Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Analysis ID:	756189
MD5:	f976242274e3a8b6859f43212321e5cd
SHA1:	4de5d552dd1a3a7e2eb57a831d1819ada42b53ae
SHA256:	49aa45b9a4eb9642dc458e079196600823bc99b49c9003b4327261ba47b3ae7d
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Antivirus / Scanner detection for submitted sample

Tries to steal Mail credentials (via file / registry access)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Yara detected Generic Downloader

.NET source code contains very large array initializations

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Binary contains a suspicious time stamp

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe (PID: 3916 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe MD5: F976242274E3A8B6859F43212321E5CD)

SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe (PID: 4520 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe MD5: F976242274E3A8B6859F43212321E5CD)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "info2@obynnehhhan.com", "Password": "G$MUuYG3", "Host": "smtp.obynnehhhan.com"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x306fd:$a3: MailAccountConfiguration 0x30716:$a5: SmtpAccountConfiguration 0x306dd:$a8: set_BindingAccountConfiguration 0x2f67c:$a11: get_securityProfile 0x2f51d:$a12: get_useSeparateFolderTree 0x30e4f:$a13: get_DnsResolver 0x2f92c:$a14: get_archivingScope 0x2f754:$a15: get_providerName 0x31e2a:$a17: get_priority 0x31401:$a18: get_advancedParameters 0x30817:$a19: get_disabledByRestriction 0x2f2f6:$a20: get_LastAccessed 0x2f9c6:$a21: get_avatarType 0x31518:$a22: get_signaturePresets 0x2ffbc:$a23: get_enableLog 0x2f7d1:$a26: set_accountName 0x31963:$a27: set_InternalServerPort 0x2ec90:$a28: set_bindingConfigurationUID 0x314de:$a29: set_IdnAddress 0x31cde:$a30: set_GuidMasterKey 0x2f82c:$a31: set_username
00000001.00000002.510933505.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x20d3:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x2b36:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x1f68:$m4: %startupfolder%\%insfolder%\%insname%/\%insfolder%\Software\Microsoft\Windows\CurrentVersion\Run%insregname%SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\RunTruehttp 0x21f4:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x11c3ed:$a3: MailAccountConfiguration 0x151a0d:$a3: MailAccountConfiguration 0x186e2d:$a3: MailAccountConfiguration 0x11c406:$a5: SmtpAccountConfiguration 0x151a26:$a5: SmtpAccountConfiguration 0x186e46:$a5: SmtpAccountConfiguration 0x11c3cd:$a8: set_BindingAccountConfiguration 0x1519ed:$a8: set_BindingAccountConfiguration 0x186e0d:$a8: set_BindingAccountConfiguration 0x11b36c:$a11: get_securityProfile 0x15098c:$a11: get_securityProfile 0x185dac:$a11: get_securityProfile 0x11b20d:$a12: get_useSeparateFolderTree 0x15082d:$a12: get_useSeparateFolderTree 0x185c4d:$a12: get_useSeparateFolderTree 0x11cb3f:$a13: get_DnsResolver 0x15215f:$a13: get_DnsResolver 0x18757f:$a13: get_DnsResolver 0x11b61c:$a14: get_archivingScope 0x150c3c:$a14: get_archivingScope 0x18605c:$a14: get_archivingScope
00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 3916	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 3916	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 3916	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x17131:$a3: MailAccountConfiguration 0x1714a:$a5: SmtpAccountConfiguration 0x17111:$a8: set_BindingAccountConfiguration 0x1623b:$a11: get_securityProfile 0x160df:$a12: get_useSeparateFolderTree 0x177de:$a13: get_DnsResolver 0x164e7:$a14: get_archivingScope 0x16313:$a15: get_providerName 0x186a0:$a17: get_priority 0x17d63:$a18: get_advancedParameters 0x1724b:$a19: get_disabledByRestriction 0x15ee7:$a20: get_LastAccessed 0x16581:$a21: get_avatarType 0x17e7a:$a22: get_signaturePresets 0x16b1c:$a23: get_enableLog 0x16390:$a26: set_accountName 0x182a4:$a27: set_InternalServerPort 0x15cd4:$a28: set_bindingConfigurationUID 0x17e40:$a29: set_IdnAddress 0x1855e:$a30: set_GuidMasterKey 0x163eb:$a31: set_username
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x17b65:$s1: get_kbok 0x183f4:$s2: get_CHoo 0x18f85:$s3: set_passwordIsSet 0x17a11:$s4: get_enableLog 0x16eb3:$g1: get_Clipboard 0x16ec1:$g2: get_Keyboard 0x16ece:$g3: get_Password 0x182bf:$g4: get_CtrlKeyDown 0x182cf:$g5: get_ShiftKeyDown 0x182e0:$g6: get_AltKeyDown 0x1469:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x35ea:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x1ecc:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x404c:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x12fe:$m4: %startupfolder%\%insfolder%\%insname%/\%insfolder%\Software\Microsoft\Windows\CurrentVersion\Run%insregname%SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\RunTruehttp 0x347f:$m4: %startupfolder%\%insfolder%\%insname%/\%insfolder%\Software\Microsoft\Windows\CurrentVersion\Run%insregname%SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\RunTruehttp 0x158a:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera 0x370b:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x18026:$a3: MailAccountConfiguration 0x1803f:$a5: SmtpAccountConfiguration 0x18006:$a8: set_BindingAccountConfiguration 0x17130:$a11: get_securityProfile 0x16fd4:$a12: get_useSeparateFolderTree 0x186d3:$a13: get_DnsResolver 0x173dc:$a14: get_archivingScope 0x17208:$a15: get_providerName 0x19595:$a17: get_priority 0x18c58:$a18: get_advancedParameters 0x18140:$a19: get_disabledByRestriction 0x16ddc:$a20: get_LastAccessed 0x17476:$a21: get_avatarType 0x18d6f:$a22: get_signaturePresets 0x17a11:$a23: get_enableLog 0x17285:$a26: set_accountName 0x19199:$a27: set_InternalServerPort 0x16bc9:$a28: set_bindingConfigurationUID 0x18d35:$a29: set_IdnAddress 0x19453:$a30: set_GuidMasterKey 0x172e0:$a31: set_username
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2e5b8:$s1: get_kbok 0x2eefb:$s2: get_CHoo 0x2fb49:$s3: set_passwordIsSet 0x2e3bc:$s4: get_enableLog 0x32a1c:$s8: torbrowser 0x313f8:$s10: logins 0x30d70:$s11: credential 0x2d7e1:$g1: get_Clipboard 0x2d7ef:$g2: get_Keyboard 0x2d7fc:$g3: get_Password 0x2ed9a:$g4: get_CtrlKeyDown 0x2edaa:$g5: get_ShiftKeyDown 0x2edbb:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2eafd:$a3: MailAccountConfiguration 0x2eb16:$a5: SmtpAccountConfiguration 0x2eadd:$a8: set_BindingAccountConfiguration 0x2da7c:$a11: get_securityProfile 0x2d91d:$a12: get_useSeparateFolderTree 0x2f24f:$a13: get_DnsResolver 0x2dd2c:$a14: get_archivingScope 0x2db54:$a15: get_providerName 0x3022a:$a17: get_priority 0x2f801:$a18: get_advancedParameters 0x2ec17:$a19: get_disabledByRestriction 0x2d6f6:$a20: get_LastAccessed 0x2ddc6:$a21: get_avatarType 0x2f918:$a22: get_signaturePresets 0x2e3bc:$a23: get_enableLog 0x2dbd1:$a26: set_accountName 0x2fd63:$a27: set_InternalServerPort 0x2d090:$a28: set_bindingConfigurationUID 0x2f8de:$a29: set_IdnAddress 0x300de:$a30: set_GuidMasterKey 0x2dc2c:$a31: set_username
1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x303b8:$s1: get_kbok 0x30cfb:$s2: get_CHoo 0x31949:$s3: set_passwordIsSet 0x301bc:$s4: get_enableLog 0x3481c:$s8: torbrowser 0x331f8:$s10: logins 0x32b70:$s11: credential 0x2f5e1:$g1: get_Clipboard 0x2f5ef:$g2: get_Keyboard 0x2f5fc:$g3: get_Password 0x30b9a:$g4: get_CtrlKeyDown 0x30baa:$g5: get_ShiftKeyDown 0x30bbb:$g6: get_AltKeyDown
1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x308fd:$a3: MailAccountConfiguration 0x30916:$a5: SmtpAccountConfiguration 0x308dd:$a8: set_BindingAccountConfiguration 0x2f87c:$a11: get_securityProfile 0x2f71d:$a12: get_useSeparateFolderTree 0x3104f:$a13: get_DnsResolver 0x2fb2c:$a14: get_archivingScope 0x2f954:$a15: get_providerName 0x3202a:$a17: get_priority 0x31601:$a18: get_advancedParameters 0x30a17:$a19: get_disabledByRestriction 0x2f4f6:$a20: get_LastAccessed 0x2fbc6:$a21: get_avatarType 0x31718:$a22: get_signaturePresets 0x301bc:$a23: get_enableLog 0x2f9d1:$a26: set_accountName 0x31b63:$a27: set_InternalServerPort 0x2ee90:$a28: set_bindingConfigurationUID 0x316de:$a29: set_IdnAddress 0x31ede:$a30: set_GuidMasterKey 0x2fa2c:$a31: set_username
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2e5b8:$s1: get_kbok 0x2eefb:$s2: get_CHoo 0x2fb49:$s3: set_passwordIsSet 0x2e3bc:$s4: get_enableLog 0x32a1c:$s8: torbrowser 0x313f8:$s10: logins 0x30d70:$s11: credential 0x2d7e1:$g1: get_Clipboard 0x2d7ef:$g2: get_Keyboard 0x2d7fc:$g3: get_Password 0x2ed9a:$g4: get_CtrlKeyDown 0x2edaa:$g5: get_ShiftKeyDown 0x2edbb:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2eafd:$a3: MailAccountConfiguration 0x2eb16:$a5: SmtpAccountConfiguration 0x2eadd:$a8: set_BindingAccountConfiguration 0x2da7c:$a11: get_securityProfile 0x2d91d:$a12: get_useSeparateFolderTree 0x2f24f:$a13: get_DnsResolver 0x2dd2c:$a14: get_archivingScope 0x2db54:$a15: get_providerName 0x3022a:$a17: get_priority 0x2f801:$a18: get_advancedParameters 0x2ec17:$a19: get_disabledByRestriction 0x2d6f6:$a20: get_LastAccessed 0x2ddc6:$a21: get_avatarType 0x2f918:$a22: get_signaturePresets 0x2e3bc:$a23: get_enableLog 0x2dbd1:$a26: set_accountName 0x2fd63:$a27: set_InternalServerPort 0x2d090:$a28: set_bindingConfigurationUID 0x2f8de:$a29: set_IdnAddress 0x300de:$a30: set_GuidMasterKey 0x2dc2c:$a31: set_username
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x303b8:$s1: get_kbok 0x659d8:$s1: get_kbok 0x9adf8:$s1: get_kbok 0x30cfb:$s2: get_CHoo 0x6631b:$s2: get_CHoo 0x9b73b:$s2: get_CHoo 0x31949:$s3: set_passwordIsSet 0x66f69:$s3: set_passwordIsSet 0x9c389:$s3: set_passwordIsSet 0x301bc:$s4: get_enableLog 0x657dc:$s4: get_enableLog 0x9abfc:$s4: get_enableLog 0x3481c:$s8: torbrowser 0x69e3c:$s8: torbrowser 0x9f25c:$s8: torbrowser 0x331f8:$s10: logins 0x68818:$s10: logins 0x9dc38:$s10: logins 0x32b70:$s11: credential 0x68190:$s11: credential 0x9d5b0:$s11: credential
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x100b0b:$s1: file:/// 0x100a1b:$s2: {11111-22222-10009-11112} 0x100a9b:$s3: {11111-22222-50001-00000} 0xffc4d:$s4: get_Module 0x2fcb4:$s5: Reverse 0x652d4:$s5: Reverse 0x9a6f4:$s5: Reverse 0xfffc8:$s5: Reverse 0x31f8d:$s6: BlockCopy 0x675ad:$s6: BlockCopy 0x9c9cd:$s6: BlockCopy 0xfb194:$s6: BlockCopy 0x2ff26:$s7: ReadByte 0x65546:$s7: ReadByte 0x9a966:$s7: ReadByte 0x100b1d:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x308fd:$a3: MailAccountConfiguration 0x65f1d:$a3: MailAccountConfiguration 0x9b33d:$a3: MailAccountConfiguration 0x30916:$a5: SmtpAccountConfiguration 0x65f36:$a5: SmtpAccountConfiguration 0x9b356:$a5: SmtpAccountConfiguration 0x308dd:$a8: set_BindingAccountConfiguration 0x65efd:$a8: set_BindingAccountConfiguration 0x9b31d:$a8: set_BindingAccountConfiguration 0x2f87c:$a11: get_securityProfile 0x64e9c:$a11: get_securityProfile 0x9a2bc:$a11: get_securityProfile 0x2f71d:$a12: get_useSeparateFolderTree 0x64d3d:$a12: get_useSeparateFolderTree 0x9a15d:$a12: get_useSeparateFolderTree 0x3104f:$a13: get_DnsResolver 0x6666f:$a13: get_DnsResolver 0x9ba8f:$a13: get_DnsResolver 0x2fb2c:$a14: get_archivingScope 0x6514c:$a14: get_archivingScope 0x9a56c:$a14: get_archivingScope
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x303b8:$s1: get_kbok 0x657d8:$s1: get_kbok 0x30cfb:$s2: get_CHoo 0x6611b:$s2: get_CHoo 0x31949:$s3: set_passwordIsSet 0x66d69:$s3: set_passwordIsSet 0x301bc:$s4: get_enableLog 0x655dc:$s4: get_enableLog 0x3481c:$s8: torbrowser 0x69c3c:$s8: torbrowser 0x331f8:$s10: logins 0x68618:$s10: logins 0x32b70:$s11: credential 0x67f90:$s11: credential 0x2f5e1:$g1: get_Clipboard 0x64a01:$g1: get_Clipboard 0x2f5ef:$g2: get_Keyboard 0x64a0f:$g2: get_Keyboard 0x2f5fc:$g3: get_Password 0x64a1c:$g3: get_Password 0x30b9a:$g4: get_CtrlKeyDown
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xcb4eb:$s1: file:/// 0xcb3fb:$s2: {11111-22222-10009-11112} 0xcb47b:$s3: {11111-22222-50001-00000} 0xca62d:$s4: get_Module 0x2fcb4:$s5: Reverse 0x650d4:$s5: Reverse 0xca9a8:$s5: Reverse 0x31f8d:$s6: BlockCopy 0x673ad:$s6: BlockCopy 0xc5b74:$s6: BlockCopy 0x2ff26:$s7: ReadByte 0x65346:$s7: ReadByte 0xcb4fd:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x308fd:$a3: MailAccountConfiguration 0x65d1d:$a3: MailAccountConfiguration 0x30916:$a5: SmtpAccountConfiguration 0x65d36:$a5: SmtpAccountConfiguration 0x308dd:$a8: set_BindingAccountConfiguration 0x65cfd:$a8: set_BindingAccountConfiguration 0x2f87c:$a11: get_securityProfile 0x64c9c:$a11: get_securityProfile 0x2f71d:$a12: get_useSeparateFolderTree 0x64b3d:$a12: get_useSeparateFolderTree 0x3104f:$a13: get_DnsResolver 0x6646f:$a13: get_DnsResolver 0x2fb2c:$a14: get_archivingScope 0x64f4c:$a14: get_archivingScope 0x2f954:$a15: get_providerName 0x64d74:$a15: get_providerName 0x3202a:$a17: get_priority 0x6744a:$a17: get_priority 0x31601:$a18: get_advancedParameters 0x66a21:$a18: get_advancedParameters 0x30a17:$a19: get_disabledByRestriction
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x8ddd8:$s1: get_kbok 0xc33f8:$s1: get_kbok 0xf8818:$s1: get_kbok 0x8e71b:$s2: get_CHoo 0xc3d3b:$s2: get_CHoo 0xf915b:$s2: get_CHoo 0x8f369:$s3: set_passwordIsSet 0xc4989:$s3: set_passwordIsSet 0xf9da9:$s3: set_passwordIsSet 0x8dbdc:$s4: get_enableLog 0xc31fc:$s4: get_enableLog 0xf861c:$s4: get_enableLog 0x9223c:$s8: torbrowser 0xc785c:$s8: torbrowser 0xfcc7c:$s8: torbrowser 0x90c18:$s10: logins 0xc6238:$s10: logins 0xfb658:$s10: logins 0x90590:$s11: credential 0xc5bb0:$s11: credential 0xfafd0:$s11: credential
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x15e52b:$s1: file:/// 0x15e43b:$s2: {11111-22222-10009-11112} 0x15e4bb:$s3: {11111-22222-50001-00000} 0x15d66d:$s4: get_Module 0x8d6d4:$s5: Reverse 0xc2cf4:$s5: Reverse 0xf8114:$s5: Reverse 0x15d9e8:$s5: Reverse 0x8f9ad:$s6: BlockCopy 0xc4fcd:$s6: BlockCopy 0xfa3ed:$s6: BlockCopy 0x158bb4:$s6: BlockCopy 0x8d946:$s7: ReadByte 0xc2f66:$s7: ReadByte 0xf8386:$s7: ReadByte 0x15e53d:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x8e31d:$a3: MailAccountConfiguration 0xc393d:$a3: MailAccountConfiguration 0xf8d5d:$a3: MailAccountConfiguration 0x8e336:$a5: SmtpAccountConfiguration 0xc3956:$a5: SmtpAccountConfiguration 0xf8d76:$a5: SmtpAccountConfiguration 0x8e2fd:$a8: set_BindingAccountConfiguration 0xc391d:$a8: set_BindingAccountConfiguration 0xf8d3d:$a8: set_BindingAccountConfiguration 0x8d29c:$a11: get_securityProfile 0xc28bc:$a11: get_securityProfile 0xf7cdc:$a11: get_securityProfile 0x8d13d:$a12: get_useSeparateFolderTree 0xc275d:$a12: get_useSeparateFolderTree 0xf7b7d:$a12: get_useSeparateFolderTree 0x8ea6f:$a13: get_DnsResolver 0xc408f:$a13: get_DnsResolver 0xf94af:$a13: get_DnsResolver 0x8d54c:$a14: get_archivingScope 0xc2b6c:$a14: get_archivingScope 0xf7f8c:$a14: get_archivingScope
Click to see the 26 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	ReversingLabs: Detection: 24%
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Virustotal: Detection: 30%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Avira: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Joe Sandbox ML: detected

Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info2@obynnehhhan.com", "Password": "G$MUuYG3", "Host": "smtp.obynnehhhan.com"}

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPE

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://PcwsIt.com
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286227927.0000000000E97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286227927.0000000000E97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com_
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286227927.0000000000E97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comrsiva
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286227927.0000000000E97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comue9
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000003.252715733.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000003.252922345.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000003.252715733.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/aCo
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510896649.0000000002AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.285593819.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 3916, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520, type: MEMORYSTR	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

.NET source code contains very large array initializations

Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b06A21515u002dB589u002d4A9Cu002dA54Au002d22BA57400E29u007d/u0034CB1A907u002dEAC2u002d4C09u002d9297u002dEDA94E30EAD5.cs

Large array initialization: .cctor: array initializer size 11778

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 3916, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520, type: MEMORYSTR	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 0_2_00E7C1F4	0_2_00E7C1F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 0_2_00E7E640	0_2_00E7E640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 0_2_00E7E650	0_2_00E7E650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 0_2_070F38B0	0_2_070F38B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 0_2_070F38C0	0_2_070F38C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 0_2_072B001A	0_2_072B001A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 0_2_072B0040	0_2_072B0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C2C848	1_2_00C2C848
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C22618	1_2_00C22618
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C21FF0	1_2_00C21FF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C2F5B0	1_2_00C2F5B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C29DB8	1_2_00C29DB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C4CB00	1_2_00C4CB00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C49470	1_2_00C49470
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C44C0C	1_2_00C44C0C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C43550	1_2_00C43550
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C4A8E0	1_2_00C4A8E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C4E0E8	1_2_00C4E0E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C40040	1_2_00C40040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C40BA8	1_2_00C40BA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00F94E60	1_2_00F94E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00F9B0E8	1_2_00F9B0E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00F96580	1_2_00F96580
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_010E46A0	1_2_010E46A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_010E45B0	1_2_010E45B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_010E4672	1_2_010E4672
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_010E4690	1_2_010E4690

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamexYhphEgZvlyOIRayjZxngr.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000000.241444260.0000000000512000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamezaNJ.exe6 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.300732780.0000000007100000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286913157.0000000002991000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePrecision.dll6 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286913157.0000000002991000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInspector.dllN vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286913157.0000000002991000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamexYhphEgZvlyOIRayjZxngr.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.285593819.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.506084189.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000000.284033383.0000000000438000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamexYhphEgZvlyOIRayjZxngr.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Binary or memory string: OriginalFilenamezaNJ.exe6 vs SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	ReversingLabs: Detection: 24%
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Virustotal: Detection: 30%

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/0

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.511302808.0000000002B11000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

.NET source code contains potential unpacker

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.510000.0.unpack, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 0_2_070F0015 push eax; iretd	0_2_070F0016
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C27A37 push edi; retn 0000h	1_2_00C27A39
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C4DA58 pushfd ; ret	1_2_00C4DA59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00C47DC9 push 8BFFFFFFh; retf	1_2_00C47DD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00F90434 push eax; ret	1_2_00F90442
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00F9A651 push es; ret	1_2_00F9A67E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Code function: 1_2_00F90DD0 push 3C00F8CBh; retf	1_2_00F90DD5

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Static PE information: 0xC6C06793 [Sat Aug 31 17:29:55 2075 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.59561068934023

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 3916, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe TID: 2888	Thread sleep time: -38122s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe TID: 6076	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe TID: 3092	Thread sleep time: -23058430092136925s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe TID: 3372	Thread sleep count: 9862 > 30	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Window / User API: threadDelayed 9862

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Thread delayed: delay time: 38122	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Code function: 1_2_00C4C8C0 LdrInitializeThunk,

1_2_00C4C8C0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.510933505.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 3916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match	File source: 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cbaaf0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3cf0110.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.3c5d0d0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.510933505.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 3916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe PID: 4520, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	Path Interception	111 Process Injection	1 Masquerading	1 OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	1 Input Capture	1 Process Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	1 Data from Local System	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	114 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	13 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	24%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	31%	Virustotal		Browse
SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	100%	Avira	HEUR/AGEN.1249296
SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.510000.0.unpack	100%	Avira	HEUR/AGEN.1249296		Download File
1.0.SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.fontbureau.com_	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/aCo	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.comrsiva	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://www.fontbureau.comue9	0%	URL Reputation	safe
http://PcwsIt.com	0%	Virustotal		Browse
http://PcwsIt.com	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.apache.org/licenses/LICENSE-2.0	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286227927.0000000000E97000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://DynDns.comDynDNS	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/aCo	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000003.252922345.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000003.252715733.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com_	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286227927.0000000000E97000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	low
http://www.sajatypeworks.com	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000003.252715733.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comrsiva	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286227927.0000000000E97000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org%GETMozilla/5.0	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	low
http://www.fonts.com	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://PcwsIt.com	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.sakkal.com	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.298799636.0000000006A02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org%	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000002.510896649.0000000002AC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comue9	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe, 00000000.00000002.286227927.0000000000E97000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756189
Start date and time:	2022-11-29 19:34:38 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 94% Number of executed functions: 85 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:35:47	API Interceptor	570x Sleep call for process: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe modified

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.590447173134643
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
File size:	836608
MD5:	f976242274e3a8b6859f43212321e5cd
SHA1:	4de5d552dd1a3a7e2eb57a831d1819ada42b53ae
SHA256:	49aa45b9a4eb9642dc458e079196600823bc99b49c9003b4327261ba47b3ae7d
SHA512:	de657d8cb7ee401139a414964c333053bc6570e1d29b4125cdc440dc61637b0597ee4c1bb0eafd5a8855727bc6089430e3b80c457c6c5a19ce1ef2f769957b80
SSDEEP:	12288:oOvpYqjMN+3gYffB411R77TeB3EqcDFRLJtXsxFXynzw5tkD3twn:3Yqy+t8N7qNEtFRLJtXsxkc5aD9
TLSH:	70053A2297B1C906F93389ED62EC5A114DA821C148B4C949CC573DC15E78E6BF4FCAFA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....g................0.................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4cda92
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xC6C06793 [Sat Aug 31 17:29:55 2075 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcda40	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xce000	0x370	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xcda24	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xcba98	0xcbc00	False	0.7869320360429448	data	7.59561068934023	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xce000	0x370	0x400	False	0.3662109375	data	2.781211359728944	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd0000	0xc	0x200	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xce058	0x314	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	19:35:34
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Imagebase:	0x510000
File size:	836608 bytes
MD5 hash:	F976242274E3A8B6859F43212321E5CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.293904682.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.290098230.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	19:35:54
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe
Imagebase:	0x610000
File size:	836608 bytes
MD5 hash:	F976242274E3A8B6859F43212321E5CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000000.283863668.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.510933505.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000001.00000002.510085128.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	128
Total number of Limit Nodes:	7

Executed Functions

Function 00E7B760 Relevance: 6.2, APIs: 4, Instructions: 150
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E7B7D0
GetCurrentThread.KERNEL32 ref: 00E7B80D
GetCurrentProcess.KERNEL32 ref: 00E7B84A
GetCurrentThreadId.KERNEL32 ref: 00E7B8A3

Memory Dump Source

Source File: 00000000.00000002.286143057.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b7d23e0652492c8826e436e3be96ba25f6c544ac777ce2e08f280a6adc1af9b0
Instruction ID: fa51a7d29cab2a676d4b7cb0e443dd638df504a5a1ffbe1e48befb3fd0752500
Opcode Fuzzy Hash: b7d23e0652492c8826e436e3be96ba25f6c544ac777ce2e08f280a6adc1af9b0
Instruction Fuzzy Hash: 4F6148B0E04249DFDB54CFA9D948BEEBBF1AF88308F14855AE409B7290D7705949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E7B770 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E7B7D0
GetCurrentThread.KERNEL32 ref: 00E7B80D
GetCurrentProcess.KERNEL32 ref: 00E7B84A
GetCurrentThreadId.KERNEL32 ref: 00E7B8A3

Memory Dump Source

Source File: 00000000.00000002.286143057.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2082a55f05ae50d0e541f41c6ef42873444101a8287ed0308a553267ad262dff
Instruction ID: 9e3ab49f2ef3233fdb0f5035c0b3b73383f2fcd2ebe804bf17b447456a9276f7
Opcode Fuzzy Hash: 2082a55f05ae50d0e541f41c6ef42873444101a8287ed0308a553267ad262dff
Instruction Fuzzy Hash: 645154B09043488FDB14CFA9D548BAEBBF5BF88308F24C45AE419B7250D774A844CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 070FBE30 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070FC066

Memory Dump Source

Source File: 00000000.00000002.300678555.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70f0000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 61103b9dfdb93238a8f2a0e8a63ffd2d309b93b6d0ec6ce656d4c063d72a3667
Instruction ID: 00520cdd0cb91e6259aefa6787fb1a82b8bbe3db47ce68ca8c3b32d4c3eaea85
Opcode Fuzzy Hash: 61103b9dfdb93238a8f2a0e8a63ffd2d309b93b6d0ec6ce656d4c063d72a3667
Instruction Fuzzy Hash: F0914BB1D00219CFEB24CF64C8817EEBAB2BF89314F058669D949A7680D7749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E79470 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E796B6

Memory Dump Source

Source File: 00000000.00000002.286143057.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6626918a6ea49fe8e38f51f597c9ea4cb72c0015be87a46d5a4363ca83e36403
Instruction ID: 30dc516ff11445cf1a978026a1c2db3d496d55fb246f03048f44010b79b6e59b
Opcode Fuzzy Hash: 6626918a6ea49fe8e38f51f597c9ea4cb72c0015be87a46d5a4363ca83e36403
Instruction Fuzzy Hash: 73715A70A00B158FDB24DF29D14575ABBF1BF88308F108A2ED44AE7A51D734E805CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E7FDCD Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00E7FEEA

Memory Dump Source

Source File: 00000000.00000002.286143057.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2021b4d0715c52c28cfd7cba01bc0fecb9be4de29eefda3b142b8e32d429d397
Instruction ID: 45b2f985a8d9872869931682dbe085a7211e2b37d7c2bed27ccbf925cc883472
Opcode Fuzzy Hash: 2021b4d0715c52c28cfd7cba01bc0fecb9be4de29eefda3b142b8e32d429d397
Instruction Fuzzy Hash: F451BFB1D003499FDB14CFA9D884ADEBBB5BF88354F24822AE419AB250D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E7FDD8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00E7FEEA

Memory Dump Source

Source File: 00000000.00000002.286143057.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 1476f233608c9b12f3f0bdba014a1880fc531bca6a35e8fc85f559223f74d4c4
Instruction ID: 15ffa539bfb1609569c0733ec074aa56d78fba217be7776c39a6b678e816fff2
Opcode Fuzzy Hash: 1476f233608c9b12f3f0bdba014a1880fc531bca6a35e8fc85f559223f74d4c4
Instruction Fuzzy Hash: 9E41CFB1D00309DFDB14CF99D884ADEBBB5BF88354F24812AE819AB250D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E75365 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E75421

Memory Dump Source

Source File: 00000000.00000002.286143057.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 339f472853a439bfd7721e58430433ed3f40f6663addd2477d20a2eebe3983e3
Instruction ID: 7739ca982544907c731a7472436daa649041633049248b0c90920aeadfff7cdb
Opcode Fuzzy Hash: 339f472853a439bfd7721e58430433ed3f40f6663addd2477d20a2eebe3983e3
Instruction Fuzzy Hash: BB411671D04628CFDB24CFA5C884BDDBBB5BF89308F14806AD409BB251DBB56946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E73E4C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E75421

Memory Dump Source

Source File: 00000000.00000002.286143057.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b2608579350feaf2a4ea6f4b6cd19684f1049892d7924d9c2a604a49ef5dfba2
Instruction ID: aecd4b5660382f94fb33835f3df81a01df68b9c30bda14879eabd9b7fa09c91e
Opcode Fuzzy Hash: b2608579350feaf2a4ea6f4b6cd19684f1049892d7924d9c2a604a49ef5dfba2
Instruction Fuzzy Hash: C641D271C04618CBDB24CFA9C848B9EBBB5BF89308F14815AD419BB251DBB56985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 070FBB18 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070FBBA8

Memory Dump Source

Source File: 00000000.00000002.300678555.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70f0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8019d645f6745b96a43e356b7f4ca0176ca01390caec1f92890ced4614541d06
Instruction ID: a0549e5910a24c0eae8e19c255226e793d26a46ddb1921637a3da84a8f141f53
Opcode Fuzzy Hash: 8019d645f6745b96a43e356b7f4ca0176ca01390caec1f92890ced4614541d06
Instruction Fuzzy Hash: 572126B19003599FCB00CFA9C884BEEBBF5EB88354F10842AE919A7640D7789944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E7B992 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E7BA1F

Memory Dump Source

Source File: 00000000.00000002.286143057.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 09036bcee81ff21dbeef4f00ff6115ff1001fa5beebd27f5731b2a655c1b59c5
Instruction ID: 07a01db71a3e435dc4777bba23b7f3e62bfe7b59623115d6f93871a396a55b39
Opcode Fuzzy Hash: 09036bcee81ff21dbeef4f00ff6115ff1001fa5beebd27f5731b2a655c1b59c5
Instruction Fuzzy Hash: 892103B5900248EFCB10CFA9D884AEEBFF4EF48324F14841AE854B7250D374A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 070FBC38 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070FBCB8

Memory Dump Source

Source File: 00000000.00000002.300678555.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70f0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d42ad99e976cf50605d25192974d29b059e7c32f718ecfbd172b972b8180976d
Instruction ID: 42148c9ede676c88e6a1c43f509193fbe18a1d8464d2a95a61080dae54bcf5f2
Opcode Fuzzy Hash: d42ad99e976cf50605d25192974d29b059e7c32f718ecfbd172b972b8180976d
Instruction Fuzzy Hash: 0C214AB18003599FCB00CFA9C8807EEBBF5FF88314F50842AE518A7240D7349900CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 070FB890 Relevance: 1.6, APIs: 1, Instructions: 63
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 070FB90E

Memory Dump Source

Source File: 00000000.00000002.300678555.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70f0000_SecuriteInfo.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: d58918098ac6d54882fd1915c91712bf89562c46c6c3b93e562c0fb44a08981a
Instruction ID: 027a6d930d4597120cb77588aaa61d43a36784aa0d91cf30dacfa4f4fa475e9e
Opcode Fuzzy Hash: d58918098ac6d54882fd1915c91712bf89562c46c6c3b93e562c0fb44a08981a
Instruction Fuzzy Hash: F92149B1D043099FCB50DFAAC4847EEBBF4EF88354F14842AD519A7640DB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E7B998 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E7BA1F

Memory Dump Source

Source File: 00000000.00000002.286143057.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: eaa96b4024a1b2925c964da3b5a7c4fa1f8b8d14b35254e8f8562fc16c3f1dd0
Instruction ID: 475e37e5b60c2f5e6ac44c78486837630d28bc0af5a033a2f49d55982b4f1389
Opcode Fuzzy Hash: eaa96b4024a1b2925c964da3b5a7c4fa1f8b8d14b35254e8f8562fc16c3f1dd0
Instruction Fuzzy Hash: BC21C4B59002499FDB10CF99D884AEEBBF8EB48364F14841AE914B7350D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E787E0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E79731,00000800,00000000,00000000), ref: 00E79942

Memory Dump Source

Source File: 00000000.00000002.286143057.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1424c90053dc8a6704ea0a204e9b242c2fdf89f11f428568cb03eb79ed102999
Instruction ID: 1434472262524eb2507c928fac11b12a0993759c49af16afac43ce642887d9be
Opcode Fuzzy Hash: 1424c90053dc8a6704ea0a204e9b242c2fdf89f11f428568cb03eb79ed102999
Instruction Fuzzy Hash: 7B11F4B69042499BDB10CF9AD448AEEBBF4AB98354F10842ED559B7210C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E798D2 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E79731,00000800,00000000,00000000), ref: 00E79942

Memory Dump Source

Source File: 00000000.00000002.286143057.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c334d57b8cf8028b0823025c22e26d1afd80ea5c9c7adb2fa9643a04e487e371
Instruction ID: 2457ec393863096fbb337bb1ca7dd00f4ae76f6c982c4a74ca485d4e0c230542
Opcode Fuzzy Hash: c334d57b8cf8028b0823025c22e26d1afd80ea5c9c7adb2fa9643a04e487e371
Instruction Fuzzy Hash: 221114B69042498FDB10CFAAD844AEEFBF4AF88354F14842ED559B7240C374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 070FBA28 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 070FBA96

Memory Dump Source

Source File: 00000000.00000002.300678555.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70f0000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7b977079c3230d00adc57b853db681e2c9f48be64021b16ccae4204b09c5218d
Instruction ID: bc9441dda345749ce09ff7b4a8205762fcb52977fd4416eeccc98cf2f3e16b44
Opcode Fuzzy Hash: 7b977079c3230d00adc57b853db681e2c9f48be64021b16ccae4204b09c5218d
Instruction Fuzzy Hash: 871156B19042499FCB10DFAAC844BEEBBF5AF88364F14881AE515A7650C775A940CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 070FB7B0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 070FB812

Memory Dump Source

Source File: 00000000.00000002.300678555.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70f0000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f1f02580153ff9b20d9599061756facbf34857b22b9694f0c178ba02488eb4a2
Instruction ID: e54935dfdb4bc7ce169b95c53b7af308a58427b40389b56fdbef3c1c0b812ce5
Opcode Fuzzy Hash: f1f02580153ff9b20d9599061756facbf34857b22b9694f0c178ba02488eb4a2
Instruction Fuzzy Hash: FD1166B1D043488BCB10DFAAC8447EEFBF4EF88324F14882AC519A7640C774A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E79650 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E796B6

Memory Dump Source

Source File: 00000000.00000002.286143057.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1d7c40474e18e915011c355f9546b4a4d20ff9afc3f0d9e7c950d66251c39a97
Instruction ID: 739dcb987a6f39617890a346e579c62c29971d913c0930b27658cc136b80063f
Opcode Fuzzy Hash: 1d7c40474e18e915011c355f9546b4a4d20ff9afc3f0d9e7c950d66251c39a97
Instruction Fuzzy Hash: 4811E0B6D002498FCB10DF9AD844BDEFBF4AF89724F14851AD819B7610D378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 072B7D08 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 072B7D65

Memory Dump Source

Source File: 00000000.00000002.301978254.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3709950978fa12b70638d211b15f2f868ca4147894dbc93e6bfc47b68cb3f571
Instruction ID: dc593279070513409856a45e8ca2d0c6b852a1ee3c99c821bd4e1e3948f024f7
Opcode Fuzzy Hash: 3709950978fa12b70638d211b15f2f868ca4147894dbc93e6bfc47b68cb3f571
Instruction Fuzzy Hash: 5611E5B5800349DFDB20CF99D884BEEBBF8EB88364F10841AE514A7740D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C9D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.285416939.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c9d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d37dbfa2e3c57f7439226a323911652581d95f4592ed54b0190f1511ff04a2c3
Instruction ID: db653566ae54901710b7574b4f5d0fcd121729719d09633b2565231545e87186
Opcode Fuzzy Hash: d37dbfa2e3c57f7439226a323911652581d95f4592ed54b0190f1511ff04a2c3
Instruction Fuzzy Hash: 8C2167B1504240DFDF05DF10C9C4B26BF61FB88328F21C569E8066B246C336D956CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.285453337.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cad000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da82b78db05588de6b75f9654cfb56f2dcfd832a734c4bc0b1ea2e00da383df3
Instruction ID: 2df231e321a0ecb39789112cf2f8a0745fcd5aa6355a9047f40460239f35ee1b
Opcode Fuzzy Hash: da82b78db05588de6b75f9654cfb56f2dcfd832a734c4bc0b1ea2e00da383df3
Instruction Fuzzy Hash: B62107B5608345DFDB14CF10D9C0B26BB65FB89318F24C569D94B4B646C336D847CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.285453337.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cad000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e937fef05ca4cdcf7543f750cbb0d1f98b2c0fe33c1b8a7622ab15c00645dedf
Instruction ID: 6e8e9b1094ad7cd6d103049c6799a3a3815a271df6f014081eaf6064f9b694ce
Opcode Fuzzy Hash: e937fef05ca4cdcf7543f750cbb0d1f98b2c0fe33c1b8a7622ab15c00645dedf
Instruction Fuzzy Hash: 922137B1508345EFDB04CF10C9C0B26BB61FB89318F20C6ADE90B4B642C336DC46CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.285453337.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cad000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca447bd6af6861ac124462fe64e5bd49fe4195cb5b85a40ef86026543196c521
Instruction ID: a4e4688750e66eeac4acb1513033b8a7eb033ae8ef1447945cc56c69785da8b8
Opcode Fuzzy Hash: ca447bd6af6861ac124462fe64e5bd49fe4195cb5b85a40ef86026543196c521
Instruction Fuzzy Hash: F32180755093C08FCB02CF20D990715BF71EB46314F28C5EAD84A8F6A7C33A990ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C9D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.285416939.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c9d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e0ce4394a271259760c2c660e1cb6f29709190ae4859f5a8d1e8115099c26a4
Instruction ID: 2eac2d2ced10a7b17e569855613d19ae172f782d4bb1dacc6676612df6565418
Opcode Fuzzy Hash: 4e0ce4394a271259760c2c660e1cb6f29709190ae4859f5a8d1e8115099c26a4
Instruction Fuzzy Hash: F41108B6504280CFCF15CF10D5C4B16BF71FB94324F24C6A9D8455B656C33AD956CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.285453337.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cad000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b0c76da7bef37b33f57a9aa67a4505d4f7fa3297620b3ab0aa91aa81e941354
Instruction ID: 8f0a4e136447cbdaef7fea72c7ca185e80a93d740fedcde2281a32c8e994c972
Opcode Fuzzy Hash: 7b0c76da7bef37b33f57a9aa67a4505d4f7fa3297620b3ab0aa91aa81e941354
Instruction Fuzzy Hash: 1B118B75904284DFCB15CF10D5C4B15BBB1FB85328F28C6AAD84A4BA56C33AD94ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C9D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.285416939.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c9d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ba9b72aedecf6d056b5de33413f8e6d0aaa88f229d96751c5b902b607ac79c
Instruction ID: 96323e3a84a320b97cc4f7d3947a8d9020968b38d3add53b5def50e514fbe9ce
Opcode Fuzzy Hash: 15ba9b72aedecf6d056b5de33413f8e6d0aaa88f229d96751c5b902b607ac79c
Instruction Fuzzy Hash: 9E012B710083409AEF104E66CCC8B66BBD8DF51774F18C55AED166B28AD3789840C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00C9D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.285416939.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c9d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64934b5f02aff3d24c88a5915abcea3fdab5545c26bd61e583f94e3151a5e49d
Instruction ID: 68f69e745dcf772f69df08919b1116babf99ef26e7a3a5fd55c5f52bda95eacf
Opcode Fuzzy Hash: 64934b5f02aff3d24c88a5915abcea3fdab5545c26bd61e583f94e3151a5e49d
Instruction Fuzzy Hash: 3AF0C2714083849EEB108E16CCC8B62FFA8EB91774F18C45AED085B28AD3789C44CAB0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00E7E650 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.286143057.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2adae3ee8a737dcd9aef0d8672fb5d0725151aa3d4c4a40073f7e9d3f849cfc
Instruction ID: 8dc74d70f324aa14b06e732cc45cd605de42572a7bf12a44c262d3d61af9ff45
Opcode Fuzzy Hash: d2adae3ee8a737dcd9aef0d8672fb5d0725151aa3d4c4a40073f7e9d3f849cfc
Instruction Fuzzy Hash: 4A12D9F9CD17468AD338CF65E49A1993BA1B744329BD2CA09D1622EAD0D7BC017ECF44

Uniqueness

Uniqueness Score: -1.00%

Function 00E7C1F4 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.286143057.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b195b6673c500c1911a4f517a123cc3b3dcf7405231f1b17ad11f3dd2ae0c0b8
Instruction ID: 3c5653ef73860e0a0be58aa3b1a70bc1abfcb3388adfe15e3e6ccc01a9d37803
Opcode Fuzzy Hash: b195b6673c500c1911a4f517a123cc3b3dcf7405231f1b17ad11f3dd2ae0c0b8
Instruction Fuzzy Hash: BCA18D32E0061A8FCF05DFB5C8449DEB7F6FF84304B25956AE909BB261EB71A915CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00E7E640 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.286143057.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0285864fca3fd984afe4d457a0ed87fed88ad52557677a1af971cc9f429d70f5
Instruction ID: 286d9168bf9ecf10eefed8fd8005b5185c68eae5c8da17603d8f02ee1f4b8f9d
Opcode Fuzzy Hash: 0285864fca3fd984afe4d457a0ed87fed88ad52557677a1af971cc9f429d70f5
Instruction Fuzzy Hash: C5C13DB9CD17458AD728CF24E8991993BB1BB85328FD2CA09D1626B6D0D7BC107ECF44

Uniqueness

Uniqueness Score: -1.00%

Function 070F38B0 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.300678555.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8acfa1d1dda0699b5a24cc0e4e72642d9b41ea902c66cc78e17257cceb975a0f
Instruction ID: 3fccf964523728bb3f7abec46fcd54efb5e01f1b2498393f1349e68258e2dc44
Opcode Fuzzy Hash: 8acfa1d1dda0699b5a24cc0e4e72642d9b41ea902c66cc78e17257cceb975a0f
Instruction Fuzzy Hash: 00718F71A152548FDB48EFBAE85069EBBF3EFC8304F04C52AD0089B269DF345D058B51

Uniqueness

Uniqueness Score: -1.00%

Function 070F38C0 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.300678555.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a71c6b85a202c8a70c6cc7968b4aefc3690089d8df9fbb0addedbcef09e8329
Instruction ID: bf9bc8e69edd958f76a4a26eae2e61e9d1e6aad6c576863ef302def65e561280
Opcode Fuzzy Hash: 4a71c6b85a202c8a70c6cc7968b4aefc3690089d8df9fbb0addedbcef09e8329
Instruction Fuzzy Hash: 66614E71E152588FDB48EFAAE85069EBBF3EFC8304F04C42AD108AB268DF745D058B51

Uniqueness

Uniqueness Score: -1.00%

Function 072B001A Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301978254.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aa5b8673c7b8ba4f5bcc3f7a449ec52c3f5a582d405fcf0d8de9069ae3bb308
Instruction ID: 29a8fe70e3c52161aef74be06f0859665ddcde228e9378c3dca5d194c0cc2cce
Opcode Fuzzy Hash: 6aa5b8673c7b8ba4f5bcc3f7a449ec52c3f5a582d405fcf0d8de9069ae3bb308
Instruction Fuzzy Hash: 7E415F71D05A558BEB1DCF6B9D5029AFFF3AFC9201F18C1BA8558AA269EB3005468F01

Uniqueness

Uniqueness Score: -1.00%

Function 072B0040 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301978254.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 527074e0e6bc2da9c707b4792d30be97746fde5f76d2c0d04269f0f0d0f0a443
Instruction ID: 0ae7d17a1e94d67c61dfefc2394f8f207f56a5e411ba75ddfdde2c0fda761332
Opcode Fuzzy Hash: 527074e0e6bc2da9c707b4792d30be97746fde5f76d2c0d04269f0f0d0f0a443
Instruction Fuzzy Hash: 584115B1D15A588BEB2CCF6BDD5069EFAF3AFC9301F14D1BA950CAA255EB3005428F01

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exePID: 4520, Parent PID: 3916COMMON

Execution Graph

Execution Coverage:	12.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.4%
Total number of Nodes:	116
Total number of Limit Nodes:	11

Executed Functions

Function 00C21FF0 Relevance: 4.3, Strings: 3, Instructions: 510COMMON

Download Yara Rule

Strings

D0Dl, xrefs: 00C22444
D0Dl, xrefs: 00C224D1
D0Dl, xrefs: 00C225D1

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: D0Dl$D0Dl$D0Dl
API String ID: 0-3158727849
Opcode ID: badf79a45cace951b121de004af9e4cd7ce8dbebc4ae8f0cb2e9016531a907fb
Instruction ID: 12de63ff164395d482cbf5f0f2e7d156d82e83cf59e5660322d5e29428eeb1e2
Opcode Fuzzy Hash: badf79a45cace951b121de004af9e4cd7ce8dbebc4ae8f0cb2e9016531a907fb
Instruction Fuzzy Hash: 37129E71A002299FDB14DF69D844BAEBBF6EF88304F118029E915EB7A5DB34DD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C4C8C0 Relevance: 1.7, APIs: 1, Instructions: 172
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00C4C96F

Memory Dump Source

Source File: 00000001.00000002.506688454.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c40000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1c8d32d7aa527fd35c65be45ece8d1ee5bdaa6fdd7e54902b5d40099ecc27cd1
Instruction ID: a48e0c0021df3a060c0cb0aa8bab79f0569d4566cd38567073faf1460cc76c6a
Opcode Fuzzy Hash: 1c8d32d7aa527fd35c65be45ece8d1ee5bdaa6fdd7e54902b5d40099ecc27cd1
Instruction Fuzzy Hash: 9D518031B043059FCB04EBB4D895AEEB7A6BF85304F148969E505EB391EF74DD048B61

Uniqueness

Uniqueness Score: -1.00%

Function 00C2C848 Relevance: 1.1, Instructions: 1132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a367465dcd94d137d45271d1b15ca3489357ba6e456adea2a632025d90ee12a
Instruction ID: 191ad6439980036fc49ae85498a3420a7709ce430c5e136fbf8461e355c0d03e
Opcode Fuzzy Hash: 2a367465dcd94d137d45271d1b15ca3489357ba6e456adea2a632025d90ee12a
Instruction Fuzzy Hash: FFA25A30E006298FCB24EF78D85469DB7F2AF89304F1185A9D54AAB761EF309D85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00C22618 Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aaf911277b62b24d408211c39464a07b11c2a33e665ab29c549983377ef07b4
Instruction ID: 98e2602831c6bae33906deec210bbb8fc8fddedc8ebaf0099a28958a131f313d
Opcode Fuzzy Hash: 1aaf911277b62b24d408211c39464a07b11c2a33e665ab29c549983377ef07b4
Instruction Fuzzy Hash: A8026E31A00129EFCB14DFA9E984AADBBF2FF48300F158069E815ABB61D730DD85DB51

Uniqueness

Uniqueness Score: -1.00%

Function 010E6940 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 010E69A0
GetCurrentThread.KERNEL32 ref: 010E69DD
GetCurrentProcess.KERNEL32 ref: 010E6A1A
GetCurrentThreadId.KERNEL32 ref: 010E6A73

Memory Dump Source

Source File: 00000001.00000002.509560405.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10e0000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f172a954a51a997d161405a338e42426f28bca6e1e97f6d5c377f5c36c52d9e3
Instruction ID: 1b9d54d140bb29944b8e762123c060f01d415bd71c3afed9bf9d132cc995663b
Opcode Fuzzy Hash: f172a954a51a997d161405a338e42426f28bca6e1e97f6d5c377f5c36c52d9e3
Instruction Fuzzy Hash: 785154B0A043488FDB94CFAAD548BEEBBF0EF98314F208459E549A7350D7756844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00C2D938 Relevance: 3.0, Strings: 2, Instructions: 496
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XcDl, xrefs: 00C2DCFC
XcDl, xrefs: 00C2DD06

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: XcDl$XcDl
API String ID: 0-518894161
Opcode ID: f8192029b75e0dbb695f19d3fa8511f45c45123e05a578d34e7d822feac069f7
Instruction ID: 267101b5d193d3860101f006baf79d14a42369e510e04b742e2018b4b251e8df
Opcode Fuzzy Hash: f8192029b75e0dbb695f19d3fa8511f45c45123e05a578d34e7d822feac069f7
Instruction Fuzzy Hash: 7702CF30B042249FDB14EF68E854BAE7BB2EF98304F158469E506DB791DB70DD42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C21AC0 Relevance: 2.7, Strings: 2, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XcDl, xrefs: 00C21C4B
XcDl, xrefs: 00C21C41

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: XcDl$XcDl
API String ID: 0-518894161
Opcode ID: 7dd8f218aadd58e4aea1be307e4243760c484e71a0a32d2b7b73648e4ed0a2a8
Instruction ID: ec496fb5bc835f6d86381cd03e5c608e558059fe034e0ebf5f45fc4d9126dd06
Opcode Fuzzy Hash: 7dd8f218aadd58e4aea1be307e4243760c484e71a0a32d2b7b73648e4ed0a2a8
Instruction Fuzzy Hash: 5881C179A00125CFCB18CF69E484AAAB7B2FF99341F298069DC12D7B65DB31DD01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010E5084 Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010E51A2

Memory Dump Source

Source File: 00000001.00000002.509560405.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10e0000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 08d60e98104400d51a05c86b2bcd02f950e24a9f3dd15bdd2f8c9036b7c127b5
Instruction ID: 1e72372e0a51e988e8d61d5380af9078d323f85ecdc6c59942402f6391ca67ce
Opcode Fuzzy Hash: 08d60e98104400d51a05c86b2bcd02f950e24a9f3dd15bdd2f8c9036b7c127b5
Instruction Fuzzy Hash: 1F51C0B5D003499FDB15CFAAC884ADEBFF1BF88314F24856AE819AB210D7749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010E5090 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010E51A2

Memory Dump Source

Source File: 00000001.00000002.509560405.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10e0000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 54c2bdcb31519fa77a3690dbbfaf905149b8ef93deb1075d3b137f09313b5da0
Instruction ID: 6aa667bdef5c375747db60d3f7f88711f41361652bc10b2610d82492daa0f802
Opcode Fuzzy Hash: 54c2bdcb31519fa77a3690dbbfaf905149b8ef93deb1075d3b137f09313b5da0
Instruction Fuzzy Hash: DA41C0B5D103099FDB14CF9AC884ADEBFF5BF88314F24856AE819AB250D7749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010E7780 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 010E7F01

Memory Dump Source

Source File: 00000001.00000002.509560405.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10e0000_SecuriteInfo.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: ed3067e8a9bb4b742c1c1147b39d05f9d58045a58c5ad665d519b5d099ce3a0f
Instruction ID: fbabc470146c83c38f3aab1694e6472962dfacafb2689a08ff412726ef1c6e7f
Opcode Fuzzy Hash: ed3067e8a9bb4b742c1c1147b39d05f9d58045a58c5ad665d519b5d099ce3a0f
Instruction Fuzzy Hash: 4C413AB4A04315CFCB14CF9AC448AAABBF5FF88314F15C499E559AB321D774A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 010E4080 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 010E4116

Memory Dump Source

Source File: 00000001.00000002.509560405.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10e0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8257dda6eb28d813a42559677580e475f8acb00fffd8a22ccb2eebb62e818b34
Instruction ID: 2916cd7c4e198c44d7d38872bad1ab165f88765556fcd17d89f788fe8eb75b51
Opcode Fuzzy Hash: 8257dda6eb28d813a42559677580e475f8acb00fffd8a22ccb2eebb62e818b34
Instruction Fuzzy Hash: 352191B1C093848FCB11CFAAC84469EBFF4EF8A214F15859EC445EB252D3399506CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010E6B62 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010E6BEF

Memory Dump Source

Source File: 00000001.00000002.509560405.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10e0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f098df2e2ff1002a53c64683beb8c4b40531a33c4e4cd9af165b668e178628e1
Instruction ID: e43c68215a971c9436f07a6e0def61d7076ec8229a180464b1813893a9448464
Opcode Fuzzy Hash: f098df2e2ff1002a53c64683beb8c4b40531a33c4e4cd9af165b668e178628e1
Instruction Fuzzy Hash: BB21F2B5900248DFDB10CFAAD984AEEBFF4EF48324F14841AE955A7310D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010E6B68 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010E6BEF

Memory Dump Source

Source File: 00000001.00000002.509560405.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10e0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f1a1b5618843d7a4a5620fb00cb167be88c1753fb7fd034cb9094fe18982174c
Instruction ID: 256b44c8e80900b5426bc5327b9f13637b99210c49737311d047b70cba181e6d
Opcode Fuzzy Hash: f1a1b5618843d7a4a5620fb00cb167be88c1753fb7fd034cb9094fe18982174c
Instruction Fuzzy Hash: BD21E4B5900248DFDB10CFAAD984AEEBFF4EB48324F14841AE955A3350D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F966E4 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,00F97579,00000800), ref: 00F9760A

Memory Dump Source

Source File: 00000001.00000002.509383242.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 45f1d0ac9ce7745149e613a9f9cbaa22aaabb0d6c4133a3da368b47fbbccc28f
Instruction ID: 97087622d12c3253dffae3b8f14b29056dbf2a5e434a0233873dca1ccbaef0ff
Opcode Fuzzy Hash: 45f1d0ac9ce7745149e613a9f9cbaa22aaabb0d6c4133a3da368b47fbbccc28f
Instruction Fuzzy Hash: 9D1114B6D043099FDB10DFAAD844BEEFBF4EB88324F15842AD419A7200C374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 010EC118 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 010EC192

Memory Dump Source

Source File: 00000001.00000002.509560405.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10e0000_SecuriteInfo.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 863940b44eca958c86187bd3649bcbfec93664f6c3e04cb480df7db33e3e98c4
Instruction ID: 7e3bcf0f70fd1e9afc93752e3f4687bc67d2e73450f0d46ad6833aff7a15f8e3
Opcode Fuzzy Hash: 863940b44eca958c86187bd3649bcbfec93664f6c3e04cb480df7db33e3e98c4
Instruction Fuzzy Hash: 9F117F71A053198FEB90DFAAC5087EEBFF4FB49714F10846AD445A3641C779A504CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010EC116 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 010EC192

Memory Dump Source

Source File: 00000001.00000002.509560405.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10e0000_SecuriteInfo.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: a0e5a5c38e612fa99b9cfeccf6f0ca734de165b0fed4e87fca5501ee9d75f6e1
Instruction ID: a47cfb8d409aa5bd10e6a1e3322e9d8fb286fb64d8558a291eceed4b19a79ffe
Opcode Fuzzy Hash: a0e5a5c38e612fa99b9cfeccf6f0ca734de165b0fed4e87fca5501ee9d75f6e1
Instruction Fuzzy Hash: 7711AC71A053598FEBA0CFAAC5083EEBFF4FB49314F20846AD449A3241C739A504CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F9759F Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,00F97579,00000800), ref: 00F9760A

Memory Dump Source

Source File: 00000001.00000002.509383242.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2d472bd539107a2de0843fcd452735c7ca6d28a150f89bdde410c788827759d7
Instruction ID: efd56543f94d32365ad2af5b3ec4c2aeb1d2a59567f3537993635401fbabf74e
Opcode Fuzzy Hash: 2d472bd539107a2de0843fcd452735c7ca6d28a150f89bdde410c788827759d7
Instruction Fuzzy Hash: C41112B6D043499FDB10CFAAD844BEEFBF4AB88324F15842ED415A7200C3B4A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 010E32D8 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 010E4116

Memory Dump Source

Source File: 00000001.00000002.509560405.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10e0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d0ecb5538c282fa5b61ee678be35ded3188ffd8dbd2cc97be1726c056171432a
Instruction ID: 7c8e855390d6e70c28534c58d679f9805adf3a1df0b226ae5edeb4d3e85b6a29
Opcode Fuzzy Hash: d0ecb5538c282fa5b61ee678be35ded3188ffd8dbd2cc97be1726c056171432a
Instruction Fuzzy Hash: D31102B6D046498FDB20CF9AD448BDEFFF4EB88224F11846AD959B7200D378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F99F80 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00F9AF25

Memory Dump Source

Source File: 00000001.00000002.509383242.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_SecuriteInfo.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 054f12867b79cab56cd7326bca32378171b072273a9735d7a153a76208aba4e8
Instruction ID: d6081b933984b20f012dad019c8e492bc3b6f9e9777f0750e465e0496bc732c8
Opcode Fuzzy Hash: 054f12867b79cab56cd7326bca32378171b072273a9735d7a153a76208aba4e8
Instruction Fuzzy Hash: 021115B1904748CFDB10DF9AD448BDEBBF4EB48368F248419E519A7600D374A944CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 00F9AECF Relevance: 1.5, APIs: 1, Instructions: 43comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00F9AF25

Memory Dump Source

Source File: 00000001.00000002.509383242.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f90000_SecuriteInfo.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: a0695f7d5bca9586f98948ba4ca6fa6511e1c96665b877e6a432b8cd191e6f03
Instruction ID: fbd559550447a372187cb8349fae677f3d0f13bd02e03859573b6136effef4a9
Opcode Fuzzy Hash: a0695f7d5bca9586f98948ba4ca6fa6511e1c96665b877e6a432b8cd191e6f03
Instruction Fuzzy Hash: D01127B5D04248CFCB10CFA9D448BDEBFF4EB48368F14841AD419A7640C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C2B800 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

P@tk, xrefs: 00C2B887

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: P@tk
API String ID: 0-199252316
Opcode ID: 24c50c222a6e249c95cd5498b21cfddc7eb74458535af3279112fc56aa518815
Instruction ID: e92bb90ff5b5376b1f0b869f2dab8d14f172a56e5855103a68b3fbf06a855cb7
Opcode Fuzzy Hash: 24c50c222a6e249c95cd5498b21cfddc7eb74458535af3279112fc56aa518815
Instruction Fuzzy Hash: A231E171B002158FCB04AF74E8146AFBBF2EF89344B148469D40AEB7A5DF349D46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C2B810 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

P@tk, xrefs: 00C2B887

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: P@tk
API String ID: 0-199252316
Opcode ID: c02885b4ef5d9f7fef7c16eda33566f67adbee40ebd7a78efc4e637056fa2a14
Instruction ID: 371565a2ff588a14a8753468227e2c8c1eafd969afe810946c9a9451b4905d38
Opcode Fuzzy Hash: c02885b4ef5d9f7fef7c16eda33566f67adbee40ebd7a78efc4e637056fa2a14
Instruction Fuzzy Hash: AB31BE71B042158FCB04AF74D8146AEBBF6EF89344B148469D40AEB7A4DF349D068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C2DC78 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

XcDl, xrefs: 00C2DCFC

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: XcDl
API String ID: 0-3044878938
Opcode ID: aa6d29b19c33cd345b1417cee7f5d3d1aba0ddeb90df9a6f88b63d5875aba712
Instruction ID: 31f24374c02146d82e9d24d3c50fe57f056bf3deddfac1c64d2a33a9bb2382e5
Opcode Fuzzy Hash: aa6d29b19c33cd345b1417cee7f5d3d1aba0ddeb90df9a6f88b63d5875aba712
Instruction Fuzzy Hash: 3011C231B005248FDB14EE29E448B69B7A2EBE4721F248525E92B8B740DB70ED41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C2BAB0 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7163d15699ad3cba0e45d4d86b7dcbc53e7ce6773a7eb6a5de0820837be7133b
Instruction ID: fd52ac2e206a37dc788cd94f81ab1c626c7f50b018553b7a1a95f07dec541085
Opcode Fuzzy Hash: 7163d15699ad3cba0e45d4d86b7dcbc53e7ce6773a7eb6a5de0820837be7133b
Instruction Fuzzy Hash: C1427C30A002248FDB24DF68E5886ADB7F2FF49314F148869E41ADBB95DB35DD86CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C2EE00 Relevance: .6, Instructions: 575COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46ed873671b98faf7b89792468f4795be91fe0f1d8d5a397ec23442b8cec517e
Instruction ID: 3fe4b3005565620b7f78832ccd9bcf4289f84c385f39180d209cde37833a2d19
Opcode Fuzzy Hash: 46ed873671b98faf7b89792468f4795be91fe0f1d8d5a397ec23442b8cec517e
Instruction Fuzzy Hash: E912DC30B043198FDB14AB74E8586AE7BF2AF85304F148479E54ADB7A6EB74CD06CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C2AB70 Relevance: .6, Instructions: 565COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc731199f036971d46b07fa8a58fb6961b4d5b6b3d56847f5d5bf33cb205f72b
Instruction ID: dda6b4d6febb86af0e7ea977c392b00436cad7a36ba802c28e5b47521a27304c
Opcode Fuzzy Hash: bc731199f036971d46b07fa8a58fb6961b4d5b6b3d56847f5d5bf33cb205f72b
Instruction Fuzzy Hash: 1E228174A002148FCF14EFB8E8446ADBBB2FF89305F118569E509EB7A4DB349D46CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C22D50 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1577a76767ab17502287ce9631ae0261f15e19ef1cfb499c147ce831790bcea2
Instruction ID: 8fb84903d782c0c7fd36c9e273d18bf7272362e3246fcfc45da4536cc3416ead
Opcode Fuzzy Hash: 1577a76767ab17502287ce9631ae0261f15e19ef1cfb499c147ce831790bcea2
Instruction Fuzzy Hash: 3B226C30A00269DFCB14CF69E884A9EBBF2FF48314F158559E955DBAA1CB34EE41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C232D8 Relevance: .4, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02405226b42e7bab701059a1a865c1f4a69118e81a61df010a61c6d87275aa7
Instruction ID: d6a94df4b896577e77967dd12f670af94467cc611c6ac1bc916db33463b0b2dc
Opcode Fuzzy Hash: f02405226b42e7bab701059a1a865c1f4a69118e81a61df010a61c6d87275aa7
Instruction Fuzzy Hash: 22028A74A00165DFCB14CF68E588AAEBBF2FF88300F258555F4199B6A1C738EE41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C2B330 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3adf3757d11344d627337c945902e3d634959d0e6aed0d49bc4d8be2c29928
Instruction ID: 9f5ceea2635574156fb1b692cfc06f3f84912266b9f6d0673c1ed99f370d5a7b
Opcode Fuzzy Hash: da3adf3757d11344d627337c945902e3d634959d0e6aed0d49bc4d8be2c29928
Instruction Fuzzy Hash: E4E1B170B0D3954FD712973898557AA7FF29B96304F1A80F6D588CB693EB38DC0A8712

Uniqueness

Uniqueness Score: -1.00%

Function 00C2C1B8 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6557e22169b6b1d7b0b60e32c38fd46f648354d6576e5693a16ea5a5d0e65ff
Instruction ID: 872493b5366910735f9c72636755202988eea5570b83cdc2c00d3543fbf18516
Opcode Fuzzy Hash: a6557e22169b6b1d7b0b60e32c38fd46f648354d6576e5693a16ea5a5d0e65ff
Instruction Fuzzy Hash: ECE15A70A00620CFC724EB68E5996ADB7F2FF88315F148869E41ADBB90DB35ED45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C24C78 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22a06533ca2e51399d66c5f347eb994499d11a185d488b550d84d31243c41daa
Instruction ID: b51e7dcd631b271e3e17cb9ebae20228224468c6215009b1561e4b1a575b3fb8
Opcode Fuzzy Hash: 22a06533ca2e51399d66c5f347eb994499d11a185d488b550d84d31243c41daa
Instruction Fuzzy Hash: 1DD10976A00524CFCB18CFA9E584DADBBF6BF88311F1680A9E515AB761CB70EC41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00C24B58 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4b0604922baae2e254ec912090f95839f4ef77a93711ac1dd383e4e51fd907c
Instruction ID: fbd79c516f0223e5c6a855baa7a74344151b14b615b39083c75fa3b73e1d7739
Opcode Fuzzy Hash: d4b0604922baae2e254ec912090f95839f4ef77a93711ac1dd383e4e51fd907c
Instruction Fuzzy Hash: 0EC1E971E006288FCB18CFA9E58499DBBF6BF88311F168095E515AB761DB30ED42CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00C22D40 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7146090babbe31afd03a56024c4d4625864425fd0aa901d748090726e83a64d5
Instruction ID: 4da59fac1815c069a04f929648a5df7fe3f2519960d14c567755942cf48b75fb
Opcode Fuzzy Hash: 7146090babbe31afd03a56024c4d4625864425fd0aa901d748090726e83a64d5
Instruction Fuzzy Hash: 4BC17A30A002699FCB14CFA9E984A9EBBF2FF48304F158559E855EB761D734EE41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C2E8F8 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be59c01196c79c3e6ea134e08f47cc24b4bed4c0f0555c7d8b3ecd9066b9983d
Instruction ID: f1fbcff35fd03055845868f6e0653e5b8a30e3ae144c14672bb9ee8ef2ffc17f
Opcode Fuzzy Hash: be59c01196c79c3e6ea134e08f47cc24b4bed4c0f0555c7d8b3ecd9066b9983d
Instruction Fuzzy Hash: 81919F30A003198FDB14EFB4E8556ADBBF2EF89304B148869D906EB794DF349D46CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C21830 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17e40d9c89b799b2e4c2f14ad939fa7870f8d85171279f25baf2700244851878
Instruction ID: 5caa548aa8f8a4e0c03e865211fcffe59c611ff3252308f0faa7ae9e3ff4d587
Opcode Fuzzy Hash: 17e40d9c89b799b2e4c2f14ad939fa7870f8d85171279f25baf2700244851878
Instruction Fuzzy Hash: A77143317042208FDB58AB29D49473E77E2AFD9344F198429E946CB795DF31DD42C790

Uniqueness

Uniqueness Score: -1.00%

Function 00C23AC8 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03ad006538c90d32cb064901c2f5e8191c7772c61f26d28000ec6a3b8d61a1cf
Instruction ID: 6bd1be0f46e86d72682de0bb4b42e06028543bdd58debda1c0bb2e2bbee9dcdd
Opcode Fuzzy Hash: 03ad006538c90d32cb064901c2f5e8191c7772c61f26d28000ec6a3b8d61a1cf
Instruction Fuzzy Hash: 3151E2347141A58FCB14DF3EE884A6ABBE9FF48700B1540AAE916CB761DB39DE01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C2B9E0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18a251a74812c43e4f6ceb6b99ebaafc5cfd96fe113e095a4745b8820911a68b
Instruction ID: 09c00c6f4070398183d330f4f7790470cb68d5a4d3b90a0b371091c91864bcff
Opcode Fuzzy Hash: 18a251a74812c43e4f6ceb6b99ebaafc5cfd96fe113e095a4745b8820911a68b
Instruction Fuzzy Hash: C4512570E093598FCB01EBB8D9456AEBFF2AF55300F1584AAD108EB683E7349D05C791

Uniqueness

Uniqueness Score: -1.00%

Function 00C2B118 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3509f5c53e07b1c68ab31f5da2a620085c2079e05c1c83d8c273a3810bae9eea
Instruction ID: 1d3662c0649ddc5c5c3e1b43e0d893803401deaad70ff4c7ec16424dcbfadf6a
Opcode Fuzzy Hash: 3509f5c53e07b1c68ab31f5da2a620085c2079e05c1c83d8c273a3810bae9eea
Instruction Fuzzy Hash: 1D51C978E003188FCF50EFA8D88559DBBB5FF5A305B508965D809E77A8EB345906CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00C216C8 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93678e7805227c360f1e1c105f65788f45c8b0e9575928dbecefe89bca772d9f
Instruction ID: da370b95870719a712caf3c21952ea712ac0d574c7a60241c97db19c40d71a93
Opcode Fuzzy Hash: 93678e7805227c360f1e1c105f65788f45c8b0e9575928dbecefe89bca772d9f
Instruction Fuzzy Hash: C041BC356082249FDB568F24E844BAA7BF2EBC8704F198418E906CB790DB74CD11CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C2CDA0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d75a6c3f1669f4161ecc80f4779b18e3d92bc0bbb48e56c4deb601c2f192cf
Instruction ID: 57314240bd2133942d385459f8eea07c13df89f3cf221f80aa0eb68d523f88c6
Opcode Fuzzy Hash: 11d75a6c3f1669f4161ecc80f4779b18e3d92bc0bbb48e56c4deb601c2f192cf
Instruction Fuzzy Hash: 57412C74E002289BDB54EF79D895BDEB7F6EF89300F0044A9E509AB380DB319E418F50

Uniqueness

Uniqueness Score: -1.00%

Function 00C238D8 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab84b482b6579d7ba0bb032f0a226c2e3a934c747a926e520fd782ac40baa7d6
Instruction ID: 373f253287b32855baddfbc941aae2c5464a824c8b2b480c14bf43b2df4faf7f
Opcode Fuzzy Hash: ab84b482b6579d7ba0bb032f0a226c2e3a934c747a926e520fd782ac40baa7d6
Instruction Fuzzy Hash: EA414B747001598FCB14AF69E888BAA7BB5FF89315F100069F9168B370CB75DE81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C214A8 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c9ea34cdedfe6e7c30e29d4e44b673d64f8394cae6c42c624fd6085a826931
Instruction ID: e995a866ab16c7d623de1ed81bf14dd6b2e998953935f4de79add55bcc04d7c3
Opcode Fuzzy Hash: 36c9ea34cdedfe6e7c30e29d4e44b673d64f8394cae6c42c624fd6085a826931
Instruction Fuzzy Hash: E941D931700219DFCF459F59E854ABE7BE6EFA8300F088065FE1A87251DB35CE629B50

Uniqueness

Uniqueness Score: -1.00%

Function 00C249B0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4f8b0df6d928b213d6293cf14ee72ac2655ea503c709a5c05fc31f609e9fb66
Instruction ID: 619dae703b003a6d0b5f8444c8f2ac8c6982f183418efeda70dd915225363f1d
Opcode Fuzzy Hash: c4f8b0df6d928b213d6293cf14ee72ac2655ea503c709a5c05fc31f609e9fb66
Instruction Fuzzy Hash: 0A31EF31B442149FDB48AB68D854BAE7BB6EFC8310F154069E60AEB391CF309C15CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C23D08 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74f9c02049ef1a0714828ed19dd3929499b6a86abb6928b8499fc1cd140eab6f
Instruction ID: 4197aa6a3b2441b4bfe710a173c72ea8aba846b0b372fab84fda63b42ea61f85
Opcode Fuzzy Hash: 74f9c02049ef1a0714828ed19dd3929499b6a86abb6928b8499fc1cd140eab6f
Instruction Fuzzy Hash: AF2129323143694BDB152735A89427E3B9B9FC5718F194039DA12DFB94DE2DCE029782

Uniqueness

Uniqueness Score: -1.00%

Function 00C23D18 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e487b54ca85d98427db9c8b6126a2723efd6c530590f2b85316191ac6c704f
Instruction ID: 45e3d0d7ad71c3645bb19e95e99376c747db68bf454d16ad0a717f241366e74f
Opcode Fuzzy Hash: 41e487b54ca85d98427db9c8b6126a2723efd6c530590f2b85316191ac6c704f
Instruction Fuzzy Hash: 7621F6313143684BEF156625E49477E3A9BDFC4718F258039DA12CFB94DE2DCE429782

Uniqueness

Uniqueness Score: -1.00%

Function 00C23C10 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d73a2dfe0e8967077b6a6fd91af76a2962c350844576615ca063fe52ac228e81
Instruction ID: 42191e7404c2e389b874e33821f60a6ee211efdbde141593148eb54abdf6465c
Opcode Fuzzy Hash: d73a2dfe0e8967077b6a6fd91af76a2962c350844576615ca063fe52ac228e81
Instruction Fuzzy Hash: A221B1317042A98FDB04CE26FC8066B7BEAEB85310F154626E912DB654DB39CF01DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C2C728 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761ab06d3e2f67568354cf8c8071bc9e4caac9042ee35272589b25a463be4e14
Instruction ID: 81569e9c5077c149997268018b266fb3a02a5f6d35d409e7f2f318008d96fe0c
Opcode Fuzzy Hash: 761ab06d3e2f67568354cf8c8071bc9e4caac9042ee35272589b25a463be4e14
Instruction Fuzzy Hash: 1721B334B042288FCB41EB7CE845AAE77F6EF89300F158065D50DE7795EB349D068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C21627 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daa93fa9f8e508618e82893ba0d4c210f745477d473863377997af587eb0ca5f
Instruction ID: cd55aa313431e43a9d3ad105d221b500a01fa1ad89c4eee5a99d792aea60ae99
Opcode Fuzzy Hash: daa93fa9f8e508618e82893ba0d4c210f745477d473863377997af587eb0ca5f
Instruction Fuzzy Hash: 3F113A32B042255FDB469E6978106FF3BABCBD8790F1C802AFA15C7280DE31CD128791

Uniqueness

Uniqueness Score: -1.00%

Function 00C219E0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0250de1d5daacb190d5310818f0bb4236caeefd542d70e39b870b41f3c1ef2a6
Instruction ID: 5120737a171ffe62c16782d97e9c77594e12385bb3f64c3e5ae4eb5d64516b54
Opcode Fuzzy Hash: 0250de1d5daacb190d5310818f0bb4236caeefd542d70e39b870b41f3c1ef2a6
Instruction Fuzzy Hash: 32113632701621CFC7199A29E85463AB7A6FF99390B1D4479ED06CB750CF30DC02CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00C22608 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fe05914e4cad6dd587a0ab207e11fdaafbfe5dbeae50c8b57876a278826f47c
Instruction ID: a767e545aba4e8a330c9cc3f83c2b5829bfad8acc8b401487c5b2bf3b247a4d6
Opcode Fuzzy Hash: 7fe05914e4cad6dd587a0ab207e11fdaafbfe5dbeae50c8b57876a278826f47c
Instruction Fuzzy Hash: A521AF32900218EFDB20CF54E844BAABBF6EF48310F04856AF5599BA51D775ED58CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A850 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bdc1344f91bd5be41ff5f963b3269bf4b6d0fe905c4138ad1ccfc20a49be016
Instruction ID: a0da8c22c7f457dd4ffad2e43ead94d18cf4c7aa0584af99db6a380ff60e01fd
Opcode Fuzzy Hash: 6bdc1344f91bd5be41ff5f963b3269bf4b6d0fe905c4138ad1ccfc20a49be016
Instruction Fuzzy Hash: C721E3B19042299BCB00CF9AD884BDEFBB4FB48324F10812AE518B7640D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C2C658 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fbd9f68e7d69c8a39e4e6dbbe857670ec7bf7630fc5d2b86bf5363acce67ad2
Instruction ID: fe82a92ed0f7b6c728bbdca4d8ba3d7d39e6ee31cbe36818e0a7cd1d4eb9f0f2
Opcode Fuzzy Hash: 9fbd9f68e7d69c8a39e4e6dbbe857670ec7bf7630fc5d2b86bf5363acce67ad2
Instruction Fuzzy Hash: 50111E35F002289F8B50EB7DD8459AEB7F5FF89710B508429E50DE7B54EB349D028BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A698 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adff7f17396cf3130c49b14b46b47410dfe0f9a0758d058734e769db8f67de1e
Instruction ID: 7f3d0af5f63d0b9a23e9de7865152187d12d8d780eb6aebc12df453422605ac8
Opcode Fuzzy Hash: adff7f17396cf3130c49b14b46b47410dfe0f9a0758d058734e769db8f67de1e
Instruction Fuzzy Hash: 02F0A7B6E182555FC750DBB99C092AEBFF8AB89610F0504BED50DD3240EB744A018BD2

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A6A8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd3f3ac5a0f5344dccc6d6418fd5c72f183e6b2d9f16e5649ea2d0fca46f29d
Instruction ID: 7230d29b0052da439b9a2c245629e900e1532423bdad2c1ff703aaed27e41ac8
Opcode Fuzzy Hash: ebd3f3ac5a0f5344dccc6d6418fd5c72f183e6b2d9f16e5649ea2d0fca46f29d
Instruction Fuzzy Hash: D4E01275E042159F47409BADA8055AE7BF8EB88611B14017AE51DD3300EB7049118BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00C2B7A1 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56cc08d9559a0b483b0943f1259075c8fb1d8a1995c865cb578f61f108e73ed5
Instruction ID: 8e382218825726c8b0d5a883a09d302a3860e836a41145f2d8a57f84e60a76c3
Opcode Fuzzy Hash: 56cc08d9559a0b483b0943f1259075c8fb1d8a1995c865cb578f61f108e73ed5
Instruction Fuzzy Hash: C4E0C939B141258F8F45EBBDE8884ED77F5FB88215B004065E64AE7794EE389C02CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C21D70 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c27eabd4f693aadb136c39b9db469416f60ed72110cc11149a32b41c11bcfe5
Instruction ID: a25df58e9cedc96fc845d221193047198a96b4e2c9296aa422519792d0a3ed4b
Opcode Fuzzy Hash: 6c27eabd4f693aadb136c39b9db469416f60ed72110cc11149a32b41c11bcfe5
Instruction Fuzzy Hash: 32D05E3244C3154ADBD4BBF4E842776375A8BA0208B40CD62F2894926EDAB866474B99

Uniqueness

Uniqueness Score: -1.00%

Function 00C24A5D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 545b17dadfa5b58d0d8d4f842d1bd0d136ca21540aee31066172cd9004e4e987
Instruction ID: 5f29fd7ae66c85fe3bf242b7bd7f0cc5aa83371ecc8cc355a4f7666b331539f7
Opcode Fuzzy Hash: 545b17dadfa5b58d0d8d4f842d1bd0d136ca21540aee31066172cd9004e4e987
Instruction Fuzzy Hash: BCD0673AB10118DF9B059F98E8408DDF77AFB98325B058116FA15A7265C6319921DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C21D80 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9448ba51f991c5e6436ee0afc4852e2f367157eeaf22773abfb4f2c0b2ebfe08
Instruction ID: c5e28f9f2d78121fbe284edc40c292d9fc6f3b6e311f3c83460db3248f7453c0
Opcode Fuzzy Hash: 9448ba51f991c5e6436ee0afc4852e2f367157eeaf22773abfb4f2c0b2ebfe08
Instruction Fuzzy Hash: 8DC0123010C3154A8A94BB75E842926335EDAD0208340CD32E1495917EDF7166064795

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00C21F60 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

?l, xrefs: 00C21F76
?l, xrefs: 00C21F6C
?l, xrefs: 00C21F9E
?l, xrefs: 00C21F92

Memory Dump Source

Source File: 00000001.00000002.506332573.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ?l$?l$?l$?l
API String ID: 0-825565553
Opcode ID: e3f5d91e5c5e6defa9aab0693bf544b30824ec6dcf209fc7cd007cf5ad86a249
Instruction ID: 868995231d3145476ee75965f04f5248b97268958f0ab3a19142184fbb0227d8
Opcode Fuzzy Hash: e3f5d91e5c5e6defa9aab0693bf544b30824ec6dcf209fc7cd007cf5ad86a249
Instruction Fuzzy Hash: 96018839B101258FCB148AAFD14092A73D5BFA9760319417AF931CB770DB70DD42C791

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Win32.PWSX-gen.3512.499.exePID: 3916, Parent PID: 3320

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.3512.499.exe

Function 00E7B760 Relevance: 6.2, APIs: 4, Instructions: 150
threadCOMMON

Function 00E7B770 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Function 070FBE30 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 00E79470 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Function 00E7FDCD Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Function 00E7FDD8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 00E75365 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 00E73E4C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 070FBB18 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 00E7B992 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 070FBC38 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 070FB890 Relevance: 1.6, APIs: 1, Instructions: 63
threadinjectionCOMMON

Function 00C4C8C0 Relevance: 1.7, APIs: 1, Instructions: 172
libraryCOMMON

Function 010E6940 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Function 00C2D938 Relevance: 3.0, Strings: 2, Instructions: 496
COMMON