Edit tour

Windows Analysis Report
SecuriteInfo.com.Variant.Lazy.207585.14889.25639

Overview

General Information

Sample Name:	SecuriteInfo.com.Variant.Lazy.207585.14889.25639 (renamed file extension from 25639 to exe)
Analysis ID:	680333
MD5:	62a5493cbeda91c0d3b7593bb0a00424
SHA1:	9e6941500fbb55c643ce5e59e3bd86e114f4a73d
SHA256:	60383046971044bc8d25ec8a3cc0bf559dca620af2b978d2cd7f5c35363c44c5
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Modifies the hosts file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Yara detected Credential Stealer

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Variant.Lazy.207585.14889.exe (PID: 1100 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe" MD5: 62A5493CBEDA91C0D3B7593BB0A00424)

RegSvcs.exe (PID: 5980 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)

RegSvcs.exe (PID: 3736 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "ventas@bluemix.cl", "Password": "bluemix2020737", "Host": "mail.bluemix.cl"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000000.268432848.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000000.268432848.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000006.00000000.268432848.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x301f8:$a13: get_DnsResolver 0x2ea06:$a20: get_LastAccessed 0x30b76:$a27: set_InternalServerPort 0x30e95:$a30: set_GuidMasterKey 0x2eb0d:$a33: get_Clipboard 0x2eb1b:$a34: get_Keyboard 0x2fe13:$a35: get_ShiftKeyDown 0x2fe24:$a36: get_AltKeyDown 0x2eb28:$a37: get_Password 0x2f5c3:$a38: get_PasswordHash 0x305f8:$a39: get_DefaultCredentials
00000000.00000002.280169100.0000000003699000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.280169100.0000000003699000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.280169100.0000000003699000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x1e3c88:$a13: get_DnsResolver 0x2182a8:$a13: get_DnsResolver 0x1e2496:$a20: get_LastAccessed 0x216ab6:$a20: get_LastAccessed 0x1e4606:$a27: set_InternalServerPort 0x218c26:$a27: set_InternalServerPort 0x1e4925:$a30: set_GuidMasterKey 0x218f45:$a30: set_GuidMasterKey 0x1e259d:$a33: get_Clipboard 0x216bbd:$a33: get_Clipboard 0x1e25ab:$a34: get_Keyboard 0x216bcb:$a34: get_Keyboard 0x1e38a3:$a35: get_ShiftKeyDown 0x217ec3:$a35: get_ShiftKeyDown 0x1e38b4:$a36: get_AltKeyDown 0x217ed4:$a36: get_AltKeyDown 0x1e25b8:$a37: get_Password 0x216bd8:$a37: get_Password 0x1e3053:$a38: get_PasswordHash 0x217673:$a38: get_PasswordHash 0x1e4088:$a39: get_DefaultCredentials
00000000.00000002.275554875.00000000028E4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000006.00000002.501747915.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.501747915.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Variant.Lazy.207585.14889.exe PID: 1100	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x46784:$s5: AEAAAAMAAQqVT 0x466f5:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: SecuriteInfo.com.Variant.Lazy.207585.14889.exe PID: 1100	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Variant.Lazy.207585.14889.exe PID: 1100	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Variant.Lazy.207585.14889.exe PID: 1100	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x26d1c:$a13: get_DnsResolver 0x25ba7:$a20: get_LastAccessed 0x2745c:$a27: set_InternalServerPort 0x27630:$a30: set_GuidMasterKey 0x25c8c:$a33: get_Clipboard 0x25c9a:$a34: get_Keyboard 0x26a72:$a35: get_ShiftKeyDown 0x26a83:$a36: get_AltKeyDown 0x25ca7:$a37: get_Password 0x2641f:$a38: get_PasswordHash 0x27016:$a39: get_DefaultCredentials
Process Memory Space: RegSvcs.exe PID: 3736	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 3736	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 3736	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x285fb:$a13: get_DnsResolver 0x27069:$a20: get_LastAccessed 0x28f28:$a27: set_InternalServerPort 0x29184:$a30: set_GuidMasterKey 0x2715c:$a33: get_Clipboard 0x2716a:$a34: get_Keyboard 0x282b5:$a35: get_ShiftKeyDown 0x282c6:$a36: get_AltKeyDown 0x27177:$a37: get_Password 0x27b6e:$a38: get_PasswordHash 0x289cf:$a39: get_DefaultCredentials
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.0.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32cc1:$s10: logins 0x32728:$s11: credential 0x2ed0d:$g1: get_Clipboard 0x2ed1b:$g2: get_Keyboard 0x2ed28:$g3: get_Password 0x30003:$g4: get_CtrlKeyDown 0x30013:$g5: get_ShiftKeyDown 0x30024:$g6: get_AltKeyDown
6.0.RegSvcs.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x303f8:$a13: get_DnsResolver 0x2ec06:$a20: get_LastAccessed 0x30d76:$a27: set_InternalServerPort 0x31095:$a30: set_GuidMasterKey 0x2ed0d:$a33: get_Clipboard 0x2ed1b:$a34: get_Keyboard 0x30013:$a35: get_ShiftKeyDown 0x30024:$a36: get_AltKeyDown 0x2ed28:$a37: get_Password 0x2f7c3:$a38: get_PasswordHash 0x307f8:$a39: get_DefaultCredentials
0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.384c890.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.384c890.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.384c890.1.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30ec1:$s10: logins 0x30928:$s11: credential 0x2cf0d:$g1: get_Clipboard 0x2cf1b:$g2: get_Keyboard 0x2cf28:$g3: get_Password 0x2e203:$g4: get_CtrlKeyDown 0x2e213:$g5: get_ShiftKeyDown 0x2e224:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.384c890.1.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2e5f8:$a13: get_DnsResolver 0x2ce06:$a20: get_LastAccessed 0x2ef76:$a27: set_InternalServerPort 0x2f295:$a30: set_GuidMasterKey 0x2cf0d:$a33: get_Clipboard 0x2cf1b:$a34: get_Keyboard 0x2e213:$a35: get_ShiftKeyDown 0x2e224:$a36: get_AltKeyDown 0x2cf28:$a37: get_Password 0x2d9c3:$a38: get_PasswordHash 0x2e9f8:$a39: get_DefaultCredentials
0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.384c890.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.384c890.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.384c890.1.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32cc1:$s10: logins 0x672e1:$s10: logins 0x32728:$s11: credential 0x66d48:$s11: credential 0x2ed0d:$g1: get_Clipboard 0x6332d:$g1: get_Clipboard 0x2ed1b:$g2: get_Keyboard 0x6333b:$g2: get_Keyboard 0x2ed28:$g3: get_Password 0x63348:$g3: get_Password 0x30003:$g4: get_CtrlKeyDown 0x64623:$g4: get_CtrlKeyDown 0x30013:$g5: get_ShiftKeyDown 0x64633:$g5: get_ShiftKeyDown 0x30024:$g6: get_AltKeyDown 0x64644:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.384c890.1.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x303f8:$a13: get_DnsResolver 0x64a18:$a13: get_DnsResolver 0x2ec06:$a20: get_LastAccessed 0x63226:$a20: get_LastAccessed 0x30d76:$a27: set_InternalServerPort 0x65396:$a27: set_InternalServerPort 0x31095:$a30: set_GuidMasterKey 0x656b5:$a30: set_GuidMasterKey 0x2ed0d:$a33: get_Clipboard 0x6332d:$a33: get_Clipboard 0x2ed1b:$a34: get_Keyboard 0x6333b:$a34: get_Keyboard 0x30013:$a35: get_ShiftKeyDown 0x64633:$a35: get_ShiftKeyDown 0x30024:$a36: get_AltKeyDown 0x64644:$a36: get_AltKeyDown 0x2ed28:$a37: get_Password 0x63348:$a37: get_Password 0x2f7c3:$a38: get_PasswordHash 0x63de3:$a38: get_PasswordHash 0x307f8:$a39: get_DefaultCredentials
0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.3767c10.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.3767c10.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.3767c10.2.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x117941:$s10: logins 0x14bf61:$s10: logins 0x1173a8:$s11: credential 0x14b9c8:$s11: credential 0x11398d:$g1: get_Clipboard 0x147fad:$g1: get_Clipboard 0x11399b:$g2: get_Keyboard 0x147fbb:$g2: get_Keyboard 0x1139a8:$g3: get_Password 0x147fc8:$g3: get_Password 0x114c83:$g4: get_CtrlKeyDown 0x1492a3:$g4: get_CtrlKeyDown 0x114c93:$g5: get_ShiftKeyDown 0x1492b3:$g5: get_ShiftKeyDown 0x114ca4:$g6: get_AltKeyDown 0x1492c4:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.3767c10.2.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x115078:$a13: get_DnsResolver 0x149698:$a13: get_DnsResolver 0x113886:$a20: get_LastAccessed 0x147ea6:$a20: get_LastAccessed 0x1159f6:$a27: set_InternalServerPort 0x14a016:$a27: set_InternalServerPort 0x115d15:$a30: set_GuidMasterKey 0x14a335:$a30: set_GuidMasterKey 0x11398d:$a33: get_Clipboard 0x147fad:$a33: get_Clipboard 0x11399b:$a34: get_Keyboard 0x147fbb:$a34: get_Keyboard 0x114c93:$a35: get_ShiftKeyDown 0x1492b3:$a35: get_ShiftKeyDown 0x114ca4:$a36: get_AltKeyDown 0x1492c4:$a36: get_AltKeyDown 0x1139a8:$a37: get_Password 0x147fc8:$a37: get_Password 0x114443:$a38: get_PasswordHash 0x148a63:$a38: get_PasswordHash 0x115478:$a39: get_DefaultCredentials
Click to see the 11 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Virustotal: Detection: 57%			Perma Link
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe	ReversingLabs: Detection: 35%

Machine Learning detection for sample

Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe

Joe Sandbox ML: detected

Source: 6.0.RegSvcs.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 6.0.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "ventas@bluemix.cl", "Password": "bluemix2020737", "Host": "mail.bluemix.cl"}

Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Joe Sandbox View

IP Address: 104.149.221.234 104.149.221.234

Source: global traffic

TCP traffic: 192.168.2.4:49757 -> 104.149.221.234:587

Source: global traffic

TCP traffic: 192.168.2.4:49757 -> 104.149.221.234:587

Source: RegSvcs.exe, 00000006.00000002.501747915.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000006.00000002.501747915.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://BhHVua.com
Source: RegSvcs.exe, 00000006.00000002.501747915.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: RegSvcs.exe, 00000006.00000002.505019128.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bluemix.cl
Source: RegSvcs.exe, 00000006.00000002.508271478.0000000005D98000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.505019128.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 00000006.00000003.314168789.0000000005DFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 00000006.00000002.508271478.0000000005D98000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.505019128.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RegSvcs.exe, 00000006.00000002.508271478.0000000005D98000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.505019128.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: RegSvcs.exe, 00000006.00000002.501747915.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.505118218.0000000002DB2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.505142726.0000000002DBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://d1GB0YAapow6XmOM.org
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000006.00000002.505019128.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.bluemix.cl
Source: RegSvcs.exe, 00000006.00000002.508271478.0000000005D98000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.505019128.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000003.235850074.0000000000CEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000003.235850074.0000000000CEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comP
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000003.235850074.0000000000CEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.combig
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000003.235850074.0000000000CEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comig4
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 00000006.00000002.501747915.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%
Source: RegSvcs.exe, 00000006.00000002.501747915.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%%startupfolder%
Source: RegSvcs.exe, 00000006.00000002.508271478.0000000005D98000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.505019128.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: RegSvcs.exe, 00000006.00000002.501747915.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: mail.bluemix.cl

Spam, unwanted Advertisements and Ransom Demands

Modifies the hosts file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.384c890.1.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.384c890.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.384c890.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.384c890.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.3767c10.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.3767c10.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000006.00000000.268432848.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.280169100.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Variant.Lazy.207585.14889.exe PID: 1100, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 3736, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

.NET source code contains very large array initializations

Source: 6.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bF4E9DFE3u002dF8F3u002d41FCu002dB96Cu002d8730A4AF5432u007d/E6DC0371u002dC852u002d4937u002d8582u002dBEDB15C72A37.cs

Large array initialization: .cctor: array initializer size 11673

Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.384c890.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.384c890.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.384c890.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.384c890.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.3767c10.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.3767c10.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000006.00000000.268432848.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.280169100.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: SecuriteInfo.com.Variant.Lazy.207585.14889.exe PID: 1100, type: MEMORYSTR	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: SecuriteInfo.com.Variant.Lazy.207585.14889.exe PID: 1100, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: RegSvcs.exe PID: 3736, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Code function: 0_2_00BC5028	0_2_00BC5028
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Code function: 0_2_00BCCB54	0_2_00BCCB54
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Code function: 0_2_00BC5018	0_2_00BC5018
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Code function: 0_2_00BCF3B0	0_2_00BCF3B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Code function: 0_2_00BCF3C0	0_2_00BCF3C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Code function: 0_2_06DD0D4C	0_2_06DD0D4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_029AF3C8	6_2_029AF3C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_029AF080	6_2_029AF080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_029A6120	6_2_029A6120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_054B1FF8	6_2_054B1FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_054B0040	6_2_054B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_054BCA60	6_2_054BCA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06326E80	6_2_06326E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0632F7B7	6_2_0632F7B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0632A380	6_2_0632A380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063275F0	6_2_063275F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06321662	6_2_06321662
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0632166A	6_2_0632166A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0632E250	6_2_0632E250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0632165E	6_2_0632165E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216B2	6_2_063216B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216B6	6_2_063216B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216BA	6_2_063216BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216BE	6_2_063216BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216A6	6_2_063216A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216AA	6_2_063216AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216AE	6_2_063216AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0632169A	6_2_0632169A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0632169E	6_2_0632169E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216F2	6_2_063216F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216F6	6_2_063216F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216FA	6_2_063216FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216FE	6_2_063216FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216E2	6_2_063216E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216E6	6_2_063216E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216EA	6_2_063216EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216EE	6_2_063216EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216D2	6_2_063216D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216D6	6_2_063216D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216DA	6_2_063216DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216DE	6_2_063216DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216C2	6_2_063216C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216C6	6_2_063216C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216CA	6_2_063216CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216CE	6_2_063216CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06321732	6_2_06321732
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06323330	6_2_06323330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06321736	6_2_06321736
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0632173A	6_2_0632173A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06321722	6_2_06321722
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06321726	6_2_06321726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0632172A	6_2_0632172A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0632172E	6_2_0632172E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06321712	6_2_06321712
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06321716	6_2_06321716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0632171A	6_2_0632171A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0632171E	6_2_0632171E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06321702	6_2_06321702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06321706	6_2_06321706
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0632170A	6_2_0632170A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0632170E	6_2_0632170E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06321742	6_2_06321742
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06321746	6_2_06321746
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06320040	6_2_06320040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063F2978	6_2_063F2978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063F56C0	6_2_063F56C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063F8611	6_2_063F8611
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063F4CF0	6_2_063F4CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063F68A0	6_2_063F68A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: String function: 054B5A60 appears 57 times

Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000000.230304373.00000000002AA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamet2mR0.exeH vs SecuriteInfo.com.Variant.Lazy.207585.14889.exe
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.289420556.0000000008C20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs SecuriteInfo.com.Variant.Lazy.207585.14889.exe
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.275554875.00000000028E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs SecuriteInfo.com.Variant.Lazy.207585.14889.exe
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.280169100.0000000003699000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs SecuriteInfo.com.Variant.Lazy.207585.14889.exe
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.280169100.0000000003699000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevZZZaOqVzVvOBwlBSUZqc.exe4 vs SecuriteInfo.com.Variant.Lazy.207585.14889.exe
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.288934216.0000000006EF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs SecuriteInfo.com.Variant.Lazy.207585.14889.exe
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.273362456.0000000002691000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs SecuriteInfo.com.Variant.Lazy.207585.14889.exe
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.273362456.0000000002691000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevZZZaOqVzVvOBwlBSUZqc.exe4 vs SecuriteInfo.com.Variant.Lazy.207585.14889.exe
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Binary or memory string: OriginalFilenamet2mR0.exeH vs SecuriteInfo.com.Variant.Lazy.207585.14889.exe

Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Virustotal: Detection: 57%
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe	ReversingLabs: Detection: 35%

Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Variant.Lazy.207585.14889.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@5/2@2/1

Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe

Mutant created: \Sessions\1\BaseNamedObjects\YNyZUGITHvKLmbxGFrydO

Source: 6.0.RegSvcs.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.RegSvcs.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06321662 push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0632166A push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0632165E push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216B2 push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216B6 push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216BA push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216BE push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216A6 push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216AA push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216AE push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0632169A push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0632169E push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216F2 push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0632F6F1 push es; ret	6_2_0632F6F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216F6 push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216FA push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216FE push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216E2 push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216E6 push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216EA push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216EE push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216D2 push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216D6 push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216DA push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216DE push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216C2 push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216C6 push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216CA push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_063216CE push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06321732 push es; ret	6_2_063218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06321736 push es; ret	6_2_063218C4

Source: initial sample

Static PE information: section name: .text entropy: 7.41882242323763

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.275554875.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Variant.Lazy.207585.14889.exe PID: 1100, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.275554875.00000000028E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.275554875.00000000028E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe TID: 1748

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Window / User API: threadDelayed 9689

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.275554875.00000000028E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.275554875.00000000028E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 00000006.00000002.508271478.0000000005D98000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.275554875.00000000028E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.275554875.00000000028E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.275554875.00000000028E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.275554875.00000000028E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.275554875.00000000028E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.275554875.00000000028E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.275554875.00000000028E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 6_2_0632DC88 LdrInitializeThunk,

6_2_0632DC88

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 436000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 6D2008	Jump to behavior

Modifies the hosts file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the hosts file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.384c890.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.384c890.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.3767c10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.268432848.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.280169100.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.501747915.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Variant.Lazy.207585.14889.exe PID: 1100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3736, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match	File source: 00000006.00000002.501747915.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3736, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.384c890.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.384c890.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.207585.14889.exe.3767c10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.268432848.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.280169100.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.501747915.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Variant.Lazy.207585.14889.exe PID: 1100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3736, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	Path Interception	211 Process Injection	1 Masquerading	2 OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 File and Directory Permissions Modification	1 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	131 Virtualization/Sandbox Evasion	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	211 Process Injection	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 Deobfuscate/Decode Files or Information	Cached Domain Credentials	114 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	3 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Variant.Lazy.207585.14889.exe	58%	Virustotal		Browse
SecuriteInfo.com.Variant.Lazy.207585.14889.exe	36%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
SecuriteInfo.com.Variant.Lazy.207585.14889.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
6.0.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

Source	Detection	Scanner	Label	Link
bluemix.cl	0%	Virustotal		Browse
mail.bluemix.cl	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fonts.comig4	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
http://www.fonts.comP	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
https://api.ipify.org%%startupfolder%	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://d1GB0YAapow6XmOM.org	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://mail.bluemix.cl	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	URL Reputation	safe
http://BhHVua.com	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://bluemix.cl	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.fonts.combig	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bluemix.cl	104.149.221.234	true	false	0%, Virustotal, Browse	unknown
mail.bluemix.cl	unknown	unknown	true	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	RegSvcs.exe, 00000006.00000002.501747915.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.apache.org/licenses/LICENSE-2.0	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	RegSvcs.exe, 00000006.00000002.508271478.0000000005D98000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.505019128.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.comig4	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000003.235850074.0000000000CEC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	RegSvcs.exe, 00000006.00000002.501747915.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.comP	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000003.235850074.0000000000CEC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org%%startupfolder%	RegSvcs.exe, 00000006.00000002.501747915.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	low
http://www.goodfont.co.kr	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://d1GB0YAapow6XmOM.org	RegSvcs.exe, 00000006.00000002.501747915.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.505118218.0000000002DB2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.505142726.0000000002DBA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.bluemix.cl	RegSvcs.exe, 00000006.00000002.505019128.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	RegSvcs.exe, 00000006.00000002.501747915.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://BhHVua.com	RegSvcs.exe, 00000006.00000002.501747915.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000003.235850074.0000000000CEC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://bluemix.cl	RegSvcs.exe, 00000006.00000002.505019128.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.combig	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000003.235850074.0000000000CEC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cn	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	SecuriteInfo.com.Variant.Lazy.207585.14889.exe, 00000000.00000002.285875757.0000000006812000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org%	RegSvcs.exe, 00000006.00000002.501747915.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	low

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.149.221.234	bluemix.cl	United States		397423	TIER-NETUS	false

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	680333
Start date and time: 08/08/202212:06:12	2022-08-08 12:06:12 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Variant.Lazy.207585.14889.25639 (renamed file extension from 25639 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.winEXE@5/2@2/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 88% Number of executed functions: 96 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:07:27	API Interceptor	1x Sleep call for process: SecuriteInfo.com.Variant.Lazy.207585.14889.exe modified
12:07:35	API Interceptor	699x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
104.149.221.234	OLORI.exe	Get hash	malicious	Browse
	payment for invoice 64249.docx	Get hash	malicious	Browse
	payment for invoice64249.docx	Get hash	malicious	Browse
	payment for invoice 64249.docx	Get hash	malicious	Browse
	Revised Invoice.xlsx	Get hash	malicious	Browse
	c33l2KS7k0.exe	Get hash	malicious	Browse
	scan1962.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.MSILHeracles.36859.299.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TIER-NETUS	https://andromadehk.net/frontpage/Webmail/webmail.php?email=cactus@gmail.com	Get hash	malicious	Browse	8.39.235.63
	OLORI.exe	Get hash	malicious	Browse	104.149.221.234
	payment for invoice 64249.docx	Get hash	malicious	Browse	104.149.221.234
	payment for invoice64249.docx	Get hash	malicious	Browse	104.149.221.234
	payment for invoice 64249.docx	Get hash	malicious	Browse	104.149.221.234
	Revised Invoice.xlsx	Get hash	malicious	Browse	104.149.221.234
	c33l2KS7k0.exe	Get hash	malicious	Browse	104.149.221.234
	scan1962.exe	Get hash	malicious	Browse	104.149.221.234
	SecuriteInfo.com.Variant.MSILHeracles.36859.299.exe	Get hash	malicious	Browse	104.149.221.234
	mirai.m68k	Get hash	malicious	Browse	155.254.17.216
	elmAKUWDRm	Get hash	malicious	Browse	104.149.220.211
	y1vJPim631	Get hash	malicious	Browse	181.214.133.87
	GlKt2OVVbM	Get hash	malicious	Browse	155.254.17.212
	http://bluesail.cc/Webmail/webmail.php?email=sean@virtualintelligencebriefing.com	Get hash	malicious	Browse	198.37.123.126
	PO#325342.xlsx	Get hash	malicious	Browse	198.37.123.126
	https://jpseuroauto.com/.wwww/600/?uid=cst1@anaintercontinental-tokyo.jp	Get hash	malicious	Browse	192.154.228.33
	http://macro-blue.cam/Webmail/1/webmail.php?email=meqatil@bein.com	Get hash	malicious	Browse	198.37.123.126
	http://macro-blue.cam/Webmail/1/webmail.php?email=$email	Get hash	malicious	Browse	198.37.123.126
	Nw PN #23069746XVNXH8W630HXFRATQH.vbs	Get hash	malicious	Browse	192.154.229.64
	arm	Get hash	malicious	Browse	192.154.202.30

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Windows\System32\drivers\etc\hosts

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	835
Entropy (8bit):	4.694294591169137
Encrypted:	false
SSDEEP:	24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
MD5:	6EB47C1CF858E25486E42440074917F2
SHA1:	6A63F93A95E1AE831C393A97158C526A4FA0FAAE
SHA-256:	9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
SHA-512:	08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
Malicious:	true
Reputation:	high, very likely benign file
Preview:	# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.41549459780222
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	SecuriteInfo.com.Variant.Lazy.207585.14889.exe
File size:	884736
MD5:	62a5493cbeda91c0d3b7593bb0a00424
SHA1:	9e6941500fbb55c643ce5e59e3bd86e114f4a73d
SHA256:	60383046971044bc8d25ec8a3cc0bf559dca620af2b978d2cd7f5c35363c44c5
SHA512:	28c2432e27bc3964a61c27dc5ba1ef98dea9f8a7f07e6bed32dfd42d18399f18c3cc952a394d15c494d0b4195552ef5f0f8925998e671810cc98f27909159e69
SSDEEP:	12288:mhBQEIjT6JFjwi9BZNbvYbagLEtxGmfVMmI/OLB8DIEBIvfkOJxjza39AeLKvrBl:quzkjwi9BHtgL4p8OLmBIjzjZ
TLSH:	0E155CA8319072DED927CA31CAA41C74EA617C77A71B921794633299DF3E987DF100B3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....U.b..............P..j............... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4d892e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62F055E1 [Mon Aug 8 00:16:33 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd88d4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xda000	0x11f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd6934	0xd6a00	False	0.7423740535818287	data	7.41882242323763	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xda000	0x11f0	0x1200	False	0.3927951388888889	data	5.044747416478067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdc000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xda0a0	0x334	data
RT_MANIFEST	0xda3d4	0xe15	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 8, 2022 12:07:50.903929949 CEST	49757	587	192.168.2.4	104.149.221.234
Aug 8, 2022 12:07:51.060014963 CEST	587	49757	104.149.221.234	192.168.2.4
Aug 8, 2022 12:07:51.060251951 CEST	49757	587	192.168.2.4	104.149.221.234
Aug 8, 2022 12:07:51.277803898 CEST	587	49757	104.149.221.234	192.168.2.4
Aug 8, 2022 12:07:51.278224945 CEST	49757	587	192.168.2.4	104.149.221.234
Aug 8, 2022 12:07:51.434055090 CEST	587	49757	104.149.221.234	192.168.2.4
Aug 8, 2022 12:07:51.434320927 CEST	49757	587	192.168.2.4	104.149.221.234
Aug 8, 2022 12:07:51.592422962 CEST	587	49757	104.149.221.234	192.168.2.4
Aug 8, 2022 12:07:51.629565954 CEST	49757	587	192.168.2.4	104.149.221.234
Aug 8, 2022 12:07:51.797372103 CEST	587	49757	104.149.221.234	192.168.2.4
Aug 8, 2022 12:07:51.797389030 CEST	587	49757	104.149.221.234	192.168.2.4
Aug 8, 2022 12:07:51.797400951 CEST	587	49757	104.149.221.234	192.168.2.4
Aug 8, 2022 12:07:51.797409058 CEST	587	49757	104.149.221.234	192.168.2.4
Aug 8, 2022 12:07:51.797485113 CEST	49757	587	192.168.2.4	104.149.221.234
Aug 8, 2022 12:07:51.797517061 CEST	49757	587	192.168.2.4	104.149.221.234
Aug 8, 2022 12:07:51.801029921 CEST	587	49757	104.149.221.234	192.168.2.4
Aug 8, 2022 12:07:51.830961943 CEST	49757	587	192.168.2.4	104.149.221.234
Aug 8, 2022 12:07:51.986874104 CEST	587	49757	104.149.221.234	192.168.2.4
Aug 8, 2022 12:07:52.049287081 CEST	49757	587	192.168.2.4	104.149.221.234
Aug 8, 2022 12:07:52.133793116 CEST	49757	587	192.168.2.4	104.149.221.234
Aug 8, 2022 12:07:52.290673018 CEST	587	49757	104.149.221.234	192.168.2.4
Aug 8, 2022 12:07:52.292047977 CEST	49757	587	192.168.2.4	104.149.221.234
Aug 8, 2022 12:07:52.449750900 CEST	587	49757	104.149.221.234	192.168.2.4
Aug 8, 2022 12:07:52.450333118 CEST	49757	587	192.168.2.4	104.149.221.234
Aug 8, 2022 12:07:52.630346060 CEST	587	49757	104.149.221.234	192.168.2.4
Aug 8, 2022 12:07:52.631134033 CEST	49757	587	192.168.2.4	104.149.221.234
Aug 8, 2022 12:07:52.787030935 CEST	587	49757	104.149.221.234	192.168.2.4
Aug 8, 2022 12:07:52.787491083 CEST	49757	587	192.168.2.4	104.149.221.234
Aug 8, 2022 12:07:52.951402903 CEST	587	49757	104.149.221.234	192.168.2.4
Aug 8, 2022 12:07:52.951924086 CEST	49757	587	192.168.2.4	104.149.221.234
Aug 8, 2022 12:07:53.107825041 CEST	587	49757	104.149.221.234	192.168.2.4
Aug 8, 2022 12:07:53.108823061 CEST	49757	587	192.168.2.4	104.149.221.234
Aug 8, 2022 12:07:53.108947039 CEST	49757	587	192.168.2.4	104.149.221.234
Aug 8, 2022 12:07:53.109611988 CEST	49757	587	192.168.2.4	104.149.221.234
Aug 8, 2022 12:07:53.109689951 CEST	49757	587	192.168.2.4	104.149.221.234
Aug 8, 2022 12:07:53.264444113 CEST	587	49757	104.149.221.234	192.168.2.4
Aug 8, 2022 12:07:53.264504910 CEST	587	49757	104.149.221.234	192.168.2.4
Aug 8, 2022 12:07:53.265361071 CEST	587	49757	104.149.221.234	192.168.2.4
Aug 8, 2022 12:07:53.265377998 CEST	587	49757	104.149.221.234	192.168.2.4
Aug 8, 2022 12:07:53.448128939 CEST	587	49757	104.149.221.234	192.168.2.4
Aug 8, 2022 12:07:53.643105030 CEST	49757	587	192.168.2.4	104.149.221.234

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 8, 2022 12:07:50.034467936 CEST	62099	53	192.168.2.4	8.8.8.8
Aug 8, 2022 12:07:50.425446033 CEST	53	62099	8.8.8.8	192.168.2.4
Aug 8, 2022 12:07:50.483175993 CEST	53775	53	192.168.2.4	8.8.8.8
Aug 8, 2022 12:07:50.875464916 CEST	53	53775	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 8, 2022 12:07:50.034467936 CEST	192.168.2.4	8.8.8.8	0xe61e	Standard query (0)	mail.bluemix.cl	A (IP address)	IN (0x0001)
Aug 8, 2022 12:07:50.483175993 CEST	192.168.2.4	8.8.8.8	0x5ca5	Standard query (0)	mail.bluemix.cl	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 8, 2022 12:07:50.425446033 CEST	8.8.8.8	192.168.2.4	0xe61e	No error (0)	mail.bluemix.cl	bluemix.cl		CNAME (Canonical name)	IN (0x0001)
Aug 8, 2022 12:07:50.425446033 CEST	8.8.8.8	192.168.2.4	0xe61e	No error (0)	bluemix.cl		104.149.221.234	A (IP address)	IN (0x0001)
Aug 8, 2022 12:07:50.875464916 CEST	8.8.8.8	192.168.2.4	0x5ca5	No error (0)	mail.bluemix.cl	bluemix.cl		CNAME (Canonical name)	IN (0x0001)
Aug 8, 2022 12:07:50.875464916 CEST	8.8.8.8	192.168.2.4	0x5ca5	No error (0)	bluemix.cl		104.149.221.234	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Aug 8, 2022 12:07:51.277803898 CEST	587	49757	104.149.221.234	192.168.2.4	220-srv34.benzahosting.cl ESMTP Exim 4.95 #2 Mon, 08 Aug 2022 06:07:51 -0400 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Aug 8, 2022 12:07:51.278224945 CEST	49757	587	192.168.2.4	104.149.221.234	EHLO 067773
Aug 8, 2022 12:07:51.434055090 CEST	587	49757	104.149.221.234	192.168.2.4	250-srv34.benzahosting.cl Hello 067773 [102.129.143.3] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Aug 8, 2022 12:07:51.434320927 CEST	49757	587	192.168.2.4	104.149.221.234	STARTTLS
Aug 8, 2022 12:07:51.592422962 CEST	587	49757	104.149.221.234	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	12:07:14
Start date:	08/08/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.207585.14889.exe"
Imagebase:	0x1d0000
File size:	884736 bytes
MD5 hash:	62A5493CBEDA91C0D3B7593BB0A00424
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.280169100.0000000003699000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.280169100.0000000003699000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.280169100.0000000003699000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.275554875.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	4
Start time:	12:07:30
Start date:	08/08/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0xb0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	12:07:31
Start date:	08/08/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x5f0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000000.268432848.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000000.268432848.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000006.00000000.268432848.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.501747915.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.501747915.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Execution Graph

Execution Coverage:	13.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	138
Total number of Limit Nodes:	5

Executed Functions

Function 06DD0D4C Relevance: .9, Instructions: 931
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.288496950.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5432f2a46eada701f0ca52d02ce6601054dc4fd5f2e1d0cc0567ab56cf461af6
Instruction ID: 7c5b922caa9b1c555c1a9464a0db3db95af27b8ce55e107dccef0fb60e66f1c7
Opcode Fuzzy Hash: 5432f2a46eada701f0ca52d02ce6601054dc4fd5f2e1d0cc0567ab56cf461af6
Instruction Fuzzy Hash: FDA21831D106198FCB15EF68C8947DDB7B2FF89304F1482AAD90AA7251EB70AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00BC5028 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.272352426.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244f04139bb2abe52cba337f362e6e4478a78138752aca769045212b01c9607b
Instruction ID: da7c86b32ad6471e81d05d3e499dd03128ba8aaa83b040b9f70db914598c8bbb
Opcode Fuzzy Hash: 244f04139bb2abe52cba337f362e6e4478a78138752aca769045212b01c9607b
Instruction Fuzzy Hash: 35D1F674E05618DFCB24CFA4D584B9DBBF2FB49300F2094AAD51AAB354DB70A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00BC5018 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.272352426.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b478d3df73d546c34200daa2795301c83f359e811f77038d7a6f16671444345d
Instruction ID: 2b23a060e2719dd532bd3b9a12a823273b6f2f225fa7f628c22a64a8fbb52a87
Opcode Fuzzy Hash: b478d3df73d546c34200daa2795301c83f359e811f77038d7a6f16671444345d
Instruction Fuzzy Hash: 48D10674E05618DFCB24CFA4D484B9DBBF2FB49300F2094AAD51AAB364DB34A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00BCC5F8 Relevance: 6.1, APIs: 4, Instructions: 123
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00BCC668
GetCurrentThread.KERNEL32 ref: 00BCC6A5
GetCurrentProcess.KERNEL32 ref: 00BCC6E2
GetCurrentThreadId.KERNEL32 ref: 00BCC73B

Memory Dump Source

Source File: 00000000.00000002.272352426.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0351138a4c275e4bb4dc2015a029c710fe3cbd92a634b26d3833bd3af41c08f9
Instruction ID: 39b3e75302e763d93ac1e5a653ef3017177a359e91dfe840930037a940fde5c8
Opcode Fuzzy Hash: 0351138a4c275e4bb4dc2015a029c710fe3cbd92a634b26d3833bd3af41c08f9
Instruction Fuzzy Hash: 045145B09006888FDB10CFA9D648BDEBFF1AF49318F2484AEE409A7351CB745884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00BCC608 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00BCC668
GetCurrentThread.KERNEL32 ref: 00BCC6A5
GetCurrentProcess.KERNEL32 ref: 00BCC6E2
GetCurrentThreadId.KERNEL32 ref: 00BCC73B

Memory Dump Source

Source File: 00000000.00000002.272352426.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d258694ccb5198147311da86e2249031a94a58783bd6696c734916274735fe85
Instruction ID: 6e9f19971eb66535e47d49e5855fe9ff9ade5d6574eb976607ec563fb27e583f
Opcode Fuzzy Hash: d258694ccb5198147311da86e2249031a94a58783bd6696c734916274735fe85
Instruction Fuzzy Hash: 425126B09006498FDB14CFA9D648BDEBBF1EF49318F20846AE419B7350DB746984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00BCA328 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00BCA56E

Memory Dump Source

Source File: 00000000.00000002.272352426.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5ff885076596e305f5c17b51ddf61851a572e46d0279d64640f9c66415dc2331
Instruction ID: 91a6a27713b5b827ed738da9a3ddfda8b461487e442856cb84fa581d699353ca
Opcode Fuzzy Hash: 5ff885076596e305f5c17b51ddf61851a572e46d0279d64640f9c66415dc2331
Instruction Fuzzy Hash: A7712570A00B098FDB24DF29D055B9AB7F1FF88308F00896DD45AD7B50D775E9498B91

Uniqueness

Uniqueness Score: -1.00%

Function 00BCAB6D Relevance: 1.6, APIs: 1, Instructions: 65
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00BCA5E9,00000800,00000000,00000000), ref: 00BCABFA

Memory Dump Source

Source File: 00000000.00000002.272352426.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f3c53f1cac97ecfe12dcc9ce297bdaf536948f6ba24992eb6490f6240032d69b
Instruction ID: 708f29af479891f7362b71c7a8f4bc336afc670af558fc43492919e0607cb968
Opcode Fuzzy Hash: f3c53f1cac97ecfe12dcc9ce297bdaf536948f6ba24992eb6490f6240032d69b
Instruction Fuzzy Hash: D72125B28043888FCB11CFA9C444AEEBFF5EB49224F04845ED455A7611C375A949CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BCCC30 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00BCCCBF

Memory Dump Source

Source File: 00000000.00000002.272352426.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8592270883d1695d3907c43995b80a8880b95912ad7ea214c0ddd9cc48459c02
Instruction ID: 35135fe83a4a36ff0003f8255df0d2a5e862ee8849602fa1244542d3797ee78d
Opcode Fuzzy Hash: 8592270883d1695d3907c43995b80a8880b95912ad7ea214c0ddd9cc48459c02
Instruction Fuzzy Hash: 912103B5D00248AFDB10CFAAD885ADEBFF5FB48324F14841AE819A3710D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BCCC38 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00BCCCBF

Memory Dump Source

Source File: 00000000.00000002.272352426.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 29e937297482973df52c2a0cdb346623fcd8a7051a9546bd6a954a48b57ac18a
Instruction ID: 0a0628bf542a87ff86ae62f1ae9f8ebdad347242a93323c5ccc82bf276b51cc5
Opcode Fuzzy Hash: 29e937297482973df52c2a0cdb346623fcd8a7051a9546bd6a954a48b57ac18a
Instruction Fuzzy Hash: DC21C4B59002489FDB10CFA9D584ADEBFF5EB48324F14845AE959A3710D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BC96F8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00BCA5E9,00000800,00000000,00000000), ref: 00BCABFA

Memory Dump Source

Source File: 00000000.00000002.272352426.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0a9b0f71b7b5e359e7eb3dfc5e534c4772d964e4f3362175a26a474c547f41a9
Instruction ID: 858eef27c5d0dc92ad5302ee39f0510c1e01e8a314a090352334a627032dcaa0
Opcode Fuzzy Hash: 0a9b0f71b7b5e359e7eb3dfc5e534c4772d964e4f3362175a26a474c547f41a9
Instruction Fuzzy Hash: F81103B6D003489FCB10CF9AC484BEEBBF5EB48324F14846EE819A7610C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 056EDCD4 Relevance: 1.6, Strings: 1, Instructions: 300
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<ok, xrefs: 056EF76F

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: <ok
API String ID: 0-1043059258
Opcode ID: 026e665c7c1a786bfea3f0800770f14064e2c8231f50e97aa1f39ef68dfb9d7a
Instruction ID: 17712fed93c25b19f6d3f75402f8000ec49781345e68f87aa348aa1f84e47352
Opcode Fuzzy Hash: 026e665c7c1a786bfea3f0800770f14064e2c8231f50e97aa1f39ef68dfb9d7a
Instruction Fuzzy Hash: 7E910F70A06348DFCB04DFA5E8486AEFBF6FF85314F10846AE446A7751DB34A846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BCA508 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00BCA56E

Memory Dump Source

Source File: 00000000.00000002.272352426.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8cf2e4b244ce551ca28c216dd2f6a77e14026d5a96328381585c9fbd9257d692
Instruction ID: 354824b119730f151e1ba1350eb6196dabecc5b0efedc37e6b33db99d598bc5a
Opcode Fuzzy Hash: 8cf2e4b244ce551ca28c216dd2f6a77e14026d5a96328381585c9fbd9257d692
Instruction Fuzzy Hash: 3211DFB6C006498FCB10CF9AC444BDEFBF5EB88328F14855AD829A7610D378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 056EDF48 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed0173cf5b6339c9e70f0de04e1ed484f3487d8a921552714f03c1a31260728c
Instruction ID: 3311ef3f4f582b2506f552336964a503154364f2786156db5b7606c4eb84b2d1
Opcode Fuzzy Hash: ed0173cf5b6339c9e70f0de04e1ed484f3487d8a921552714f03c1a31260728c
Instruction Fuzzy Hash: B2818B70E002198FCF14DFA9C9546EEBBB6FF89304F14852AE409AB750DB385946CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 056EDC40 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33017afe89ef97aeda4e8fbb3b9f6f538392cc73f9340575ce916b35910f0d74
Instruction ID: 2f187191427af29f42d4e6096b3958f8c83bd394a05c0fc9e6dd478716366f35
Opcode Fuzzy Hash: 33017afe89ef97aeda4e8fbb3b9f6f538392cc73f9340575ce916b35910f0d74
Instruction Fuzzy Hash: 9551337070224A8FCF15ABA8C4155AF7BBBEFC5244B10806DE406DB791CF348C0AC7A9

Uniqueness

Uniqueness Score: -1.00%

Function 056E9CB8 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e10c32cd6ab0196997c50366a40308c2764c5cd6497627201fc6667156c142
Instruction ID: 282234079c3d4f668077201f682ab3c2d96a8f3ee116c2c48e0fc6e6ef5f37cb
Opcode Fuzzy Hash: 53e10c32cd6ab0196997c50366a40308c2764c5cd6497627201fc6667156c142
Instruction Fuzzy Hash: E3619D31A0170ADFCB00DF64D458AAEB7B6FF85304F10855AE516AB360EB70AD96CB80

Uniqueness

Uniqueness Score: -1.00%

Function 056ED2FC Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c192a1f23d52aa57e0c1aabcdc47b69e58967824886cc4947a9817f5d9a12c10
Instruction ID: 7a5cabff0f00401f25fc391b6ee07ade8f85d8b9d30a1805c873a169b6c02897
Opcode Fuzzy Hash: c192a1f23d52aa57e0c1aabcdc47b69e58967824886cc4947a9817f5d9a12c10
Instruction Fuzzy Hash: 765171B1E022499FCB10DFA9C908AEFBBF9EF88214F10841ED415E7750EB749905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 056EA558 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8dabbd0a641343c85c66671b49940f9d2207132be2910902cf33ff74ae41358
Instruction ID: 99d7603dde7c5fb94b998e0b6c06a9ddae49708fba3ebeead078ff7b799fb678
Opcode Fuzzy Hash: e8dabbd0a641343c85c66671b49940f9d2207132be2910902cf33ff74ae41358
Instruction Fuzzy Hash: 07418A75E022048FDF24EFF4C55C6ED76B2EB89354F144529D002AB344DB3A49C6CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 056EDAD4 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d9a8d45bf5c353b8da412b5bbd9916390000edd6ab19f33be71bc41c8e937c1
Instruction ID: 935c74900df3e2a86c36a47960f68683094ab0aa45b64a125d8577ff6c8c47dc
Opcode Fuzzy Hash: 1d9a8d45bf5c353b8da412b5bbd9916390000edd6ab19f33be71bc41c8e937c1
Instruction Fuzzy Hash: 7941E2B1D01619DBDB10DFA9C584ADEFBB5BF48304F248529D409BB310D775AA4ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 056ED2F0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ca6241ae54c0c8b9056a326603b256d67fa0567308f8a6143edd280ecbaa48
Instruction ID: 565fc59edc0a776d5b9e340eb26c7cf689dff3b2cdd28c7fcac7faa152e28c82
Opcode Fuzzy Hash: c8ca6241ae54c0c8b9056a326603b256d67fa0567308f8a6143edd280ecbaa48
Instruction Fuzzy Hash: 3241AEB0D017589FDB14CFAAC884ADEFBB6BF48314F24852AE418AB254D7756885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 056EE298 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dbb0646a004251fce08667513541618b8040e3bd432e1be910d751def5cba73
Instruction ID: 4655de18a41c350e9c00a73a10cc5108774b93719ff19b698a9f07cbfa67e190
Opcode Fuzzy Hash: 3dbb0646a004251fce08667513541618b8040e3bd432e1be910d751def5cba73
Instruction Fuzzy Hash: 36210F71A052448FCB01EF79C54449FBBE6EF81219709886ED40ADB751EF35ED09CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 056E8F38 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de5f4522ee28ee085d9fdd449627e01da6cbab3320347e21adc8d220b1ea0409
Instruction ID: 204b98596238ab3029e0e9100d804cdfbfaaeb083813aa92ba428c5274b97182
Opcode Fuzzy Hash: de5f4522ee28ee085d9fdd449627e01da6cbab3320347e21adc8d220b1ea0409
Instruction Fuzzy Hash: 2E21DF72616B049BE320DF28D846A1AB7F2FB84350F040E29E1A6CBB51D734E808CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A5D1D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.272204205.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a5d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69029e0921788fb49a1bef001a8b3412d056bbd646563174c92c8498a820ebc4
Instruction ID: c38588b3b7282991b22506bd9e8adedce0e9f32bf460f4f38c41fa2c92b828dc
Opcode Fuzzy Hash: 69029e0921788fb49a1bef001a8b3412d056bbd646563174c92c8498a820ebc4
Instruction Fuzzy Hash: 1721F1B1504340EFDB25CF50D8C0BAABB75FB88315F248669EC050B646C336D85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A5D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.272204205.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a5d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771b902c4b23b120c1d9df3e90db531bd41120d4440848283f5a5915d9c63de8
Instruction ID: ab4b976d902dd7dd10f2ee3e2c520e6c314b39cc286dfdf9a7574eef323d8ae3
Opcode Fuzzy Hash: 771b902c4b23b120c1d9df3e90db531bd41120d4440848283f5a5915d9c63de8
Instruction Fuzzy Hash: B22125B1504240EFDB25CF14D9C0B6ABF75FB98329F248569ED094B216D336D84DCBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A6D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.272232675.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8944ed9cfa6db1985cfd149f13ab2ec68cf9e15e1a9b5a8214be534cb215bfe9
Instruction ID: 03620f8723420b09f91217fef7788ba9b758c782acb17814bc16870dcd1165f5
Opcode Fuzzy Hash: 8944ed9cfa6db1985cfd149f13ab2ec68cf9e15e1a9b5a8214be534cb215bfe9
Instruction Fuzzy Hash: 652129B5A04240EFDB01CF20D9D0B66BB75FB84358F24C96DE8094B741C336D84ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A6D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.272232675.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b3371332a8a38e431a11e62c7ca5ccbd0a6e1dbfebe9ad9af32f2a152c71326
Instruction ID: 8d5a243fbba5d259703b19c8d97162776c4d0f8f0ddbd868d599445e0db8af99
Opcode Fuzzy Hash: 9b3371332a8a38e431a11e62c7ca5ccbd0a6e1dbfebe9ad9af32f2a152c71326
Instruction Fuzzy Hash: 5021F575A04240EFDB14CF10D9C4B26BB75FB84358F24C96DE80A4B746C33BD846CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A5D1D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.272204205.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a5d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c711e3533947179f7f7ae92d7e31a875699e0e2ba27df89c40f2356ba43de4
Instruction ID: 4c2ab1e0618e379c296ba50b82b10f0ab3af891e543655eb9aca34d7348ff3bb
Opcode Fuzzy Hash: e6c711e3533947179f7f7ae92d7e31a875699e0e2ba27df89c40f2356ba43de4
Instruction Fuzzy Hash: 3421B176504280DFDB16CF50D9C4B5ABF72FB84314F24C6A9DC484B656C33AD85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A5D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.272204205.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a5d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc266a14d3ef7d67b01d83a3dd366f49f170e6375fe939ec088120573f0f532
Instruction ID: cda7e886cd39daff0708ea49a16c811c93a662bd44b075d84a93174ccba5863a
Opcode Fuzzy Hash: 5cc266a14d3ef7d67b01d83a3dd366f49f170e6375fe939ec088120573f0f532
Instruction Fuzzy Hash: 2611B176404280DFDB16CF14D5C4B56BF71FB94324F24C6A9DD054B616C336D85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 056E9F10 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c66364523382034d75a2a30424dedaf4b43c1f019b746efa3a881eed0eaed2
Instruction ID: 2490d4eff66d89105756d910092e34f8ecf43d03b60b24c42c96969a9d985c56
Opcode Fuzzy Hash: 55c66364523382034d75a2a30424dedaf4b43c1f019b746efa3a881eed0eaed2
Instruction Fuzzy Hash: E8015E7030B2009FDB24ABB58544BAA77DAAF45744F0444AEA90EC6B80EF35D902C795

Uniqueness

Uniqueness Score: -1.00%

Function 00A6D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.272232675.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4af9a06ffb61d74dcaa5232f3e705a97e1126696a135aabd0f2606d4194c68c
Instruction ID: 509164bcda61045c2ad41405f2d6d9b4775dd851c043a1b6269233f9def68905
Opcode Fuzzy Hash: a4af9a06ffb61d74dcaa5232f3e705a97e1126696a135aabd0f2606d4194c68c
Instruction Fuzzy Hash: 56119075904280DFDB11CF14D5C4B15FB71FB84318F24C6ADD84A4B656C33AD84ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A6D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.272232675.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4af9a06ffb61d74dcaa5232f3e705a97e1126696a135aabd0f2606d4194c68c
Instruction ID: ca10c04f0c21ce4fe5c7d7dfbb0f3f5f6958644cf20135a241e3a690c1286611
Opcode Fuzzy Hash: a4af9a06ffb61d74dcaa5232f3e705a97e1126696a135aabd0f2606d4194c68c
Instruction Fuzzy Hash: AE119DB5A04280DFDB12CF20D5D4B55FBB1FB84324F28C6ADD8494B656C33AD84ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 056EDF2C Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 719a098bafb9f360531ad14e74a7c2df685b66eb97decdff407cc1b835ea44e4
Instruction ID: bcfa572739589bce3e7bd09430053b7172c7e3616b31e3538b50dd6f96dd5cd5
Opcode Fuzzy Hash: 719a098bafb9f360531ad14e74a7c2df685b66eb97decdff407cc1b835ea44e4
Instruction Fuzzy Hash: D41123B1C016488FCB50CF9AC444BDEFBF8EB88224F14842AE859B3710D374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 056EDB10 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc4fcedd4336bd91e924ce5e09eb23d2d6f3d3612b6b18c85c96675048f71d73
Instruction ID: 22dfaca3ad3688b2b2d8887240d4fa96d8112c7039c0b87768fed40de41986e7
Opcode Fuzzy Hash: cc4fcedd4336bd91e924ce5e09eb23d2d6f3d3612b6b18c85c96675048f71d73
Instruction Fuzzy Hash: F61112B1C046488FCB50CF9AC444B9EFBF8EB48224F14842AE859A3710D374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 056EF358 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37be5a947b967dbbaf624724619041f58cc52b8b3935661e14afd2f446d7f500
Instruction ID: fe4a5faeaec5a97153c38a63e6f161a8f12abe1c60f0964c4d2a3efb12663e6e
Opcode Fuzzy Hash: 37be5a947b967dbbaf624724619041f58cc52b8b3935661e14afd2f446d7f500
Instruction Fuzzy Hash: E51122B59016488FCB20DF99D488BDEFBF8EB48324F10845AE919A7700C374A948CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 056E8DB0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef1d4daa2d758732f95d25b660d20a544889bd88acdc08c049098659393db49f
Instruction ID: 63ef2b67b6a481d34e42c8c8e5fd8df49a9476c61aec1da813f200599f1479d8
Opcode Fuzzy Hash: ef1d4daa2d758732f95d25b660d20a544889bd88acdc08c049098659393db49f
Instruction Fuzzy Hash: AD01B5303003105BE750AB68D416B9A72C6AB85708F10855DE48A8F7C7CFF66C8A87D1

Uniqueness

Uniqueness Score: -1.00%

Function 00A5D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.272204205.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a5d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bee63dbf7305a9ff754d8363f8cc8609a571804f71da8db28b630a3c49fd67f8
Instruction ID: f9609a6d86c7471572a3b655bf71c95f7bce105cde4ac71d23387d65af948306
Opcode Fuzzy Hash: bee63dbf7305a9ff754d8363f8cc8609a571804f71da8db28b630a3c49fd67f8
Instruction Fuzzy Hash: 4E0147750043C09AE7308B25CC84BAABBA8FF49339F18845AED041A642D378984CC6B1

Uniqueness

Uniqueness Score: -1.00%

Function 056E8EA0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b049099bbbe3e50b733575c03e985f2857bcfe899de2fe666c4400d0f750b6fc
Instruction ID: 67610a86ab6739fc7da4706aad4c8f81a6ac998ed665408dbeb4a2ccc759e10a
Opcode Fuzzy Hash: b049099bbbe3e50b733575c03e985f2857bcfe899de2fe666c4400d0f750b6fc
Instruction Fuzzy Hash: FC010431602B449BD724DF38D485A67B7F6FB85395B040E2AE096CBB44DB70E809CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 056E8B98 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb39f9a6d3486d4bf385d7194c5c7230a198392b0255cf70594ecb4e8f25e9bd
Instruction ID: 29a85a16140c4689acbccc305f5f028b8b64e87606d59f7e7b30836eccdd10e9
Opcode Fuzzy Hash: eb39f9a6d3486d4bf385d7194c5c7230a198392b0255cf70594ecb4e8f25e9bd
Instruction Fuzzy Hash: 5F116130202B9096D760AB78C414BCB77D6BF41308F004D1EE0DA1F796C7F6384887A1

Uniqueness

Uniqueness Score: -1.00%

Function 056EED80 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01d788a6b183309d7cc7fda6401637dd827b3dc75a4027dfba632c16edf18a74
Instruction ID: ee660934f7ee3b01049c326e071f11d23b0a9c2f3c2391a813c257d8050b9f85
Opcode Fuzzy Hash: 01d788a6b183309d7cc7fda6401637dd827b3dc75a4027dfba632c16edf18a74
Instruction Fuzzy Hash: 59F09071B021145F8F16A7A898558FEBABEEBC8A50B10002DE605A7380DA710E02C7EA

Uniqueness

Uniqueness Score: -1.00%

Function 00A5D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.272204205.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a5d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9cb276fdecf832eed67a5cae5708fc598151a2aa87e87e9591fc3fb40d58a5
Instruction ID: efba53e4139565da2ac127e91d39ceff8fd00f8707be79d0af360b95e5ef8dd1
Opcode Fuzzy Hash: 2f9cb276fdecf832eed67a5cae5708fc598151a2aa87e87e9591fc3fb40d58a5
Instruction Fuzzy Hash: 62F062714047849FEB208F15CC88B66FBA8EB55774F18C45AED085B686D3799C48CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 056E84B8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5768bec58f357302b18a2c854647e5cf1b4b16f7c9921d88e39b18c22187c396
Instruction ID: 63e905526f107306f6b13139dca5b711b5684f31e1dae767fc010bd60e440522
Opcode Fuzzy Hash: 5768bec58f357302b18a2c854647e5cf1b4b16f7c9921d88e39b18c22187c396
Instruction Fuzzy Hash: 38F0A03030062017EB1477688416F6A32CFAFC4B24F10816EB1968FBC6CEF69C424BE1

Uniqueness

Uniqueness Score: -1.00%

Function 056EDC30 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6913536b6b15b7934bb605264e26eb4bd56a7ebc7bec6654aa3a838dc08f874
Instruction ID: 93ab21789b4d3cc076c8f49dabfd6ccf856fa12ae74d500e65ab8ed7b207eaa4
Opcode Fuzzy Hash: e6913536b6b15b7934bb605264e26eb4bd56a7ebc7bec6654aa3a838dc08f874
Instruction Fuzzy Hash: 3EF0E5367001642B8F04EAB9D5555AFB39BEBC6258B00893AD81DCB740DF74AD4587E1

Uniqueness

Uniqueness Score: -1.00%

Function 056E85C0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d10448df40cfddb6d6a952c303100f56ea76e0943d76f4986549a9a3929210d
Instruction ID: d66b15c11af7216c26b1bbd66e13dd559edf720c100de29e8d2cb2a9823c4817
Opcode Fuzzy Hash: 3d10448df40cfddb6d6a952c303100f56ea76e0943d76f4986549a9a3929210d
Instruction Fuzzy Hash: 20F082353046108FCB14EF5AD45495AB3EABFCA611715449AE401C7775CA60EC45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 056E8830 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a17d40e5c85f309305a2511431f00ffda805dc28795ae0958e78abff07a1b08
Instruction ID: 982277d6b65c881d87ec4eb06c5a9fa8ff1e3919f1a0cc5043dedcfa92dfe74d
Opcode Fuzzy Hash: 1a17d40e5c85f309305a2511431f00ffda805dc28795ae0958e78abff07a1b08
Instruction Fuzzy Hash: A2F0FF31E126028BD35CDF6CE442A16BBE5FB05310B550AA6E068CF782D721E8C1CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 056D4DCC Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44029294e01d0948f01e61b136231289f49efcadf1513f65722cf95b3c1f272b
Instruction ID: 000c05b8c8a5449350d9c00cf8f35d6d8e3dbef786be8cc8684b3d566db41067
Opcode Fuzzy Hash: 44029294e01d0948f01e61b136231289f49efcadf1513f65722cf95b3c1f272b
Instruction Fuzzy Hash: 2E019374A401188FD758DF28C8989A9B7F1FF4A311F5094E5A60AA7261DB309E82CF50

Uniqueness

Uniqueness Score: -1.00%

Function 056D1DBD Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a2a8ec1e42b9958c4603e9be75e36ac3cdb5a36a3b6f4df5c352b47208c7a2
Instruction ID: 7c1057371e52b654e821b7e46004885cf1698ad17a9a77e16c21124a8c4dedc5
Opcode Fuzzy Hash: c5a2a8ec1e42b9958c4603e9be75e36ac3cdb5a36a3b6f4df5c352b47208c7a2
Instruction Fuzzy Hash: CE019034A401198FCB68DF24D998AACB7B1FF48311F1084E9DA0AA7765DB306EC2DF50

Uniqueness

Uniqueness Score: -1.00%

Function 056E8560 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdf1c315668cacd86833bb6212e7a644547eccc1c61698b670a4c389fbcaf94d
Instruction ID: c037749063bf9d764300b496a2f7e31bf8b98997eede90b74b6c66307906c936
Opcode Fuzzy Hash: fdf1c315668cacd86833bb6212e7a644547eccc1c61698b670a4c389fbcaf94d
Instruction Fuzzy Hash: C2F01C706117049B8B58DF28D45599977E5FB4A2183348AAEE029CF756EB72E803CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 056E8940 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1671971d8b63fa1aac952a914d762d6d80627b68ce8c2fa50deb589b4ae719f7
Instruction ID: e6da4d9974a17a7810e39022c26b8f18c9cdc3baaadafbdf4d2d1c06e9ccabdc
Opcode Fuzzy Hash: 1671971d8b63fa1aac952a914d762d6d80627b68ce8c2fa50deb589b4ae719f7
Instruction Fuzzy Hash: 98F065307406548BEB05B778D455B9A36D6AFC5718F0444ADE04A8B396CEF66C4087E1

Uniqueness

Uniqueness Score: -1.00%

Function 056D32FD Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc28bce3bbad846f0551195c681192193ca092d4af0060e69e6b4e5d30f7021d
Instruction ID: 97b133d97f96739fb8075393c1e4d99d68e4fcbc83aeca73e20248efda2e9724
Opcode Fuzzy Hash: dc28bce3bbad846f0551195c681192193ca092d4af0060e69e6b4e5d30f7021d
Instruction Fuzzy Hash: A601AF38E406188FCB69CF64C988AA9B7B5FF49305F1455E9E90DAB320D730AE81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 056D2474 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69f0734d3a2fcd9673e95ff50d241d8d1b773a6f8aa7416531c729db36ada4c
Instruction ID: 67f0b617983115bb15f95320b8f68f3509589b58cce31a2d64ceb98079b77b13
Opcode Fuzzy Hash: b69f0734d3a2fcd9673e95ff50d241d8d1b773a6f8aa7416531c729db36ada4c
Instruction Fuzzy Hash: 25F03734E10619CFC704DBA0DC48999B7B1BF89341F104696E00AAB2A1EB706AC5CA50

Uniqueness

Uniqueness Score: -1.00%

Function 056D3AB3 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 212914ba05afc68c16428657a1a653f2933ba90c9865c083eb9730c1a24d953f
Instruction ID: 84be2a69e09e19923029824b4186e25ef6cb0c202737b5f54f47c8e647d77755
Opcode Fuzzy Hash: 212914ba05afc68c16428657a1a653f2933ba90c9865c083eb9730c1a24d953f
Instruction Fuzzy Hash: 9AF0F930D106598FC718DF64CD486AEB7B1FF45341F105696D046B72A0EB70AAC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 056EDD14 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b43bc8b73c0e2f6d6c53738f5e8e6908ede5c9ada33e4ac362537bb4d6860e3d
Instruction ID: 3a91076de0cdb445ab3321434116f3d0d86908f561cea33dc399fdc74b8b67a2
Opcode Fuzzy Hash: b43bc8b73c0e2f6d6c53738f5e8e6908ede5c9ada33e4ac362537bb4d6860e3d
Instruction Fuzzy Hash: C7E0D8311021997BCB419F59D8009DF3F9DAF59215B008841F91486112C376D922D7F4

Uniqueness

Uniqueness Score: -1.00%

Function 056E87B0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a862952dd4132bf581e65a4d2bd9ae0c85fcff889d9eab42084c806b3f17540
Instruction ID: 244e91f252f5fb23254624bc989ac75b73892a2ee14572c9362eb0614c592dc2
Opcode Fuzzy Hash: 1a862952dd4132bf581e65a4d2bd9ae0c85fcff889d9eab42084c806b3f17540
Instruction Fuzzy Hash: A7E0172035422423FA0832A85862F6E12CB9FC4B19F1080AEF9069F7CBCCE69C010BE1

Uniqueness

Uniqueness Score: -1.00%

Function 056D3A9A Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49f066f3df61139eb4a06bad80417d3b78e1324af82e006675526c38c553060d
Instruction ID: 1dd510db75d0e193ad79498d14aee14b08d335a7ecae5037f17171f03c1dfc14
Opcode Fuzzy Hash: 49f066f3df61139eb4a06bad80417d3b78e1324af82e006675526c38c553060d
Instruction Fuzzy Hash: F4E02272E102428FC340CE64CA559EAFBB1FBA6270F082E96800697110FB315E83CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 056D45C1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c20737d46d0ce158e9e13daa2d11940ab39c46f05887ec00723fe0c44f1c7a2d
Instruction ID: e5111c044adbf917ecdc69ecd480e9643a604e027526d06e1fd3a69da42f43ec
Opcode Fuzzy Hash: c20737d46d0ce158e9e13daa2d11940ab39c46f05887ec00723fe0c44f1c7a2d
Instruction Fuzzy Hash: E3F0A030808609DACB14EB64C9454DDBB71FF45310F0056ABD45626580F7305A90DA60

Uniqueness

Uniqueness Score: -1.00%

Function 056EE240 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854011e5ad5d40783f32b15ee6e1f8c78323231096b98c21e6538754fa29274a
Instruction ID: 4faef538b784d1a8fc52f8d65602f120bf93694231083c6c6cafb724ad56bceb
Opcode Fuzzy Hash: 854011e5ad5d40783f32b15ee6e1f8c78323231096b98c21e6538754fa29274a
Instruction Fuzzy Hash: 4CE04F34611208EF8B00EFB4E94685CB7B9EB45314B10509AD80497318DF325E009B91

Uniqueness

Uniqueness Score: -1.00%

Function 056E9B78 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6499bb718f1ecf5e0dd422f390d869d467d9a387037d4b745187ea5956bc0ee1
Instruction ID: 50dedd8833c7dc81331d2992eb689b8d43c664393972fc88eb66997e17996592
Opcode Fuzzy Hash: 6499bb718f1ecf5e0dd422f390d869d467d9a387037d4b745187ea5956bc0ee1
Instruction Fuzzy Hash: C5E01270E16208AFC750EFF8D8582DDBBF4EB48304F5041A9C909E7750EB711A46C791

Uniqueness

Uniqueness Score: -1.00%

Function 056E8470 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e308e760e04fd3dee77a469f31af6328ee502b016baa55bfa223358c467fc6aa
Instruction ID: 491aed2af61e87dff01e8e3055891e148939127e65e5be8244d3e38b40de258f
Opcode Fuzzy Hash: e308e760e04fd3dee77a469f31af6328ee502b016baa55bfa223358c467fc6aa
Instruction Fuzzy Hash: 9EE0EC70905208ABDB80EFF898586DDBBF4EB44308F5042A9D809D3750EB306A45C792

Uniqueness

Uniqueness Score: -1.00%

Function 056E8728 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c99fc951e58726c0b27cd7380f4ce381d49ee00a4574e03b72a97017429070c
Instruction ID: 0135e4aa3ac6e241cd7f46718d422b5597dd0e9eb43785e45477198ba7dc4625
Opcode Fuzzy Hash: 1c99fc951e58726c0b27cd7380f4ce381d49ee00a4574e03b72a97017429070c
Instruction Fuzzy Hash: C7E0EC709062089FCB90FFF899592DDBBB4AB44304F6041A9C809E3750EB301A86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 056E88F8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c94b2a765efe7fadd70073f3f49e51c204f114577f7552e5100805e6c5ea90d2
Instruction ID: 444866b3e17188545f04810c2a183e09672342c5e89cef7689b6d08b65ec3722
Opcode Fuzzy Hash: c94b2a765efe7fadd70073f3f49e51c204f114577f7552e5100805e6c5ea90d2
Instruction Fuzzy Hash: 64E0EC70D052089FCB80EFFC99596EDBBF5BB48304F5041A9C80997750EB301A46C792

Uniqueness

Uniqueness Score: -1.00%

Function 056EAF60 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a91225162db549cf906bcb1694f18d8ac629b76528d5ea65882097f1108e3a
Instruction ID: 2de275a21b3b1aa1155cd1949a9bc4c9a3329eb47aa7d55ad2dac4aed49dfb1d
Opcode Fuzzy Hash: 99a91225162db549cf906bcb1694f18d8ac629b76528d5ea65882097f1108e3a
Instruction Fuzzy Hash: 25D0A93330021CAB4F4666E4A518CDEBBDBAB89610700802BE2068B320DE29ED54E7E4

Uniqueness

Uniqueness Score: -1.00%

Function 056D063A Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab15448ebf812c887d3a7ea731da376f47f02b991e8e51bc53ff37c4e1aa4402
Instruction ID: f1020a2765362bf59a02f6440c261e7a65876a4319391767bb54f8dfd19dbd21
Opcode Fuzzy Hash: ab15448ebf812c887d3a7ea731da376f47f02b991e8e51bc53ff37c4e1aa4402
Instruction Fuzzy Hash: D8E07574D05616CFCB68CF64CA58AAEF7B1BF4C301F1405E5D509A7615D734AE819F40

Uniqueness

Uniqueness Score: -1.00%

Function 056D02D7 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67f20976e7b0e0871522c33485bc6d9e10a0104e1308039a9d82b9313e8058c
Instruction ID: 48e52d6e8f316b90c1fd14fdaacc0487d7a3777b37d48ab07e2b9995121c4785
Opcode Fuzzy Hash: a67f20976e7b0e0871522c33485bc6d9e10a0104e1308039a9d82b9313e8058c
Instruction Fuzzy Hash: D3E0BF74A001198FC718DF55C6985ADBBF5FF49300F1055A59509A7265E7309D41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 056D14C3 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7daa8d7167d8da4b814836b60be6f0416a19cb38997ac7b7dc56d586ce3ad95
Instruction ID: b3df7965b6ce01163010375a5e9d7ec89e7b0c3b56b74bbe188519946f1ed5fd
Opcode Fuzzy Hash: e7daa8d7167d8da4b814836b60be6f0416a19cb38997ac7b7dc56d586ce3ad95
Instruction Fuzzy Hash: 48E0B638A141558FC718CF65D9889ADB7F2FF89350F1499A9951AAB220DB709E81CF00

Uniqueness

Uniqueness Score: -1.00%

Function 056D3373 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284937728.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aa39f7fccee3c2b9294184ed10dd199f9a06b3bd434d3a69fb55de05617c828
Instruction ID: a10906746c9c05554a605729c393be89b947eae68a8cf9c9c570c1ee5f1053e9
Opcode Fuzzy Hash: 8aa39f7fccee3c2b9294184ed10dd199f9a06b3bd434d3a69fb55de05617c828
Instruction Fuzzy Hash: 90D01230D05206CFCB04CF50C9041ADF7F1FB95320F1069569115A6180E77546818AD9

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00BCF3C0 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.272352426.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c9302d850bca6c1ee472d9c50f37b1108ea05489bdc1488135dd7535f7b9539
Instruction ID: da4d59e1c095ef5b6d8c13ab6535d80c3e10728454f75b8724d79d02c3d60325
Opcode Fuzzy Hash: 3c9302d850bca6c1ee472d9c50f37b1108ea05489bdc1488135dd7535f7b9539
Instruction Fuzzy Hash: 4812D3B1413F668BE310CF65EC983AD3BA1B745329B90430BD2691EAF4D7B8014AEF54

Uniqueness

Uniqueness Score: -1.00%

Function 00BCCB54 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.272352426.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d32c33988476ada0362789829da53345387b3dd7626d46773e5c938c4d82212
Instruction ID: 422aa5295b4447ea79531820342fe2edc4fe08dfcfb9dc31cab82bc8f88a5095
Opcode Fuzzy Hash: 8d32c33988476ada0362789829da53345387b3dd7626d46773e5c938c4d82212
Instruction Fuzzy Hash: E9A15136E00219CFCF15DFA5C844A9EBBF2FF85300B1585AAE915AB221DB31ED55CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00BCF3B0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.272352426.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cbcabed904ac4b57391b9be9e43474c7e445507084c85b244a9653e72ccf2bc
Instruction ID: 6fcdfb114a9e230371160caed47211306dc9072f4429fac87de959ec7e8a7952
Opcode Fuzzy Hash: 0cbcabed904ac4b57391b9be9e43474c7e445507084c85b244a9653e72ccf2bc
Instruction Fuzzy Hash: CEC127B1812B668BD710CF64EC983AD3BA1BB85328F51430BD1692F6F0D7B4108AEF54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exePID: 3736, Parent PID: 1100COMMON

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.9%
Total number of Nodes:	129
Total number of Limit Nodes:	10

Executed Functions

Function 063275F0 Relevance: 2.3, APIs: 1, Instructions: 760
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06327D78

Memory Dump Source

Source File: 00000006.00000002.508794719.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6320000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d9a5f85cc40e1ca2def37d3547887bf6e5e70104a1f8f53cb65c8d5d337ba82f
Instruction ID: 78b57e6ab9b3e9f5324efe336b7b6d7cf5f426863a64154fd4fac31c22665707
Opcode Fuzzy Hash: d9a5f85cc40e1ca2def37d3547887bf6e5e70104a1f8f53cb65c8d5d337ba82f
Instruction Fuzzy Hash: E8623C31E007198FDB64EF78C95569DB7B2AF89300F1085A9D54AAB350EF34AE85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0632DC88 Relevance: 1.7, APIs: 1, Instructions: 225
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0632DDA7

Memory Dump Source

Source File: 00000006.00000002.508794719.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6320000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c64b82a58088aff6359e69ee6720a98fa66e43ca52cefc0ef812c1913ddec44
Instruction ID: 3049daa9bb9c30f49935ed908a333f11187b5badd5d250ea114f43334aafd3e9
Opcode Fuzzy Hash: 3c64b82a58088aff6359e69ee6720a98fa66e43ca52cefc0ef812c1913ddec44
Instruction Fuzzy Hash: BB71E531F002169FCB54EBB4D884AEEB7A6EF85304F14893AD416DB285DF70D8058BE1

Uniqueness

Uniqueness Score: -1.00%

Function 063F8230 Relevance: 1.6, APIs: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.508863788.00000000063F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9fd8c2783036f55ea44d1d63ebf49ef761aef15718600a0962f2141e23ef540
Instruction ID: 94223befa0640ffaa786de16972ed74456362ce6f7925b80b0269ec6bb975ba8
Opcode Fuzzy Hash: a9fd8c2783036f55ea44d1d63ebf49ef761aef15718600a0962f2141e23ef540
Instruction Fuzzy Hash: 94410272D107458FCB04CFB9C8042EEBBF1EF89210F15896AD549E7651EB38A885CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0632D179 Relevance: 1.6, APIs: 1, Instructions: 114
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 0632D291

Memory Dump Source

Source File: 00000006.00000002.508794719.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6320000_RegSvcs.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8261150c3c8c604cb258c994ea51d9faf85fd4e822131d211c7cb64aa94c9b9d
Instruction ID: 92a54cbae3dd8f75a4c5426ee5179dffe14d25518a169eb71e4593e597c62ea1
Opcode Fuzzy Hash: 8261150c3c8c604cb258c994ea51d9faf85fd4e822131d211c7cb64aa94c9b9d
Instruction Fuzzy Hash: 184123B1E00359CFDB10CFA9C984A9EBBF5BF48310F15816AE819AB754D7749846CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0632CEC3 Relevance: 1.6, APIs: 1, Instructions: 108
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 0632CFD4

Memory Dump Source

Source File: 00000006.00000002.508794719.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6320000_RegSvcs.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a297e91d318a464dfe11c66ea2f29989d3628a63a3b8a787dc7c61a79123ef99
Instruction ID: e18b0147e2bd04229f778b2a13916c236a6829542f5f8f1a55430e5ed3f94e4d
Opcode Fuzzy Hash: a297e91d318a464dfe11c66ea2f29989d3628a63a3b8a787dc7c61a79123ef99
Instruction Fuzzy Hash: 084147B1E003899FDB50CF98C548B9EFBF5AF49314F28C16AE408AB751C7759849CB90

Uniqueness

Uniqueness Score: -1.00%

Function 029AC8E4 Relevance: 1.6, APIs: 1, Instructions: 90
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 029AC9BA

Memory Dump Source

Source File: 00000006.00000002.500992614.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_29a0000_RegSvcs.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f292bd4fae98f7e68f473176cd8e770c6cc2f42ffded7d6209d40b0aed36e716
Instruction ID: c0ff86095246cca82f54af2759d0b962b157c3063ba8ab7f6ea079603936870a
Opcode Fuzzy Hash: f292bd4fae98f7e68f473176cd8e770c6cc2f42ffded7d6209d40b0aed36e716
Instruction Fuzzy Hash: 993114B1D003499FDB14CFA8C8957AEBBB1BB48314F14852AE856AB380D7789486CF95

Uniqueness

Uniqueness Score: -1.00%

Function 029A9C5C Relevance: 1.6, APIs: 1, Instructions: 89
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 029AC9BA

Memory Dump Source

Source File: 00000006.00000002.500992614.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_29a0000_RegSvcs.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9f25b2b5e55ea7ad41631a4dfe3484b87a440547512ee18e303e6257d5a544d3
Instruction ID: d6bff3ed8b0891df82dcae5d29e20999ba20d22331027add89dcaac881c5ce7b
Opcode Fuzzy Hash: 9f25b2b5e55ea7ad41631a4dfe3484b87a440547512ee18e303e6257d5a544d3
Instruction Fuzzy Hash: AC3105B0D00349DFDB14CFA9C8957AEBBB5BB48314F14852AE816BB380D7749885CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0632C804 Relevance: 1.6, APIs: 1, Instructions: 88
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 0632D291

Memory Dump Source

Source File: 00000006.00000002.508794719.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6320000_RegSvcs.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ad48719b7888186dca55a35f646b84820e84d5be622b9faf43f84e2728c09f78
Instruction ID: 9e87f0baa6012663403ad133b2ff33eab44b0497b1852350d7dbea84e00dfe0e
Opcode Fuzzy Hash: ad48719b7888186dca55a35f646b84820e84d5be622b9faf43f84e2728c09f78
Instruction Fuzzy Hash: 1531CFB1D00269DFCB50CF9AC984ADEBBF5BF48314F14802AE819AB314D774A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06326174 Relevance: 1.6, APIs: 1, Instructions: 83
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 0632CFD4

Memory Dump Source

Source File: 00000006.00000002.508794719.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6320000_RegSvcs.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 888297f2f93fcad8404a9ebcdcb3867bfaecfac448e30ca1bfe30c039d3c76db
Instruction ID: 9ce77b473d96c4c119f0baa092520ed340bad04847397947293bdbd88c83741e
Opcode Fuzzy Hash: 888297f2f93fcad8404a9ebcdcb3867bfaecfac448e30ca1bfe30c039d3c76db
Instruction Fuzzy Hash: 303101B1D012899FDB50CF99C584ACEFBF5BF48314F28816AE408AB310C7759889CB94

Uniqueness

Uniqueness Score: -1.00%

Function 063FC3E4 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,063FCA06,?,?,?,?,?), ref: 063FCAC7

Memory Dump Source

Source File: 00000006.00000002.508863788.00000000063F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63f0000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2d93c892473fe15ea4c51308b349bc0affc84d22ccb38a16c6a7a5a13a52edac
Instruction ID: 00abb66f4e535014971b4ab469d6ccb79c96d757bcb3d575abd8c1b8e4ea4764
Opcode Fuzzy Hash: 2d93c892473fe15ea4c51308b349bc0affc84d22ccb38a16c6a7a5a13a52edac
Instruction Fuzzy Hash: 5B21E5B5D00248DFDF50CF9AD884AEEBBF4EB48324F14841AE914A3710D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 063FCA3A Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,063FCA06,?,?,?,?,?), ref: 063FCAC7

Memory Dump Source

Source File: 00000006.00000002.508863788.00000000063F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63f0000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fadaf3b8d97186952720d0b90bb04dc46d668a80779edf52c48137cbcbf9f6fa
Instruction ID: 57167cf893065f9bf1bdf6ba3ea942526f14e962eddd9b3f0160df4f1f668f93
Opcode Fuzzy Hash: fadaf3b8d97186952720d0b90bb04dc46d668a80779edf52c48137cbcbf9f6fa
Instruction Fuzzy Hash: 1C21E3B5D00248AFDB10CFAAD884ADEBBF4EB48324F14841AE914A3710D378A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 029A4CB8 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000), ref: 029A4D42

Memory Dump Source

Source File: 00000006.00000002.500992614.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_29a0000_RegSvcs.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 8f52f1faf7ec7739692124437d3709dc4ae0b9e6a15bbffe9e86948a3457a6a6
Instruction ID: 83664c124922d0c29d713cb00f27967ff2e2664f3ccf283f084d38526fd96e22
Opcode Fuzzy Hash: 8f52f1faf7ec7739692124437d3709dc4ae0b9e6a15bbffe9e86948a3457a6a6
Instruction Fuzzy Hash: 7E21C7B18013858FCB10DFA9CA5839EBFF4EB09328F14846AD449E7A40CB786845CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 063F8300 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,063F8282), ref: 063F836F

Memory Dump Source

Source File: 00000006.00000002.508863788.00000000063F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63f0000_RegSvcs.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 18cb57295495867e4529ee0417fd0f9439f54fb4339c64e3cdee1f209ffcff01
Instruction ID: 5f9dc37a24936572ba5c95ff7934e0b325ac2ae72579c34eac6c4eef52d58b22
Opcode Fuzzy Hash: 18cb57295495867e4529ee0417fd0f9439f54fb4339c64e3cdee1f209ffcff01
Instruction Fuzzy Hash: 3A1133B6C006598FCB00CFA9C9457EEFBB4AF48324F15852AD418B7640D338A945CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 063F6C20 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,063F8282), ref: 063F836F

Memory Dump Source

Source File: 00000006.00000002.508863788.00000000063F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63f0000_RegSvcs.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 6498494de44f32d6e19a090aa2a376c14a9534564d7dcb8af9adbf7c7460e754
Instruction ID: 0c2a37a49108fd9d47f8f4176e1e39736ef8e03553f8e420e2f026626f5542b2
Opcode Fuzzy Hash: 6498494de44f32d6e19a090aa2a376c14a9534564d7dcb8af9adbf7c7460e754
Instruction Fuzzy Hash: D11103B6C006599BCB10CF9AC8447EEFBB4AB48324F14812AD918B7650D778A945CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 029A4CC8 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 029A4D42

Memory Dump Source

Source File: 00000006.00000002.500992614.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_29a0000_RegSvcs.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 2c592bca6813a47d383255c7bb89ffe4855d5c424a2a5ed80a1d965d45722447
Instruction ID: ac34c776170c3146891099185819167c08c840d3a627b4e08739f447fc93cf6f
Opcode Fuzzy Hash: 2c592bca6813a47d383255c7bb89ffe4855d5c424a2a5ed80a1d965d45722447
Instruction Fuzzy Hash: E711A9B09003498FDB50DFA9CA5979EBBF8EB44328F108429D808B3A00DB786845CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 027BD974 Relevance: 1.1, Instructions: 1102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.500510127.00000000027BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27bd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13dac8a3e0da7b91ecc5a4f6a7169088b68aa7a2945e78ab86a2e62754402bd1
Instruction ID: d7d349566a12da763e0517f1482679d14c0ae3b52d719c475ec442559fc1c6e2
Opcode Fuzzy Hash: 13dac8a3e0da7b91ecc5a4f6a7169088b68aa7a2945e78ab86a2e62754402bd1
Instruction Fuzzy Hash: F542D3B284D3C19FD7434BB489613817FB1AF97224F5B44EBC4C0CA1A3E26D495ADB22

Uniqueness

Uniqueness Score: -1.00%

Function 027BD9B5 Relevance: 1.0, Instructions: 1016COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.500510127.00000000027BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27bd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded596a8a75247b5c773e6dfbbc5d20425147654408e568bf3cdb8d0a5cde336
Instruction ID: 4ef069085780dbdecfe45be1e368efe217c1a4c129b79b6a60fde3ef9217dd66
Opcode Fuzzy Hash: ded596a8a75247b5c773e6dfbbc5d20425147654408e568bf3cdb8d0a5cde336
Instruction Fuzzy Hash: E432D3B284D3C19FD7434BB489613817FB1AF97224F5B44EBC4C0CA1A3E26D495ADB22

Uniqueness

Uniqueness Score: -1.00%

Function 027BDCC1 Relevance: .8, Instructions: 752COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.500510127.00000000027BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27bd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d6132c8a68290efba284f84c8e6272352d3377d122bdd056c0ac1bc3b63e69
Instruction ID: d08cd11f393e6b388bd327e27e7258a0a1f696af121e0295489fb7aa11ca8b44
Opcode Fuzzy Hash: 28d6132c8a68290efba284f84c8e6272352d3377d122bdd056c0ac1bc3b63e69
Instruction Fuzzy Hash: 0702E5B284D3C19FD7434BB4C9617817FB1AF97224F1A44EBC4C1CA1A3E26D495ADB22

Uniqueness

Uniqueness Score: -1.00%

Function 054BF778 Relevance: .7, Instructions: 651COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.507939516.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 110a1c61a18eada2ed0b6fa713ef56b7377832de65b9c934078a1669e60e2233
Instruction ID: c9915f34459a8c7087ba72d6f773f9e651f84872756637cb9ebb320897f9c569
Opcode Fuzzy Hash: 110a1c61a18eada2ed0b6fa713ef56b7377832de65b9c934078a1669e60e2233
Instruction Fuzzy Hash: 5722D235F00244AFEB14EB74C8546EEB7B3AF85314F14856AD40A9B395EB74DC4ACBA0

Uniqueness

Uniqueness Score: -1.00%

Function 054BE0D2 Relevance: .5, Instructions: 511COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.507939516.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ebae810f57d1f3fc34de262c616e353d524816a9f3656391c30f849c416cb8
Instruction ID: 06531935e0a526c4fb06c6938ef3c25f67bb420fb5486563d424caf625edc322
Opcode Fuzzy Hash: 43ebae810f57d1f3fc34de262c616e353d524816a9f3656391c30f849c416cb8
Instruction Fuzzy Hash: B7223E34A0411C8FEB24EBA0C850BEEBB72EF85304F5080A9D10A6B765DF355E59EF65

Uniqueness

Uniqueness Score: -1.00%

Function 054BECBB Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.507939516.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 068b12eb9a0b931151dcdb321612431cb61e525a2671a0b64f82ccb586edcaf0
Instruction ID: 6e5744042013c58d927bb284912667da5926d3609102b446db00eb99ac882370
Opcode Fuzzy Hash: 068b12eb9a0b931151dcdb321612431cb61e525a2671a0b64f82ccb586edcaf0
Instruction Fuzzy Hash: 1FC1F975A001199FDB14CF68C9849EDBBF6BF89310F16809AE419AB361CB71EC85CB64

Uniqueness

Uniqueness Score: -1.00%

Function 054BE9A8 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.507939516.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d236a941968416dd8a13d42ee8f76373951f6481783b304a1a7b34b30e3769f8
Instruction ID: 324619cfc99238bcea1c1530dd1e9a268b734819955bce5860f1f3dd04b773e7
Opcode Fuzzy Hash: d236a941968416dd8a13d42ee8f76373951f6481783b304a1a7b34b30e3769f8
Instruction Fuzzy Hash: 2271E2717042048FEB299B64D894AEEBBBBBBC9750B1444AAE006CB391DF74DC528761

Uniqueness

Uniqueness Score: -1.00%

Function 054BF612 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.507939516.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5efa34cf877a06cab7c43083f5fbfb033c70aa167c460f839cc13dd09690bf3e
Instruction ID: ae656ff6327ee0899bff57ffba7d777ae2b2425cefe44a92c180d9b5e55989b9
Opcode Fuzzy Hash: 5efa34cf877a06cab7c43083f5fbfb033c70aa167c460f839cc13dd09690bf3e
Instruction Fuzzy Hash: BB41E4313041049FDB159F28DC54AFE7BA2EF89311B05446AF90ACB3A1CA74DD1BDB61

Uniqueness

Uniqueness Score: -1.00%

Function 054BF510 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.507939516.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88b11b05ac40c1baabcf5e8624750daacc58cb462bb5e68565cf8db4d1e0df08
Instruction ID: 5664fdc39a7d3d2ecd7a427bedefd8d89b0f39f0ef0ba765be9d31e37b826f21
Opcode Fuzzy Hash: 88b11b05ac40c1baabcf5e8624750daacc58cb462bb5e68565cf8db4d1e0df08
Instruction Fuzzy Hash: D431E571A04215AFDB00CFA9DC849EFBBB5FF89310B0044ABE509D7352D670DA46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 054BF078 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.507939516.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46692e60ea76f42f584c0539bf9ec29e45ae0fb2d723b53d609f8f5793e82acf
Instruction ID: 58163fa72bf21482ee56314b172d51d398c7cc4ea58741f1991736fe8052ac86
Opcode Fuzzy Hash: 46692e60ea76f42f584c0539bf9ec29e45ae0fb2d723b53d609f8f5793e82acf
Instruction Fuzzy Hash: D32141367045119FD714DA6CD894AAAB7E6FFC871071940BAE80ACB375DEB1DC068BA0

Uniqueness

Uniqueness Score: -1.00%

Function 054BF072 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.507939516.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bdee9351394c0b2087c279424c84f2d54c3054a2434c33e9828e1011e678a39
Instruction ID: ea83eda7b983569c53b7ffd65a31dde96bfab70b63f25494f729f6b4a1156e71
Opcode Fuzzy Hash: 2bdee9351394c0b2087c279424c84f2d54c3054a2434c33e9828e1011e678a39
Instruction Fuzzy Hash: 982160367045109FD714DE6CD894AAAB3E6FF8871071940AAE80ACB371DEB1DC068B50

Uniqueness

Uniqueness Score: -1.00%

Function 00DBD4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.500353124.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dbd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2d5c6f91d2c9e90cda67590136bc8af173062f49d41e728f4a3f2e1f06d3af2
Instruction ID: d38094f3badaa1f6a42cf1b5a107d92d0908e0bd150c43b5a9869f7216088027
Opcode Fuzzy Hash: f2d5c6f91d2c9e90cda67590136bc8af173062f49d41e728f4a3f2e1f06d3af2
Instruction Fuzzy Hash: 27213A71504240DFDB15CF10D9C0B9ABFA6FB89328F24856DE8060B356D336D849CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00DBD3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.500353124.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dbd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92c2d16928674a17eea20694a8f3d7ffc5a91e9c045f0108d90a6838faf03b2d
Instruction ID: 4d598b59bd38e86833cbf93477bc1942ea5a41c2939908a67bac4e84977bd3a0
Opcode Fuzzy Hash: 92c2d16928674a17eea20694a8f3d7ffc5a91e9c045f0108d90a6838faf03b2d
Instruction Fuzzy Hash: C42128B1500244EFDB05DF10D9C0BA6BF66FB94324F24C569E84A0B606D33AE84AC7B1

Uniqueness

Uniqueness Score: -1.00%

Function 027BE3F0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.500510127.00000000027BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27bd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b83e02f6d2edd95d16e4680e1e9b50fdf026edb4b42f89830daeed18773cda84
Instruction ID: b8d49322e768dd3faaa8cdf185d84e08eeee6adb3f3ca71eb8a13deecb16b67a
Opcode Fuzzy Hash: b83e02f6d2edd95d16e4680e1e9b50fdf026edb4b42f89830daeed18773cda84
Instruction Fuzzy Hash: C4212575604240EFDB02CF20D9C0BA6BB61FF88318F64C96DE8495B346C33AD846CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DBD4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.500353124.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dbd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc266a14d3ef7d67b01d83a3dd366f49f170e6375fe939ec088120573f0f532
Instruction ID: f22b85f008538a8dee6d1182eae56102b38057b40331cb36b7a9a4d693dc0197
Opcode Fuzzy Hash: 5cc266a14d3ef7d67b01d83a3dd366f49f170e6375fe939ec088120573f0f532
Instruction Fuzzy Hash: C611E976404280DFCF11CF10D5C4B56BFB2FB95324F28C6A9D8454B656C33AD856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DBD3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.500353124.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dbd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc266a14d3ef7d67b01d83a3dd366f49f170e6375fe939ec088120573f0f532
Instruction ID: fbd0f9772b8c234ae98f5271a073282819ba16dfe841d87cc3530a6ea0e7ed53
Opcode Fuzzy Hash: 5cc266a14d3ef7d67b01d83a3dd366f49f170e6375fe939ec088120573f0f532
Instruction Fuzzy Hash: A711E676404280DFCF06CF10D5C4B56BF72FB94324F28C6A9D8494B616C33AE85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 054BEB75 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.507939516.00000000054B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54b0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62b2c7dc3b5fd8a4a24048f605540aad20b08810f002aa03774a815d0441599b
Instruction ID: 55e64acb7feedeaddbd04c3cd21107c6ed7cd4cb8808e26e0f432a348050e9f3
Opcode Fuzzy Hash: 62b2c7dc3b5fd8a4a24048f605540aad20b08810f002aa03774a815d0441599b
Instruction Fuzzy Hash: EDD0677AB10008AFCB049F98E8408DDFB76FB98226B048116FA25A3660CB31A925DB50

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Variant.Lazy.207585.14889.25639

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Variant.Lazy.207585.14889.exe.log

C:\Windows\System32\drivers\etc\hosts

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
SecuriteInfo.com.Variant.Lazy.207585.14889.25639

Function 06DD0D4C Relevance: .9, Instructions: 931
COMMON

Function 00BCC5F8 Relevance: 6.1, APIs: 4, Instructions: 123
threadCOMMON

Function 00BCC608 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Function 00BCA328 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Function 00BCAB6D Relevance: 1.6, APIs: 1, Instructions: 65
libraryCOMMON

Function 00BCCC30 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 00BCCC38 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 00BC96F8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 056EDCD4 Relevance: 1.6, Strings: 1, Instructions: 300
COMMON

Function 00BCA508 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre