dbdd1fce03860a1f120ead58750d8afbf5ed
Instruction ID: e01a20403f42b650d244362a2d4013466a76c36956048b7509df9c9d9079d114
Opcode Fuzzy Hash: b21d7520015ead76e2c6dd7a55b1dbdd1fce03860a1f120ead58750d8afbf5ed
Instruction Fuzzy Hash: 2D41F174E052088BEF18CFAAD5446ADBBB2BF89304F24C17AC415AB254EB345946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05B9F3D0 Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05B9F4AB

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7d0b8f486340029386f48e51a35a2a147b930f1035f1fe75f8a1e42a5deb3706
Instruction ID: 6ec9f81f3a00bbf6c8855185d18c523e31609d2acbf83e5a7004225d492bbfe2
Opcode Fuzzy Hash: 7d0b8f486340029386f48e51a35a2a147b930f1035f1fe75f8a1e42a5deb3706
Instruction Fuzzy Hash: A641C174E01208CBDF18CFAAD5546EEBBB2BF89300F24D17AC419AB254DB355946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 05B9E271 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 05B9E34B

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2acf72c088487b7ae0a128dae1a5ae8b194639f9893076a270a27d187da50607
Instruction ID: aefcd62901c0cede8c2af869c306b9ed101dc7d582d72610359daf407414686c
Opcode Fuzzy Hash: 2acf72c088487b7ae0a128dae1a5ae8b194639f9893076a270a27d187da50607
Instruction Fuzzy Hash: 2641D070E052488BDF18CFAAD9446AEBBB2AB89304F24C17AC419BB254DB359946CF44

Uniqueness

Uniqueness Score: -1.00%

Function 05B9EB20 Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05B9EBFB

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8ae7dcdf0a9352c608e17ddab3b084c2291fb4ab2e7f89c8ad3d0751e7f382f4
Instruction ID: fb1454b2df0c50493cb4057db5436959ba589e7e46afa0075301a268743a22f0
Opcode Fuzzy Hash: 8ae7dcdf0a9352c608e17ddab3b084c2291fb4ab2e7f89c8ad3d0751e7f382f4
Instruction Fuzzy Hash: 9C41E070E016088BEF18CFBAD5546EEBBB2BF89300F24D17AC419AB254DB359946CF44

Uniqueness

Uniqueness Score: -1.00%

Function 0302E758 Relevance: .5, Instructions: 478COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.633472090.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3020000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc617373d6a097e259d8a7f12fcc81c27609eee661d2588ceaab68e5475ad56
Instruction ID: d588bf1e8e952b86e5e2f7c5403172727f0d2707c50b5ebb728de5cb56a7d75f
Opcode Fuzzy Hash: 0dc617373d6a097e259d8a7f12fcc81c27609eee661d2588ceaab68e5475ad56
Instruction Fuzzy Hash: 83124974E01228CFDB14DFA9C9547ADBBB2EF89304F2480A9C809AB351DB359D45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 03027196 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.633472090.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3020000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d596c5422eba24463c1af416bf6da80fe56cba2f814329cd2a3ff80d137cd8
Instruction ID: 4510821e14478e2c6379aede1fdb56d01c7e72db93cf4eb475f3855a6e2aa2cd
Opcode Fuzzy Hash: 31d596c5422eba24463c1af416bf6da80fe56cba2f814329cd2a3ff80d137cd8
Instruction Fuzzy Hash: CAE10574E01218CFDB14DFA5D944B9DBBB2FF89304F2480A9D409AB355DB35AA85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0302FB30 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.633472090.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3020000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dcd0cfb23695a7e349409eb3b7da0406f09810f3bb31f6f806b81ffa2344207
Instruction ID: 59371d2574d1f1456961436c394e7dc958be2bebf84bb9124fa4e4ebc6374f57
Opcode Fuzzy Hash: 1dcd0cfb23695a7e349409eb3b7da0406f09810f3bb31f6f806b81ffa2344207
Instruction Fuzzy Hash: 41C1CF74E01218CFDB24DFA5D954BADBBB2EF89304F2080A9D809AB354DB359E85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0302F280 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.633472090.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3020000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc72f5bb0cbfc551546f5aac8e6b13843d7e94f9b16e3c92051d0248ae9a4995
Instruction ID: 2d282c8ea735d4eaf70c1a3058be91a390341c668eaeffaf5c3fe2fae397f4a3
Opcode Fuzzy Hash: dc72f5bb0cbfc551546f5aac8e6b13843d7e94f9b16e3c92051d0248ae9a4995
Instruction Fuzzy Hash: BFD1C174E01228CFDB24DFA5D944BADBBB2FB89304F2480A9D809AB354DB355E85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0302F6D8 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.633472090.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3020000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7d9aff8147a6951fba8a6fcfb107b20115e96c2c96b520e0ba1075dc52829b9
Instruction ID: 1a16919c8da484164f5a09f09fd40678741c404bbaee899aeb90ae0348212164
Opcode Fuzzy Hash: f7d9aff8147a6951fba8a6fcfb107b20115e96c2c96b520e0ba1075dc52829b9
Instruction Fuzzy Hash: 8FC1AE74E01218CFDB24DFA5D954BADBBB2EF89304F2081A9D809AB354DB356E85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 03027B08 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.633472090.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3020000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7ae82e665f993fe4dcb35b4df225f16ed788ce283ee634cce738f6c5a54bc98
Instruction ID: 5c7a5878802b35c91baae9a17fb10ccb2140677750ea0baa43ef50f99d5c698e
Opcode Fuzzy Hash: d7ae82e665f993fe4dcb35b4df225f16ed788ce283ee634cce738f6c5a54bc98
Instruction Fuzzy Hash: 6FD1CF74E01218CFDB64DFA5D944B9DBBB2FB89304F2080A9D809AB755DB35AE85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 03027F68 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.633472090.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3020000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afa67770d0609eb6ad4219511ff762832ced304d31fa49cbb00e15749215e292
Instruction ID: 97a49d13d0df713a43bce260c246b051acc1b998716e52396262d93d05783f4f
Opcode Fuzzy Hash: afa67770d0609eb6ad4219511ff762832ced304d31fa49cbb00e15749215e292
Instruction Fuzzy Hash: 23D1C074E01218CFDB24DFA5D944B9DBBB2FB89304F2480A9D809AB354DB35AE85CF15

Uniqueness

Uniqueness Score: -1.00%

Function 0302EE28 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.633472090.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3020000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68efcd6426bcd1378b4d7daae1be5f9a7e0212a6e8a58c94c878944a55df95db
Instruction ID: b14cc9792a19b0949599399e32d7222a582203fe808b9b2f227ad470209b313f
Opcode Fuzzy Hash: 68efcd6426bcd1378b4d7daae1be5f9a7e0212a6e8a58c94c878944a55df95db
Instruction Fuzzy Hash: 96C1BF74E01218CFDB24DFA5D984BADBBB2EB89304F2481A9D809AB354DB355E85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 030276A8 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.633472090.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3020000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e05e92cf5aaedf2fa074e023bcd930e2f45fdb7efc7f0bc471dc2846b3f18133
Instruction ID: 797101ad8e81b564e2262c851be90926331a46f55bab7bad19c870e7c47f868d
Opcode Fuzzy Hash: e05e92cf5aaedf2fa074e023bcd930e2f45fdb7efc7f0bc471dc2846b3f18133
Instruction Fuzzy Hash: E3C1BE74E01218CFDB24DFA5D944B9DBBB2FB89304F2081A9D809AB355DB35AE85CF14

Uniqueness

Uniqueness Score: -1.00%

Function 030266E8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.633472090.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3020000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79c529352f71ec400a9fd83e3f92d7f00c5b93ec93240084657a76e63b753bf3
Instruction ID: 08e6cd7d1b2cc4c9902fcd5bc2eca34bce253aa3b154ba5e2ca7fcc05e60fee0
Opcode Fuzzy Hash: 79c529352f71ec400a9fd83e3f92d7f00c5b93ec93240084657a76e63b753bf3
Instruction Fuzzy Hash: E8A11270A01218CFEB10DFA9C588BDDBBB1FF89304F248269E509AB291DB759984CF55

Uniqueness

Uniqueness Score: -1.00%

Function 030266F8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.633472090.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3020000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a84476966f0e8080f5753e08562038fd94c565514dff942f51ff1350f1e6e82a
Instruction ID: 1e12ee7e43214d004031b25711f603db2026049d4904f402834fae4c15c091fe
Opcode Fuzzy Hash: a84476966f0e8080f5753e08562038fd94c565514dff942f51ff1350f1e6e82a
Instruction Fuzzy Hash: 54A12370E01218CFEB10DFA9C948BDDBBB1FF89304F248269D509AB291DB759984CF55

Uniqueness

Uniqueness Score: -1.00%

Function 03026A3E Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.633472090.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3020000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c75f9e948cdb0eab96bd4ed12d11e15523ed571eb3f1db3016d81f479a660a95
Instruction ID: 23466040b7add0c96f9fa1959a0c74a83bb337b0dcd2e45ab8ef5f0b12fa08e7
Opcode Fuzzy Hash: c75f9e948cdb0eab96bd4ed12d11e15523ed571eb3f1db3016d81f479a660a95
Instruction Fuzzy Hash: 48911470E01218CFEB10DFA8C588BDDBBB1FF49314F2482A9E409AB291DB759985CF15

Uniqueness

Uniqueness Score: -1.00%

Function 03023450 Relevance: 1.7, APIs: 1, Instructions: 248
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 03023506

Memory Dump Source

Source File: 00000005.00000002.633472090.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3020000_oAE7nqtsNA.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b18d6c62904bfe55a7a76aadb51aec62eb01178e47367e603181595ba70bfff8
Instruction ID: 2591d6e2ffc54107e9bcd84a0424f60acebdd3938f0e1086036fb570618f6383
Opcode Fuzzy Hash: b18d6c62904bfe55a7a76aadb51aec62eb01178e47367e603181595ba70bfff8
Instruction Fuzzy Hash: 8D917031666243CFC304BB24A2AC4BABF75FF9B753741AC55E01A9981DAB7D148ACF10

Uniqueness

Uniqueness Score: -1.00%

Function 03023460 Relevance: 1.7, APIs: 1, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 03023506

Memory Dump Source

Source File: 00000005.00000002.633472090.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3020000_oAE7nqtsNA.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: dc606f7518012236e6469b2e565d9ea4680694a281066e9784935e8f4efe8a63
Instruction ID: 6926e996312fbdc14f4bf13e881b12368d16111b6e58fa747c1e6b1b87d1a291
Opcode Fuzzy Hash: dc606f7518012236e6469b2e565d9ea4680694a281066e9784935e8f4efe8a63
Instruction Fuzzy Hash: 1C51EF30676342DFC2107B60E6AC93EBFB5FB4F353B82AC10A51E958099B78504ADF60

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 03024AA8 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.633472090.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3020000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7eb657dd93a487a1b408308a5cee1605f67fec33ea92fcc769cf0e1f22a9284
Instruction ID: a2878ac0a006bd6db7bda24499fb7576a196c610073b57111b2c35a3b100428c
Opcode Fuzzy Hash: c7eb657dd93a487a1b408308a5cee1605f67fec33ea92fcc769cf0e1f22a9284
Instruction Fuzzy Hash: E852BB74E01228CFDB64CF69C984BADBBB2BB89304F1081E9D509AB354DB359E85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 05B97198 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef7951f33e5622556c0994af687e0060bbe6e163ea9094f59db4c399f5c9fc5f
Instruction ID: 87dc53f246257a5ffd484db2a6463a84d559789cfdce41dea6f3da52d387a720
Opcode Fuzzy Hash: ef7951f33e5622556c0994af687e0060bbe6e163ea9094f59db4c399f5c9fc5f
Instruction Fuzzy Hash: 88C1A174E00218CFDB28DFA5D944B9DBBB2FB89304F2081A9D809AB354DB356E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05B95788 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acd3d4bfa0f3b050feac9e78cc393dd7ff76445f68e1d544616b13c34a027b0c
Instruction ID: 7c1a45e60e10011081fd6b68e0acdfdaae93316a2f79c3a826c0c90adc291b95
Opcode Fuzzy Hash: acd3d4bfa0f3b050feac9e78cc393dd7ff76445f68e1d544616b13c34a027b0c
Instruction Fuzzy Hash: BEC19074E01218CFDB24DFA5D944BADBBB2FF89304F2081A9D809AB354DB356A85CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05B975F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb1f20f1dc80382b87ab269a6a42c2d1bf0f9df31d48bfe7e43c58cb5b232ce
Instruction ID: 1c0f1f06d71f8b87660d715aeb06676fbdfaf3f9aa41845ae62c734dd43c22d8
Opcode Fuzzy Hash: cdb1f20f1dc80382b87ab269a6a42c2d1bf0f9df31d48bfe7e43c58cb5b232ce
Instruction Fuzzy Hash: 91C1B174E01218DFDB24DFA5D944BADBBB2FB89304F2081A9D809AB354DB356E85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05B95BE0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 628cb6065d3bc8fbc1068ae74f51d50fb942eafd543d83cf2de62271ca370468
Instruction ID: f095d79c2a9d578fd4cb4a9081e98c67c7891caa6351f9bfec1275e0668f4303
Opcode Fuzzy Hash: 628cb6065d3bc8fbc1068ae74f51d50fb942eafd543d83cf2de62271ca370468
Instruction Fuzzy Hash: 80C1A074E01218CFDB28DFA5D944B9DBBB2EF89304F2081A9D809AB354DB356A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05B941D0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 138dd9b4ae34687460e5e5288b36ceeec6398bb901835d486bdec556fcefe1bf
Instruction ID: 6c4f61c4f36eec33fc90759e2bf119067ad6ced968ecf03671e75f67cd02a738
Opcode Fuzzy Hash: 138dd9b4ae34687460e5e5288b36ceeec6398bb901835d486bdec556fcefe1bf
Instruction Fuzzy Hash: B3C19174E01218CFDB28DFA5D944B9DBBB2FB89304F2081A9D809AB354DB356E85CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05B95330 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce83187a1796a75a3d44df81af9e27fe71142206ef621fe5ea67e71ecf2c557e
Instruction ID: ea3e880bde53ba742b8ba1b956ec310d655fe0caab44aade274e25c7835b9945
Opcode Fuzzy Hash: ce83187a1796a75a3d44df81af9e27fe71142206ef621fe5ea67e71ecf2c557e
Instruction Fuzzy Hash: 56C1A074E01218CFDB28DFA5D944B9DBBB2EF89304F2081A9D809AB354DB356E85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05B93920 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93e8c12c97d646d993e1e2d7cc2514a5d114a904327c68c7a15ce1ef3feeec9e
Instruction ID: 3ad66be2a7da5d69df5272d16b176dee9cc8c7aefcbd8098fa503ff1b34e5e02
Opcode Fuzzy Hash: 93e8c12c97d646d993e1e2d7cc2514a5d114a904327c68c7a15ce1ef3feeec9e
Instruction Fuzzy Hash: 99C1A174E00218CFDB28DFA5D954B9DBBB2EB89304F2081A9D809AB354DB356E85CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05B93D78 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb349af87b47e50b64917d58f82957cdaa74a1df1c6f26bb32602d770d083227
Instruction ID: a915a0c061b93cdd287c432dc07b940f32cd0839c173a2eb966dabdbe0e886d3
Opcode Fuzzy Hash: bb349af87b47e50b64917d58f82957cdaa74a1df1c6f26bb32602d770d083227
Instruction Fuzzy Hash: F9C1A074E01218CFDB28DFA5D944B9DBBB2FB89304F2081A9D809AB354DB356E85CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05B98750 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e08a7cf33a5d20c5149c341986d0d02ed1eb01e45628beccf449df135fd78071
Instruction ID: af18e60e0e6ccd9bc138288916294a13273179134a6227193c2d911af010bcc8
Opcode Fuzzy Hash: e08a7cf33a5d20c5149c341986d0d02ed1eb01e45628beccf449df135fd78071
Instruction Fuzzy Hash: 35C1A174E01218CFDB28DFA5D944BADBBB2FB89304F2081A9D409AB354DB356E85CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05B96D40 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20961a6cd6fd29d56aaceda8f8e72f77c21ed555979934701ec5623a9eba6d04
Instruction ID: 4f36068a5ed742767cce94e422d50fe5c6b5502149327fbfcdcf5321cdcf9e51
Opcode Fuzzy Hash: 20961a6cd6fd29d56aaceda8f8e72f77c21ed555979934701ec5623a9eba6d04
Instruction Fuzzy Hash: 99C1A074E01218CFDB28DFA5D944B9DBBB2FB89304F2081A9D809AB354DB356E85CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05B97EA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 753e6dca810319b48aa2806d0a6f2172631fcef6fb50c597ffcecf672224b82c
Instruction ID: 521cbe51522c434cde1130563d15105af9af56b7d4bcbbbaada848d7a714b395
Opcode Fuzzy Hash: 753e6dca810319b48aa2806d0a6f2172631fcef6fb50c597ffcecf672224b82c
Instruction Fuzzy Hash: 2FC1B174E00218CFDB28DFA5D944BADBBB2FB89304F2081A9D809AB354DB356D85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05B96490 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4024e39d701855328df1c9066ff3fd1214f8ca98bead91fb9aab3d3d209173eb
Instruction ID: 3a84944268f1ee64eb631a4cf71b4746d9cfb24b4eaaa4c09746ad9cef3c2795
Opcode Fuzzy Hash: 4024e39d701855328df1c9066ff3fd1214f8ca98bead91fb9aab3d3d209173eb
Instruction Fuzzy Hash: F9C1A274E01218CFDB28DFA5D954BADBBB2FB89304F2081A9D409AB354DB356E85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05B94A80 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be849f4d74c979414410d9b6d67c725d009338b2d91262aa175598b0aaf461ec
Instruction ID: 39068e573a953d9679069ff54f34268cf709c7feabcceb1e898867342f60a085
Opcode Fuzzy Hash: be849f4d74c979414410d9b6d67c725d009338b2d91262aa175598b0aaf461ec
Instruction Fuzzy Hash: 2EC1A274E01218CFDB28DFA5D944B9DBBB2FB89304F2081A9D809AB354DB356E85CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05B982F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36398857aa61ca75b43f93d410c8d425964b8d6bbfbc3b86e844f8a39fe5cb3e
Instruction ID: 125bbbce76c7825c6f13ee16bcfdb6d4236bac387c1e2e17e6311acd1aee06a3
Opcode Fuzzy Hash: 36398857aa61ca75b43f93d410c8d425964b8d6bbfbc3b86e844f8a39fe5cb3e
Instruction Fuzzy Hash: 6CC1A174E01218CFDB24DFA5D944B9DBBB2FB89304F2081A9D809AB354DB356E85CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05B968E8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20aa5fe8d0a2bd6c142b96db6c92c1ef938237af835d9c69c3ecb57249df97db
Instruction ID: 7bfb01c159890ecc71d6452ba2565fad9436a29383dae9cbae37532e4ec885d9
Opcode Fuzzy Hash: 20aa5fe8d0a2bd6c142b96db6c92c1ef938237af835d9c69c3ecb57249df97db
Instruction Fuzzy Hash: 78C1A174E01218CFDB28DFA5D944B9DBBB2FB89304F2081A9D809AB354DB356E85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05B94ED8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdfbd3a30432c3a95e5e18c2cf13229b4f2cb4f2bff189779ba3537144540473
Instruction ID: fe8a268fe40f74a6a1ee956e3f6af2bc834f31ab1f875aa78e4fb0e816685af4
Opcode Fuzzy Hash: fdfbd3a30432c3a95e5e18c2cf13229b4f2cb4f2bff189779ba3537144540473
Instruction Fuzzy Hash: 51C19F74E01218CFDB28DFA5D944B9DBBB2FF89304F2081A9D809AB354DB356A85CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05B934C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed992f49f6a3f821176b31d0f158ddee61d47f213c4c966a97d92d514a22a7d4
Instruction ID: 6e67f4545f5ae581a148d418b624d8feab5c8ec94e4445541a58e83d6289ed1c
Opcode Fuzzy Hash: ed992f49f6a3f821176b31d0f158ddee61d47f213c4c966a97d92d514a22a7d4
Instruction Fuzzy Hash: E6C1B274E01218DFDB24DFA5D944BADBBB2FB89304F2081A9D809AB354DB356E85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05B96038 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 875c6381a7ea5fed11f2a6987602bff94c0eb9d55f7f0aa15c31e6535895fac5
Instruction ID: 54c61d6b8daa35e1ab56c4c25e1b89577a905f0f089e291b61959355833abdc4
Opcode Fuzzy Hash: 875c6381a7ea5fed11f2a6987602bff94c0eb9d55f7f0aa15c31e6535895fac5
Instruction Fuzzy Hash: 61C1A174E01218CFDB28DFA5D944B9DBBB2FB89304F2081A9D809AB354DB356E85CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05B94628 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24d398781568d39954ab1ce3cc51f5aea5ffaac5fce38be01860f9321a7e1b7b
Instruction ID: 8c798fce135f7ee096b396247991ebde1757787a6a6107bc8f928754bb6ef45e
Opcode Fuzzy Hash: 24d398781568d39954ab1ce3cc51f5aea5ffaac5fce38be01860f9321a7e1b7b
Instruction Fuzzy Hash: A0C1A174E01218CFDB28DFA5D944BADBBB2FB89304F2081A9D409AB354DB356E85CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05B9DE00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 207f1cd702e130895b1ad7bbf5451dd06d04fea29193c6ecd8a523128fb6119c
Instruction ID: 82cbd78853da889120d45ff1d0012a1be71dbaed5a61083403eb486cebea4e97
Opcode Fuzzy Hash: 207f1cd702e130895b1ad7bbf5451dd06d04fea29193c6ecd8a523128fb6119c
Instruction Fuzzy Hash: BAC1A274E01218CFDB24DFA5D944B9DBBB2FB89304F2081A9D809AB354DB35AE85CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05B93070 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 003bb9fb92b3063c2a136de8cba4d2c5aa4f82e3fd451c77df4ca90b1f2b95d5
Instruction ID: 969a8aa5fb91dcce9fc50b68278bc548f374ef186ea213a4e074ced886d3f28c
Opcode Fuzzy Hash: 003bb9fb92b3063c2a136de8cba4d2c5aa4f82e3fd451c77df4ca90b1f2b95d5
Instruction Fuzzy Hash: CCC1B174E01218CFDB24DFA5D944BADBBB2FB89304F2081A9D809AB354DB356E85CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05B97A48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caa2af1fa046756041193371acd357434e5ac67df26b34f94bf35e74b150ba9a
Instruction ID: 580f7f1954adeae504f0ae28e23e8be52b59bdf4c698b9f3b6dccaec740112ea
Opcode Fuzzy Hash: caa2af1fa046756041193371acd357434e5ac67df26b34f94bf35e74b150ba9a
Instruction Fuzzy Hash: 16C1B174E00218CFDB28DFA5D944B9DBBB2FB89304F2081A9D809AB354DB356E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05B9C020 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b198947d4c8b201ecdbadbee326808976ce34187a7c0a2d962efe9ddb29408
Instruction ID: 1f955202e3a214d7a043d552f6944c1ffec86b512090627cab29abc1595e7451
Opcode Fuzzy Hash: 43b198947d4c8b201ecdbadbee326808976ce34187a7c0a2d962efe9ddb29408
Instruction Fuzzy Hash: 9CB19274E00218CFDB54DFA9D984A9DBBB2FF89314F2481A9D819AB365DB34AD41CF10

Uniqueness

Uniqueness Score: -1.00%

Function 05B9C00F Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b70bcf3bf3de0664179eb30feed13d59a99f7597534c477d29074e3791a73e06
Instruction ID: b65866639a2e53866acacd5f7e676295d045a2e0f1258076e1b92eb6626e2f2b
Opcode Fuzzy Hash: b70bcf3bf3de0664179eb30feed13d59a99f7597534c477d29074e3791a73e06
Instruction Fuzzy Hash: 8C518674E04608CFDB08DFAAD584A9DBBF2FF89300F248169D419AB365DB34A942CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05B9C336 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.634508467.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b90000_oAE7nqtsNA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3175626daabaaa3cfb2411a65e7f0d6bd148dcc54c915b473b1625d4dfd737
Instruction ID: 12311957a9072c659f0d84a2477da72dae2738f55bba8e98bbc35186541471dd
Opcode Fuzzy Hash: da3175626daabaaa3cfb2411a65e7f0d6bd148dcc54c915b473b1625d4dfd737
Instruction Fuzzy Hash: 5ED05E38D0936C8ACF10DF54D9403EEB772BB82200F0020E5800CB7210C7305E048F46

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report oAE7nqtsNA.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oAE7nqtsNA.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Windows Analysis Report
oAE7nqtsNA.exe

Function 015C17A0 Relevance: .5, Instructions: 506
COMMON

Function 015CBF80 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 201
COMMON

Function 015CE4AB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
COMMON

Function 015CD69C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Function 015CC3F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
libraryCOMMON

Function 015CBA20 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
libraryCOMMON

Function 015CAA97 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
COMMON

Function 015CAA98 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Function 015CC170 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Function 03025587 Relevance: 2.1, APIs: 1, Instructions: 636
libraryCOMMON

Function 030283C9 Relevance: 1.8, APIs: 1, Instructions: 274
COMMON

Function 03026111 Relevance: 1.8, APIs: 1, Instructions: 274
COMMON

Function 05B9EF88 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Function 05B9F3E0 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Function 05B9EB30 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Function 05B9E280 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Function 05B9E6D8 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Function 05B9F838 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Function 05B9F828 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Function 05B9E6C8 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre