Edit tour

Windows Analysis Report
WOOYANG VENUS PARTICULARS.pdf.scr.exe

Overview

General Information

Sample name:	WOOYANG VENUS PARTICULARS.pdf.scr.exe
Analysis ID:	1562838
MD5:	93e502520786ba056be0b8a02c30ffd9
SHA1:	a6b1c8eea0ee256fd502d7ee63db9d6e4a76b71b
SHA256:	59e8919a70ecf74746e7bac52469b520a8a4fa929e8fa8171e22342d8dc4e1d6
Tags:	AgentTeslaexeuser-threatcat_ch
Infos:

Detection

AgentTesla, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

WOOYANG VENUS PARTICULARS.pdf.scr.exe (PID: 6500 cmdline: "C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe" MD5: 93E502520786BA056BE0B8A02C30FFD9)

powershell.exe (PID: 7032 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WOOYANG VENUS PARTICULARS.pdf.scr.exe (PID: 7068 cmdline: "C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe" MD5: 93E502520786BA056BE0B8A02C30FFD9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://beirutrest.com", "Username": "belogs@beirutrest.com", "Password": "9yXQ39wz(uL+"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1701331816.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1701331816.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.4131473749.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1704633331.00000000055F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.4130201435.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4130201435.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.4131473749.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4131473749.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1701331816.0000000003C05000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1701331816.0000000003C05000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1701331816.0000000003C05000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: WOOYANG VENUS PARTICULARS.pdf.scr.exe PID: 6500	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: WOOYANG VENUS PARTICULARS.pdf.scr.exe PID: 6500	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: WOOYANG VENUS PARTICULARS.pdf.scr.exe PID: 6500	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: WOOYANG VENUS PARTICULARS.pdf.scr.exe PID: 7068	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: WOOYANG VENUS PARTICULARS.pdf.scr.exe PID: 7068	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.55f0000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.55f0000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3c05828.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x330d3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33145:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x331cf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33261:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x332cb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3333d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x333d3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33463:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x304c6:$s2: GetPrivateProfileString 0x2fbc5:$s3: get_OSFullName 0x31203:$s5: remove_Key 0x31392:$s5: remove_Key 0x32273:$s6: FtpWebRequest 0x330b5:$s7: logins 0x33627:$s7: logins 0x3630a:$s7: logins 0x363ea:$s7: logins 0x37ce6:$s7: logins 0x36f84:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3bc9970.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3bc9970.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3bc9970.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x312d3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31345:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x313cf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31461:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x314cb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3153d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x315d3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31663:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3bc9970.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2e6c6:$s2: GetPrivateProfileString 0x2ddc5:$s3: get_OSFullName 0x2f403:$s5: remove_Key 0x2f592:$s5: remove_Key 0x30473:$s6: FtpWebRequest 0x312b5:$s7: logins 0x31827:$s7: logins 0x3450a:$s7: logins 0x345ea:$s7: logins 0x35ee6:$s7: logins 0x35184:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3bc9970.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3bc9970.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3bc9970.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x330d3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33145:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x331cf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33261:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x332cb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3333d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x333d3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33463:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3bc9970.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x304c6:$s2: GetPrivateProfileString 0x2fbc5:$s3: get_OSFullName 0x31203:$s5: remove_Key 0x31392:$s5: remove_Key 0x32273:$s6: FtpWebRequest 0x330b5:$s7: logins 0x33627:$s7: logins 0x3630a:$s7: logins 0x363ea:$s7: logins 0x37ce6:$s7: logins 0x36f84:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x312d3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31345:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x313cf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31461:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x314cb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3153d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x315d3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31663:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2e6c6:$s2: GetPrivateProfileString 0x2ddc5:$s3: get_OSFullName 0x2f403:$s5: remove_Key 0x2f592:$s5: remove_Key 0x30473:$s6: FtpWebRequest 0x312b5:$s7: logins 0x31827:$s7: logins 0x3450a:$s7: logins 0x345ea:$s7: logins 0x35ee6:$s7: logins 0x35184:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x330d3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6d4f3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33145:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6d565:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x331cf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6d5ef:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33261:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6d681:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x332cb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6d6eb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3333d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6d75d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x333d3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6d7f3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33463:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6d883:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x304c6:$s2: GetPrivateProfileString 0x6a8e6:$s2: GetPrivateProfileString 0x2fbc5:$s3: get_OSFullName 0x69fe5:$s3: get_OSFullName 0x31203:$s5: remove_Key 0x31392:$s5: remove_Key 0x6b623:$s5: remove_Key 0x6b7b2:$s5: remove_Key 0x32273:$s6: FtpWebRequest 0x6c693:$s6: FtpWebRequest 0x330b5:$s7: logins 0x33627:$s7: logins 0x3630a:$s7: logins 0x363ea:$s7: logins 0x37ce6:$s7: logins 0x6d4d5:$s7: logins 0x6da47:$s7: logins 0x7072a:$s7: logins 0x7080a:$s7: logins 0x72106:$s7: logins 0x36f84:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3c05828.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3c05828.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3c05828.4.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3c05828.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3c05828.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3c05828.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x256ea3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x2912c3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x256f15:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x291335:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x256f9f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x2913bf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x257031:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x291451:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x25709b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x2914bb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x25710d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x29152d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2571a3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2915c3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x257233:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x291653:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3c05828.4.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x254296:$s2: GetPrivateProfileString 0x28e6b6:$s2: GetPrivateProfileString 0x253995:$s3: get_OSFullName 0x28ddb5:$s3: get_OSFullName 0x254fd3:$s5: remove_Key 0x255162:$s5: remove_Key 0x28f3f3:$s5: remove_Key 0x28f582:$s5: remove_Key 0x256043:$s6: FtpWebRequest 0x290463:$s6: FtpWebRequest 0x256e85:$s7: logins 0x2573f7:$s7: logins 0x25a0da:$s7: logins 0x25a1ba:$s7: logins 0x25bab6:$s7: logins 0x2912a5:$s7: logins 0x291817:$s7: logins 0x2944fa:$s7: logins 0x2945da:$s7: logins 0x295ed6:$s7: logins 0x25ad54:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3c05828.4.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x10e89:$s1: file:/// 0x10de5:$s2: {11111-22222-10009-11112} 0x10e19:$s3: {11111-22222-50001-00000} 0xf1b3:$s4: get_Module 0x253cb6:$s5: Reverse 0x28e0d6:$s5: Reverse 0x256656:$s6: BlockCopy 0x290a76:$s6: BlockCopy 0x2d4130:$s6: BlockCopy 0x253f1b:$s7: ReadByte 0x28e33b:$s7: ReadByte 0x2d3fbe:$s7: ReadByte 0x10e9b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 27 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe", ParentImage: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe, ParentProcessId: 6500, ParentProcessName: WOOYANG VENUS PARTICULARS.pdf.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe", ProcessId: 7032, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe", ParentImage: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe, ParentProcessId: 6500, ParentProcessName: WOOYANG VENUS PARTICULARS.pdf.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe", ProcessId: 7032, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 3.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://beirutrest.com", "Username": "belogs@beirutrest.com", "Password": "9yXQ39wz(uL+"}

Multi AV Scanner detection for submitted file

Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe	ReversingLabs: Detection: 28%
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe	Virustotal: Detection: 33%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe

Joe Sandbox ML: detected

Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49733 version: TLS 1.2

Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 4x nop then jmp 0760B6ADh		0_2_0760AE7E
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 4x nop then jmp 0760B6ADh		0_2_0760ACD8

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3c05828.4.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View	IP Address: 50.87.144.157 50.87.144.157
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: beirutrest.com

Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000003.00000002.4131473749.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://beirutrest.com
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1700278484.0000000002C1B000.00000004.00000800.00020000.00000000.sdmp, WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000003.00000002.4131473749.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705020985.0000000005674000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com;c
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1701331816.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1701331816.0000000003C05000.00000004.00000800.00020000.00000000.sdmp, WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000003.00000002.4130201435.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1701331816.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1701331816.0000000003C05000.00000004.00000800.00020000.00000000.sdmp, WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000003.00000002.4131473749.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000003.00000002.4130201435.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000003.00000002.4131473749.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000003.00000002.4131473749.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49733 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.raw.unpack, n00.cs	.Net Code: lGCzgIzdr
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3bc9970.1.raw.unpack, n00.cs	.Net Code: lGCzgIzdr

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3bc9970.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3bc9970.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3bc9970.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3bc9970.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3c05828.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3c05828.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3c05828.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: WOOYANG VENUS PARTICULARS.pdf.scr.exe

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 0_2_0118DE34	0_2_0118DE34
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 0_2_074B0460	0_2_074B0460
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 0_2_074BBAC8	0_2_074BBAC8
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 0_2_074B80E8	0_2_074B80E8
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 0_2_074B70A0	0_2_074B70A0
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 0_2_074B0452	0_2_074B0452
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 0_2_074BB3C9	0_2_074BB3C9
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 0_2_074BB3D8	0_2_074BB3D8
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 0_2_0760D4B0	0_2_0760D4B0
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 0_2_07608368	0_2_07608368
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 0_2_07608378	0_2_07608378
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 0_2_076070C7	0_2_076070C7
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 0_2_076070D8	0_2_076070D8
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 0_2_07608D28	0_2_07608D28
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 0_2_07606CA0	0_2_07606CA0
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 0_2_07606868	0_2_07606868
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 3_2_00F6E5B8	3_2_00F6E5B8
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 3_2_00F6AA9B	3_2_00F6AA9B
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 3_2_00F64A58	3_2_00F64A58
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 3_2_00F6DD38	3_2_00F6DD38
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 3_2_00F63E40	3_2_00F63E40
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 3_2_00F64188	3_2_00F64188
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 3_2_068F8970	3_2_068F8970
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 3_2_068FB5F8	3_2_068FB5F8
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 3_2_06907D80	3_2_06907D80
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 3_2_069055A0	3_2_069055A0
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 3_2_069065F0	3_2_069065F0
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 3_2_0690B238	3_2_0690B238
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 3_2_06903060	3_2_06903060
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 3_2_0690C190	3_2_0690C190
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 3_2_069076A0	3_2_069076A0
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 3_2_06905CE3	3_2_06905CE3
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 3_2_0690E3A8	3_2_0690E3A8
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 3_2_06900040	3_2_06900040
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 3_2_06900007	3_2_06900007
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 3_2_06900557	3_2_06900557

Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1706420708.00000000078F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs WOOYANG VENUS PARTICULARS.pdf.scr.exe
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1698370586.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs WOOYANG VENUS PARTICULARS.pdf.scr.exe
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1701331816.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs WOOYANG VENUS PARTICULARS.pdf.scr.exe
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1701331816.0000000003C05000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs WOOYANG VENUS PARTICULARS.pdf.scr.exe
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1701331816.0000000003C05000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs WOOYANG VENUS PARTICULARS.pdf.scr.exe
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1701331816.0000000003C05000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs WOOYANG VENUS PARTICULARS.pdf.scr.exe
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000000.1672449991.00000000008F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesEOq.exe" vs WOOYANG VENUS PARTICULARS.pdf.scr.exe
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1700278484.0000000002C1B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs WOOYANG VENUS PARTICULARS.pdf.scr.exe
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1704633331.00000000055F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs WOOYANG VENUS PARTICULARS.pdf.scr.exe
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000003.00000002.4130201435.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs WOOYANG VENUS PARTICULARS.pdf.scr.exe
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000003.00000002.4130367868.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs WOOYANG VENUS PARTICULARS.pdf.scr.exe
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe	Binary or memory string: OriginalFilenamesEOq.exe" vs WOOYANG VENUS PARTICULARS.pdf.scr.exe

Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3bc9970.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3bc9970.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3bc9970.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3bc9970.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3c05828.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3c05828.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3c05828.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.55f0000.5.raw.unpack, id.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3c05828.4.raw.unpack, id.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.raw.unpack, NpXw3kw.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.raw.unpack, NpXw3kw.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.raw.unpack, fpnV0Qjz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.raw.unpack, fpnV0Qjz.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.78f0000.6.raw.unpack, FDcg2RCaA8XH7sPHad.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3ea8418.3.raw.unpack, FDcg2RCaA8XH7sPHad.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.78f0000.6.raw.unpack, ednP2uRQ6bwR5K5WiS.cs	Security API names: _0020.SetAccessControl
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.78f0000.6.raw.unpack, ednP2uRQ6bwR5K5WiS.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.78f0000.6.raw.unpack, ednP2uRQ6bwR5K5WiS.cs	Security API names: _0020.AddAccessRule
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3ea8418.3.raw.unpack, ednP2uRQ6bwR5K5WiS.cs	Security API names: _0020.SetAccessControl
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3ea8418.3.raw.unpack, ednP2uRQ6bwR5K5WiS.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3ea8418.3.raw.unpack, ednP2uRQ6bwR5K5WiS.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/6@2/2

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WOOYANG VENUS PARTICULARS.pdf.scr.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7076:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xzxq2erv.acj.ps1

Jump to behavior

Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe	ReversingLabs: Detection: 28%
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe	Virustotal: Detection: 33%

Source: unknown	Process created: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe "C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe"
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe"
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process created: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe "C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process created: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe "C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe"	Jump to behavior

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.55f0000.5.raw.unpack, id.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3c05828.4.raw.unpack, id.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3ea8418.3.raw.unpack, ednP2uRQ6bwR5K5WiS.cs	.Net Code: kOMI79lcc0 System.Reflection.Assembly.Load(byte[])
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.78f0000.6.raw.unpack, ednP2uRQ6bwR5K5WiS.cs	.Net Code: kOMI79lcc0 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 3_2_00F6A9E0 push eax; iretd	3_2_00F6AA99
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 3_2_00F60C6D push edi; retf	3_2_00F60C7A
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Code function: 3_2_00F60C45 push ebx; retf	3_2_00F60C52

Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe

Static PE information: section name: .text entropy: 7.7396529152476745

Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3ea8418.3.raw.unpack, x6MI3bL9JnM4ysvp1q.cs	High entropy of concatenated method names: 'FrG7U5kDs', 'NVMvXnP23', 'NcVhkuQGi', 'XsnxnwvSN', 'SOQ1DXnlh', 'eBk3mXGX7', 'T5p2GQgj6tXoDx9NoL', 'lRp0hsMpRk0hsNrVCX', 'FNHFloN2U', 'BBuZA8E8q'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3ea8418.3.raw.unpack, y2axF64XliayokbmOBE.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'K8yZMPLMAk', 'LRtZptkpG5', 'sivZD18RFL', 'WbMZtFAAAV', 'nHeZK6IO60', 'xqCZVrs2qg', 'cuqZyRUYAp'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3ea8418.3.raw.unpack, R6OCLWIVEjfKnIvDsp.cs	High entropy of concatenated method names: 'op34aDcg2R', 'kA84RXH7sP', 'viO4958VDl', 'HZl4grgY9X', 'rI840KOUmA', 'pNM4b35nr5', 'UYfJIjCoX6Vv1NWQxO', 'YZGicKZCXZ1uFGa09B', 'BGV449SM54', 'So84eVRbY3'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3ea8418.3.raw.unpack, Quxh1Y4LT6uNojY2D5q.cs	High entropy of concatenated method names: 'ToString', 'uKwcCGpYi4', 'PMoc1UtQmY', 'algc3KJIdk', 'nCyckP4QgK', 'pcdcsbco3t', 'pVpc2CFR6l', 'GsQcrqp18f', 'AjD4CawNtvpBIPONqyo', 'iMt88LwpuvT4e3EgHS7'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3ea8418.3.raw.unpack, FDcg2RCaA8XH7sPHad.cs	High entropy of concatenated method names: 'oxyYtfXZua', 'mXpYKpuNQ1', 'sUlYVefqLR', 'uJYYyRNivI', 'jNcYuqZePL', 'WoJYHxwk61', 'DhcYnGUlj2', 'AbFYBFatt6', 'SXmYJXmt0e', 'JflYih5qVN'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3ea8418.3.raw.unpack, TX8BQ9AwYGvUBe7b0y.cs	High entropy of concatenated method names: 'j2EafIF1i2', 'yQnao9lL2b', 'pvlajr2Ec6', 'JgCjifTcyd', 'UQdjzxNr0Z', 'dKWaXUVv6e', 'wSDa4D88Ff', 'Lg6aLdBZFU', 'Yatae47ly9', 'Y3iaIW96sA'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3ea8418.3.raw.unpack, pwrGgODa2OMnCWGC16.cs	High entropy of concatenated method names: 'WSa8CRMMaU', 'gBx81cRCPp', 'aBM8kkQy1Q', 'XTf8s00fE7', 'h6m8rHa75m', 'QXn86KFkd6', 'mX38AkmQbp', 'QEk8SroyX4', 'hy98lL6BXr', 'y0r8MDlOOC'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3ea8418.3.raw.unpack, xS0XmHYMS8G8nk62fP.cs	High entropy of concatenated method names: 'Dispose', 'FUg4JBdl2K', 'sD8LsRBm4G', 'bqMEqq4u70', 'ByE4iu63hx', 'Xc64z02iVs', 'ProcessDialogKey', 'GhWLXvKXeW', 'ObAL4pLy4J', 'i6jLLa4OTn'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3ea8418.3.raw.unpack, j4OTnai5IIqVAmsyv0.cs	High entropy of concatenated method names: 'OTFZoo0JWw', 'w0QZOq35dU', 'JByZjyUgUV', 'A79ZaQGvW9', 'kK8ZENUC3X', 'NbnZR0DJEc', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3ea8418.3.raw.unpack, xvKXeWJMbApLy4Jj6j.cs	High entropy of concatenated method names: 'iPREkJCP58', 'oxEEsnSIiZ', 'bA0E2W1iF1', 'YDrErRtJ2r', 'uSFE6NjvGx', 'mgjEPgSKBp', 'rP0EA9B6CL', 'aL5ESBo14l', 'uIAEGpAs9s', 'X0IElipi3u'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3ea8418.3.raw.unpack, MKWVK6zPpEhGenqM4s.cs	High entropy of concatenated method names: 'zyVZhBnIrP', 'O5NZC7uZRt', 'MitZ1b2gb7', 'XW4Zk3K8Xa', 'It4ZstMTD2', 'DCZZrSlbX9', 'RlsZ6QSFUQ', 'zL5ZWtcxtQ', 'CaFZw7ZfKU', 'N3HZU5y0xv'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3ea8418.3.raw.unpack, ApJ2WT1iO58VDlsZlr.cs	High entropy of concatenated method names: 'h4HovCNr62', 'jDVoh7cDYH', 'zg4oCGJGyX', 'RWxo198m8b', 'uISo0VCe6B', 'bGVobKWHsW', 'Uy4oNwRfdg', 'fAuoFwysEx', 'zfqoE9ZKlm', 'm4loZXgUdN'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3ea8418.3.raw.unpack, ednP2uRQ6bwR5K5WiS.cs	High entropy of concatenated method names: 'sf2emh2Gpc', 'S2CefUaXSj', 'MEXeYVcwBD', 'VRseo2bX9Q', 'CEqeOJgBmO', 'qDXejD1HK9', 'EwAeaob4Mu', 'o9aeRPGyBJ', 'LXjed1OB0X', 'YZUe9neDX5'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3ea8418.3.raw.unpack, QDq5eTnKt3UgBdl2Kh.cs	High entropy of concatenated method names: 'imPE0E0O8m', 'SpNEN6rXcj', 'JHXEEg6NeS', 'AkeEchGDWN', 'wuJETblI96', 'YGQEW5sd0a', 'Dispose', 'yH7FfhCvyL', 'Un6FYFdKvf', 'K1BFokQF8L'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3ea8418.3.raw.unpack, plqWmM4I6jJSl038LyL.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gAQqEyDf0Y', 'TUaqZxpIxx', 'RkXqcAuJuh', 'QUeqqsNq68', 'yIIqTRCmkx', 'M6iqQ3pBFn', 'lByqWaiUXH'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3ea8418.3.raw.unpack, ymAbNMk35nr5csCaZc.cs	High entropy of concatenated method names: 'd1CjmIFxlt', 'T5wjYrKcxg', 'n5WjO7A5sA', 'rR9jaJbgJV', 'TgKjRudc73', 'ROBOuupaGa', 'LI3OHeyIL7', 'hMEOn838EV', 'LH6OBoH41H', 'gDQOJmW3Gn'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3ea8418.3.raw.unpack, codNXnGtklSpgOcKdm.cs	High entropy of concatenated method names: 'rJIawcRx7P', 'BrPaUZbvVB', 'Su0a7VZ4Ht', 'lkhavS5j07', 'xHKa5CKUpH', 'jRrahl2QiY', 'tpsax5BJqF', 'LhqaCuy7IB', 'lIia1jg84U', 'HK2a3L0DAh'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3ea8418.3.raw.unpack, tGSWw7tesx26cQdf1f.cs	High entropy of concatenated method names: 'C980lOGRqX', 'sVe0pM4iMT', 'tox0tyFaNW', 'sko0Ke7yTN', 'f7q0siTvFv', 'kWO02U4hRT', 'gxR0roK6Mw', 'chO06A7IbX', 'rXn0PhasJa', 'Enl0A77QmQ'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3ea8418.3.raw.unpack, mY9XLi3SKxOZYEI8KO.cs	High entropy of concatenated method names: 'RpNO5bKeyd', 'fxvOxY43ja', 'jgjo2FFXJQ', 'CyQortX83a', 'Dqdo6mFgjc', 'HOtoPF8Pj3', 'HlRoAXnTta', 'WcYoSpqSdq', 'hhMoGgkLq7', 'FE4olxI695'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3ea8418.3.raw.unpack, n5GDGTHUMZRpDh3i5i.cs	High entropy of concatenated method names: 'gMvNBDmtdQ', 'BI3Nirm8Tw', 'DDZFXmW3Eb', 'ByNF4TeXXp', 'OY8NMdupaq', 'iHrNpqJGwp', 'olXNDXAXv1', 'n1DNtUF3pC', 'caJNKhth8s', 'eWqNVX4hWo'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3ea8418.3.raw.unpack, v0K5lPVAwSPMMBKDPO.cs	High entropy of concatenated method names: 'ToString', 'Kq6bMNxlHh', 'b4SbsrgVJl', 'fyvb23FR6s', 'LZ6brqIrvZ', 'dStb6nq3yS', 'feqbPodny2', 'j0ZbAvnaZg', 'z5QbSOS5K6', 'yndbGmplAd'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3ea8418.3.raw.unpack, NXVwKg44YhNq0Tjth17.cs	High entropy of concatenated method names: 'JP8ZibpGhI', 'yTkZzo94Zh', 'Vb4cXARYSu', 'Gcmc4IucVq', 'zWpcLLfkDi', 'fYcceKgMKe', 'wcLcIFNHZS', 'ma2cmrOQjn', 'TKCcfBHtK1', 'gE3cYwjENF'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.78f0000.6.raw.unpack, x6MI3bL9JnM4ysvp1q.cs	High entropy of concatenated method names: 'FrG7U5kDs', 'NVMvXnP23', 'NcVhkuQGi', 'XsnxnwvSN', 'SOQ1DXnlh', 'eBk3mXGX7', 'T5p2GQgj6tXoDx9NoL', 'lRp0hsMpRk0hsNrVCX', 'FNHFloN2U', 'BBuZA8E8q'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.78f0000.6.raw.unpack, y2axF64XliayokbmOBE.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'K8yZMPLMAk', 'LRtZptkpG5', 'sivZD18RFL', 'WbMZtFAAAV', 'nHeZK6IO60', 'xqCZVrs2qg', 'cuqZyRUYAp'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.78f0000.6.raw.unpack, R6OCLWIVEjfKnIvDsp.cs	High entropy of concatenated method names: 'op34aDcg2R', 'kA84RXH7sP', 'viO4958VDl', 'HZl4grgY9X', 'rI840KOUmA', 'pNM4b35nr5', 'UYfJIjCoX6Vv1NWQxO', 'YZGicKZCXZ1uFGa09B', 'BGV449SM54', 'So84eVRbY3'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.78f0000.6.raw.unpack, Quxh1Y4LT6uNojY2D5q.cs	High entropy of concatenated method names: 'ToString', 'uKwcCGpYi4', 'PMoc1UtQmY', 'algc3KJIdk', 'nCyckP4QgK', 'pcdcsbco3t', 'pVpc2CFR6l', 'GsQcrqp18f', 'AjD4CawNtvpBIPONqyo', 'iMt88LwpuvT4e3EgHS7'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.78f0000.6.raw.unpack, FDcg2RCaA8XH7sPHad.cs	High entropy of concatenated method names: 'oxyYtfXZua', 'mXpYKpuNQ1', 'sUlYVefqLR', 'uJYYyRNivI', 'jNcYuqZePL', 'WoJYHxwk61', 'DhcYnGUlj2', 'AbFYBFatt6', 'SXmYJXmt0e', 'JflYih5qVN'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.78f0000.6.raw.unpack, TX8BQ9AwYGvUBe7b0y.cs	High entropy of concatenated method names: 'j2EafIF1i2', 'yQnao9lL2b', 'pvlajr2Ec6', 'JgCjifTcyd', 'UQdjzxNr0Z', 'dKWaXUVv6e', 'wSDa4D88Ff', 'Lg6aLdBZFU', 'Yatae47ly9', 'Y3iaIW96sA'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.78f0000.6.raw.unpack, pwrGgODa2OMnCWGC16.cs	High entropy of concatenated method names: 'WSa8CRMMaU', 'gBx81cRCPp', 'aBM8kkQy1Q', 'XTf8s00fE7', 'h6m8rHa75m', 'QXn86KFkd6', 'mX38AkmQbp', 'QEk8SroyX4', 'hy98lL6BXr', 'y0r8MDlOOC'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.78f0000.6.raw.unpack, xS0XmHYMS8G8nk62fP.cs	High entropy of concatenated method names: 'Dispose', 'FUg4JBdl2K', 'sD8LsRBm4G', 'bqMEqq4u70', 'ByE4iu63hx', 'Xc64z02iVs', 'ProcessDialogKey', 'GhWLXvKXeW', 'ObAL4pLy4J', 'i6jLLa4OTn'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.78f0000.6.raw.unpack, j4OTnai5IIqVAmsyv0.cs	High entropy of concatenated method names: 'OTFZoo0JWw', 'w0QZOq35dU', 'JByZjyUgUV', 'A79ZaQGvW9', 'kK8ZENUC3X', 'NbnZR0DJEc', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.78f0000.6.raw.unpack, xvKXeWJMbApLy4Jj6j.cs	High entropy of concatenated method names: 'iPREkJCP58', 'oxEEsnSIiZ', 'bA0E2W1iF1', 'YDrErRtJ2r', 'uSFE6NjvGx', 'mgjEPgSKBp', 'rP0EA9B6CL', 'aL5ESBo14l', 'uIAEGpAs9s', 'X0IElipi3u'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.78f0000.6.raw.unpack, MKWVK6zPpEhGenqM4s.cs	High entropy of concatenated method names: 'zyVZhBnIrP', 'O5NZC7uZRt', 'MitZ1b2gb7', 'XW4Zk3K8Xa', 'It4ZstMTD2', 'DCZZrSlbX9', 'RlsZ6QSFUQ', 'zL5ZWtcxtQ', 'CaFZw7ZfKU', 'N3HZU5y0xv'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.78f0000.6.raw.unpack, ApJ2WT1iO58VDlsZlr.cs	High entropy of concatenated method names: 'h4HovCNr62', 'jDVoh7cDYH', 'zg4oCGJGyX', 'RWxo198m8b', 'uISo0VCe6B', 'bGVobKWHsW', 'Uy4oNwRfdg', 'fAuoFwysEx', 'zfqoE9ZKlm', 'm4loZXgUdN'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.78f0000.6.raw.unpack, ednP2uRQ6bwR5K5WiS.cs	High entropy of concatenated method names: 'sf2emh2Gpc', 'S2CefUaXSj', 'MEXeYVcwBD', 'VRseo2bX9Q', 'CEqeOJgBmO', 'qDXejD1HK9', 'EwAeaob4Mu', 'o9aeRPGyBJ', 'LXjed1OB0X', 'YZUe9neDX5'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.78f0000.6.raw.unpack, QDq5eTnKt3UgBdl2Kh.cs	High entropy of concatenated method names: 'imPE0E0O8m', 'SpNEN6rXcj', 'JHXEEg6NeS', 'AkeEchGDWN', 'wuJETblI96', 'YGQEW5sd0a', 'Dispose', 'yH7FfhCvyL', 'Un6FYFdKvf', 'K1BFokQF8L'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.78f0000.6.raw.unpack, plqWmM4I6jJSl038LyL.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gAQqEyDf0Y', 'TUaqZxpIxx', 'RkXqcAuJuh', 'QUeqqsNq68', 'yIIqTRCmkx', 'M6iqQ3pBFn', 'lByqWaiUXH'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.78f0000.6.raw.unpack, ymAbNMk35nr5csCaZc.cs	High entropy of concatenated method names: 'd1CjmIFxlt', 'T5wjYrKcxg', 'n5WjO7A5sA', 'rR9jaJbgJV', 'TgKjRudc73', 'ROBOuupaGa', 'LI3OHeyIL7', 'hMEOn838EV', 'LH6OBoH41H', 'gDQOJmW3Gn'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.78f0000.6.raw.unpack, codNXnGtklSpgOcKdm.cs	High entropy of concatenated method names: 'rJIawcRx7P', 'BrPaUZbvVB', 'Su0a7VZ4Ht', 'lkhavS5j07', 'xHKa5CKUpH', 'jRrahl2QiY', 'tpsax5BJqF', 'LhqaCuy7IB', 'lIia1jg84U', 'HK2a3L0DAh'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.78f0000.6.raw.unpack, tGSWw7tesx26cQdf1f.cs	High entropy of concatenated method names: 'C980lOGRqX', 'sVe0pM4iMT', 'tox0tyFaNW', 'sko0Ke7yTN', 'f7q0siTvFv', 'kWO02U4hRT', 'gxR0roK6Mw', 'chO06A7IbX', 'rXn0PhasJa', 'Enl0A77QmQ'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.78f0000.6.raw.unpack, mY9XLi3SKxOZYEI8KO.cs	High entropy of concatenated method names: 'RpNO5bKeyd', 'fxvOxY43ja', 'jgjo2FFXJQ', 'CyQortX83a', 'Dqdo6mFgjc', 'HOtoPF8Pj3', 'HlRoAXnTta', 'WcYoSpqSdq', 'hhMoGgkLq7', 'FE4olxI695'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.78f0000.6.raw.unpack, n5GDGTHUMZRpDh3i5i.cs	High entropy of concatenated method names: 'gMvNBDmtdQ', 'BI3Nirm8Tw', 'DDZFXmW3Eb', 'ByNF4TeXXp', 'OY8NMdupaq', 'iHrNpqJGwp', 'olXNDXAXv1', 'n1DNtUF3pC', 'caJNKhth8s', 'eWqNVX4hWo'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.78f0000.6.raw.unpack, v0K5lPVAwSPMMBKDPO.cs	High entropy of concatenated method names: 'ToString', 'Kq6bMNxlHh', 'b4SbsrgVJl', 'fyvb23FR6s', 'LZ6brqIrvZ', 'dStb6nq3yS', 'feqbPodny2', 'j0ZbAvnaZg', 'z5QbSOS5K6', 'yndbGmplAd'
Source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.78f0000.6.raw.unpack, NXVwKg44YhNq0Tjth17.cs	High entropy of concatenated method names: 'JP8ZibpGhI', 'yTkZzo94Zh', 'Vb4cXARYSu', 'Gcmc4IucVq', 'zWpcLLfkDi', 'fYcceKgMKe', 'wcLcIFNHZS', 'ma2cmrOQjn', 'TKCcfBHtK1', 'gE3cYwjENF'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.scr

Static PE information: WOOYANG VENUS PARTICULARS.pdf.scr.exe

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: WOOYANG VENUS PARTICULARS.pdf.scr.exe PID: 6500, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Memory allocated: 1180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Memory allocated: 2BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Memory allocated: 4BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Memory allocated: 9150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Memory allocated: 7A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Memory allocated: A150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Memory allocated: B150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Memory allocated: F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Memory allocated: 2BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Memory allocated: 4BD0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 599323	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 598321	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 595915	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5900	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3810	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Window / User API: threadDelayed 1607	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Window / User API: threadDelayed 8250	Jump to behavior

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 6524	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4488	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 2000	Thread sleep count: 1607 > 30	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 2000	Thread sleep count: 8250 > 30	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -599323s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -598765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -598437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -598321s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -597890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -597672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -597562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -597453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -597343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -597234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -597125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -597015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -596906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -596797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -596687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -596578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -596469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -596359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -596250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -596140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -596031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -595915s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -595812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -595594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -595484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -595375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -595265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -595156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -595047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -594937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -594719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe TID: 3668	Thread sleep time: -594609s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 599323	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 598321	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 595915	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1698448027.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1698448027.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000003.00000002.4130911953.0000000001013000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe"
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe

Memory written: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe"			Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Process created: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe "C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe"			Jump to behavior

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 3.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3bc9970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3bc9970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3c05828.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1701331816.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4131473749.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4130201435.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4131473749.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1701331816.0000000003C05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WOOYANG VENUS PARTICULARS.pdf.scr.exe PID: 6500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WOOYANG VENUS PARTICULARS.pdf.scr.exe PID: 7068, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.55f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.55f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3c05828.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3c05828.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1704633331.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1701331816.0000000003C05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match

File source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3c05828.4.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 3.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3bc9970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3bc9970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3c05828.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1701331816.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4130201435.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4131473749.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1701331816.0000000003C05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WOOYANG VENUS PARTICULARS.pdf.scr.exe PID: 6500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WOOYANG VENUS PARTICULARS.pdf.scr.exe PID: 7068, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 3.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3bc9970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3bc9970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3e295f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3c05828.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1701331816.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4131473749.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4130201435.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4131473749.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1701331816.0000000003C05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WOOYANG VENUS PARTICULARS.pdf.scr.exe PID: 6500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WOOYANG VENUS PARTICULARS.pdf.scr.exe PID: 7068, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.55f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.55f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3c05828.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3c05828.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1704633331.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1701331816.0000000003C05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match

File source: 0.2.WOOYANG VENUS PARTICULARS.pdf.scr.exe.3c05828.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	13 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	111 Security Software Discovery	Distributed Component Object Model	1 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
WOOYANG VENUS PARTICULARS.pdf.scr.exe	29%	ReversingLabs
WOOYANG VENUS PARTICULARS.pdf.scr.exe	33%	Virustotal	Browse
WOOYANG VENUS PARTICULARS.pdf.scr.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://www.sakkal.com;c	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
beirutrest.com	50.87.144.157	true	false		high
api.ipify.org	172.67.74.152	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com;c	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705020985.0000000005674000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.dyn.com/	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1701331816.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1701331816.0000000003C05000.00000004.00000800.00020000.00000000.sdmp, WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000003.00000002.4130201435.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000003.00000002.4131473749.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1701331816.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1701331816.0000000003C05000.00000004.00000800.00020000.00000000.sdmp, WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000003.00000002.4131473749.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000003.00000002.4130201435.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1700278484.0000000002C1B000.00000004.00000800.00020000.00000000.sdmp, WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000003.00000002.4131473749.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000000.00000002.1705165542.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://beirutrest.com	WOOYANG VENUS PARTICULARS.pdf.scr.exe, 00000003.00000002.4131473749.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
50.87.144.157	beirutrest.com	United States		46606	UNIFIEDLAYER-AS-1US	false
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562838
Start date and time:	2024-11-26 06:24:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	WOOYANG VENUS PARTICULARS.pdf.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/6@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 89 Number of non-executed functions: 19
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:24:58	API Interceptor	12103883x Sleep call for process: WOOYANG VENUS PARTICULARS.pdf.scr.exe modified
00:25:01	API Interceptor	8x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
50.87.144.157	CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	MV BBG MUARA Ship's Particulars.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse
	CHARIKLIA JUNIOR DETAILS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse
	PEACE SHIP PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	ZHENGHE 3_Q88 20241118.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	01. MT JS JIANGYIN Ship Particulars.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	ESTEEM ASTRO PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Q88.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	TROODOS AIR PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	COSCO SHIPPING WISDOM VESSEL DETAILS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
172.67.74.152	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	api.ipify.org/
	67065b4c84713_Javiles.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	4F08j2Rmd9.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	y8tCHz7CwC.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
beirutrest.com	CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
	MV BBG MUARA Ship's Particulars.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	50.87.144.157
	CHARIKLIA JUNIOR DETAILS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	50.87.144.157
	PEACE SHIP PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
	ZHENGHE 3_Q88 20241118.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
	01. MT JS JIANGYIN Ship Particulars.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
	ESTEEM ASTRO PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
	Q88.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
	TROODOS AIR PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
	COSCO SHIPPING WISDOM VESSEL DETAILS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
api.ipify.org	https://app.useblocks.io/getemail/48034?secret_hash=d1541dc5be135b2d0f39c0711cecbe46&raw=true	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	104.26.13.205
	Orden de compra HO-PO-376-25.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	172.67.74.152
	RICHIESTA D'OFFERTA.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.12.205
	DJ5PhUwOsM.exe	Get hash	malicious	AgentTesla, XWorm	Browse	104.26.13.205
	Ref#2056119.exe	Get hash	malicious	AgentTesla, XWorm	Browse	104.26.13.205
	PO#86637.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.13.205
	CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	New Purchase Order Document for PO1136908 000 SE.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	DATASHEET.pdf.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://linktr.ee/priyanka662	Get hash	malicious	Gabagool	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	https://yancesybros.com/WHF9842BVD.html	Get hash	malicious	Unknown	Browse	69.49.245.172
	Invoice-99007553423-protected.pdf	Get hash	malicious	Unknown	Browse	162.241.60.177
	https://clickme.thryv.com/ls/click?upn=u001.dxrPihnXBHUGsddmpkmwUOT9H2uuoftUJgS1ImyDp5PjZ7uor3Bx5LY8846lufrxOd-2B-2FCl5NSKC1v9uXskdIrA-3D-3DPV4X_Uxfyb-2FV90WCSGuHCd77YDe2QH-2FfxD2e5Op8ULStuWwSYUM08QLuqWk0rbdQO8p2GP5XR1Nwn9dFZi5DaOMyz92mdTvaHywQzrJIxcHTOEjrrUNll1a6cdLHKylkZo7LdScnRC-2F7iC6hnMEdduqsWXASxbd-2BZeaoWZvCDaIudlukgt9S3uZsKQeBP86XSjGCyt8CMjRvxL6j1Dyr0eym46qao7knFO6iIo9LZAeoxbyu5E6pzhyc9-2F2VP-2BlZM3Ea-2B-2FiBNpyPNxcoMEQ2om5Ig-2F7RZ8WTAt-2F5MxtsslPlJve5tzpsISP74pi-2B8USUpl-2BAaEmzHGUoeKWRMyxJH35FiSw-3D-3D	Get hash	malicious	Unknown	Browse	192.185.214.89
	AccountDocuments - christinal.docx	Get hash	malicious	Unknown	Browse	192.185.181.6
	https://www.google.com/url?q=https://clickme.thryv.com/ls/click?upn%3Du001.3HlspJ5fg-2BP4CQkV7GSVhvWTpgC6w0k7sA8b2Z9JBYU9BEMXtqHWLHW9PPcpforJszQ3_jzclrAiO28PBUU1ZLf2yC1YJEF5Rt8zDnz4yKbEuFqXf3c0fVOhzL2fXxOYix3CjCrzlLwoIPSXb9PavK50mtpdK-2FWF7thydb3q6E5ptEQiOVUz527Ewi1t813S-2FHejAJLe09fD2VqgM8mtwuQZA9i83VLkCPF4iItCSPXKUpNgWQKWxjEO6jlBp5GYVLghrpKcDuea5GONmLMVlbh4fQe7dtjhTFxxxExxfN1kv5tnx1PPl9DjYIyE468wz1qa1Z-2FWJgZrJbIFEpqhd4o5tGGyUoiPcIot5l2j9dpjy7QKj99ZiCz-2BBLi5dHUIl8gC4RxZBl-2FMaH4IZlQyWpqM-2BtZ9uE3ezFUl2fORMwAp4lQk-3D%23Cjanetrosenbach@imageindustries.com&source=gmail-imap&ust=1733149343000000&usg=AOvVaw1uIAp-JnZbTlkY9Td9ZLJj	Get hash	malicious	HTMLPhisher	Browse	192.185.113.79
	RICHIESTA D'OFFERTA.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	192.254.225.136
	Annual_Q4_Benefits_&_Bonus_for_Ed.riley#IyNURVhUTlVNUkFORE9NNDUjIw==.docx	Get hash	malicious	HTMLPhisher	Browse	108.179.192.137
	fat098765678900.bat.exe	Get hash	malicious	AgentTesla	Browse	162.241.62.63
	3e5cb809-f546-fb3c-b0e3-5de228b453ab.eml	Get hash	malicious	HTMLPhisher	Browse	108.179.192.137
	3e5cb809-f546-fb3c-b0e3-5de228b453ab.eml	Get hash	malicious	HTMLPhisher	Browse	108.179.192.137
CLOUDFLARENETUS	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.7.169
	kkEzK284oT.exe	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.187.240
	5QnwxSJVyX.doc	Get hash	malicious	Unknown	Browse	162.159.136.232
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.67.187.240
	file.exe	Get hash	malicious	Unknown	Browse	104.21.7.169
	speedymaqing.exe	Get hash	malicious	Python Stealer, Discord Token Stealer	Browse	162.159.138.232
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	5QnwxSJVyX.doc	Get hash	malicious	Unknown	Browse	172.67.74.152
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.67.74.152
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.67.74.152
	file.exe	Get hash	malicious	FormBook	Browse	172.67.74.152
	file.exe	Get hash	malicious	FormBook	Browse	172.67.74.152
	Orden de compra HO-PO-376-25.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	172.67.74.152
	file.exe	Get hash	malicious	Cryptbot	Browse	172.67.74.152
	INV-0542.pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.74.152
	Evidence of copyright infringement (2).bat	Get hash	malicious	Unknown	Browse	172.67.74.152
	Evidence of copyright infringement.bat	Get hash	malicious	Unknown	Browse	172.67.74.152

Process:	C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84qXKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3ogvitHo6hAHKzea
MD5:	E193AFF55D4BDD9951CB4287A7D79653
SHA1:	F94AD920B9E0EB43B5005D74552AB84EAA38E985
SHA-256:	08DD5825B4EDCC256AEB08525DCBCDA342252A9C9746BE23FBC70A801F5A596E
SHA-512:	86F6ECDB47C1A7FFA460F3BC6038ACAFC9D4DED4D1E8D1FB7B8FE9145D9D384AB4EE7A7C3BE959A25B265AFEDB8FD31BA10073EC116B65BFE3326EF2C53394E6
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	5.354777075714867
Encrypted:	false
SSDEEP:	24:3gWSKco4KmZjKbmOIKoas4RPT6moUP7mZ9t7J0gt/NKIl9ia8Hu:QWSU4xympx4RfoUP7mZ9tK8NDT
MD5:	A836174B23DC3E193018534C61A4B022
SHA1:	7C332DD626BA7CC7AE32719FD136F79AA09C665D
SHA-256:	A565F870FA7A87C4DF5FE1E041EAD41D8199B48D1A6F4E65D46388777086439D
SHA-512:	DF70575215A962B8D67D9EE229568963EE0F8199E8AB766FCEB4EF3B78320DA1E3530CA9A25B68533FB0BDFE2F9D768BE00A283AE130982E72ED84332C275D9B
Malicious:	false
Reputation:	low
Preview:	@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dxv3plo5.1wy.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jrgadk3f.j20.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vjgvwdmp.mdo.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xzxq2erv.acj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.7336718421768404
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	WOOYANG VENUS PARTICULARS.pdf.scr.exe
File size:	726'016 bytes
MD5:	93e502520786ba056be0b8a02c30ffd9
SHA1:	a6b1c8eea0ee256fd502d7ee63db9d6e4a76b71b
SHA256:	59e8919a70ecf74746e7bac52469b520a8a4fa929e8fa8171e22342d8dc4e1d6
SHA512:	b49fb357f83fd9341870a9c5221a10002d4c5e210ee25238a93afc473143e2706e9454a855c818e67096c1194302a4ba337fea39664d3dfa274ee6aaba8a4d06
SSDEEP:	12288:tm6Cb+eCSmcv+bQ/ZNW3eKbcDCwATR1nL9LCDfdyu8WNuSQtZCtT52JX3Xu6WX6:tkCC+2AccTbQD4TWNnQtstT5inu6I6
TLSH:	F9F40189221BC907E8CB5B704971E3F5667C6ECDB910D3138BEDBCEB781A318754A285
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7Eg..............0.................. ... ....@.. ....................................@................................

File Icon


Icon Hash:	322e2e3eee6e2697

Static PE Info

General

Entrypoint:	0x4b02c6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x674537D1 [Tue Nov 26 02:52:01 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb0274	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb2000	0x2a6c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xae2cc	0xae400	f1aabee1dbd786bc5986f41e8e1c6979	False	0.9100217449784792	data	7.7396529152476745	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb2000	0x2a6c	0x2c00	70831cc85f5571ff9032e8b0be582e43	False	0.8671875	data	7.468133556492533	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb6000	0xc	0x200	ac999c8a712c0fd890ca79c86b89eee4	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb2100	0x241d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9700378583017848
RT_GROUP_ICON	0xb4530	0x14	data	1.05
RT_VERSION	0xb4554	0x318	data	0.4444444444444444
RT_MANIFEST	0xb487c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2024 06:25:01.630507946 CET	49733	443	192.168.2.4	172.67.74.152
Nov 26, 2024 06:25:01.630572081 CET	443	49733	172.67.74.152	192.168.2.4
Nov 26, 2024 06:25:01.630649090 CET	49733	443	192.168.2.4	172.67.74.152
Nov 26, 2024 06:25:01.638063908 CET	49733	443	192.168.2.4	172.67.74.152
Nov 26, 2024 06:25:01.638077021 CET	443	49733	172.67.74.152	192.168.2.4
Nov 26, 2024 06:25:02.898893118 CET	443	49733	172.67.74.152	192.168.2.4
Nov 26, 2024 06:25:02.898964882 CET	49733	443	192.168.2.4	172.67.74.152
Nov 26, 2024 06:25:02.902524948 CET	49733	443	192.168.2.4	172.67.74.152
Nov 26, 2024 06:25:02.902535915 CET	443	49733	172.67.74.152	192.168.2.4
Nov 26, 2024 06:25:02.902740002 CET	443	49733	172.67.74.152	192.168.2.4
Nov 26, 2024 06:25:02.951854944 CET	49733	443	192.168.2.4	172.67.74.152
Nov 26, 2024 06:25:02.976659060 CET	49733	443	192.168.2.4	172.67.74.152
Nov 26, 2024 06:25:03.019376040 CET	443	49733	172.67.74.152	192.168.2.4
Nov 26, 2024 06:25:03.352380991 CET	443	49733	172.67.74.152	192.168.2.4
Nov 26, 2024 06:25:03.352435112 CET	443	49733	172.67.74.152	192.168.2.4
Nov 26, 2024 06:25:03.352498055 CET	49733	443	192.168.2.4	172.67.74.152
Nov 26, 2024 06:25:03.388077021 CET	49733	443	192.168.2.4	172.67.74.152
Nov 26, 2024 06:25:04.754309893 CET	49735	21	192.168.2.4	50.87.144.157
Nov 26, 2024 06:25:04.874278069 CET	21	49735	50.87.144.157	192.168.2.4
Nov 26, 2024 06:25:04.874347925 CET	49735	21	192.168.2.4	50.87.144.157
Nov 26, 2024 06:25:04.877695084 CET	49735	21	192.168.2.4	50.87.144.157
Nov 26, 2024 06:25:05.001535892 CET	21	49735	50.87.144.157	192.168.2.4
Nov 26, 2024 06:25:05.003599882 CET	21	49735	50.87.144.157	192.168.2.4
Nov 26, 2024 06:25:05.003653049 CET	49735	21	192.168.2.4	50.87.144.157

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2024 06:25:01.469849110 CET	53226	53	192.168.2.4	1.1.1.1
Nov 26, 2024 06:25:01.612848043 CET	53	53226	1.1.1.1	192.168.2.4
Nov 26, 2024 06:25:04.052278042 CET	59837	53	192.168.2.4	1.1.1.1
Nov 26, 2024 06:25:04.753667116 CET	53	59837	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 26, 2024 06:25:01.469849110 CET	192.168.2.4	1.1.1.1	0x1c09	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:25:04.052278042 CET	192.168.2.4	1.1.1.1	0x56af	Standard query (0)	beirutrest.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 26, 2024 06:25:01.612848043 CET	1.1.1.1	192.168.2.4	0x1c09	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:25:01.612848043 CET	1.1.1.1	192.168.2.4	0x1c09	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:25:01.612848043 CET	1.1.1.1	192.168.2.4	0x1c09	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 26, 2024 06:25:04.753667116 CET	1.1.1.1	192.168.2.4	0x56af	No error (0)	beirutrest.com	50.87.144.157	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	172.67.74.152	443	7068	C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 05:25:02 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-26 05:25:03 UTC	399	IN	HTTP/1.1 200 OK Date: Tue, 26 Nov 2024 05:25:03 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e8774a6dcb88ca1-EWR server-timing: cfL4;desc="?proto=TCP&rtt=2005&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1446260&cwnd=168&unsent_bytes=0&cid=be79a7612e578a4f&ts=462&x=0"
2024-11-26 05:25:03 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35 Data Ascii: 8.46.123.75

Target ID:	0
Start time:	00:24:57
Start date:	26/11/2024
Path:	C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe"
Imagebase:	0x840000
File size:	726'016 bytes
MD5 hash:	93E502520786BA056BE0B8A02C30FFD9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1701331816.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1701331816.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1704633331.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1701331816.0000000003C05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1701331816.0000000003C05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1701331816.0000000003C05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:25:00
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe"
Imagebase:	0x8b0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:25:00
Start date:	26/11/2024
Path:	C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\WOOYANG VENUS PARTICULARS.pdf.scr.exe"
Imagebase:	0x860000
File size:	726'016 bytes
MD5 hash:	93E502520786BA056BE0B8A02C30FFD9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4131473749.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4130201435.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4130201435.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4131473749.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4131473749.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	00:25:00
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.2%
Total number of Nodes:	262
Total number of Limit Nodes:	9

Executed Functions

Function 074B80E8 Relevance: 15.1, Strings: 10, Instructions: 2604COMMON

Download Yara Rule

Strings

4|yq, xrefs: 074BAED0
4|yq, xrefs: 074BAEEB
4'tq, xrefs: 074B8F4B
4'tq, xrefs: 074B90D3
4'tq, xrefs: 074BACFB
4'tq, xrefs: 074BAD56
4'tq, xrefs: 074B9FB9
4'tq, xrefs: 074BAD86
$tq, xrefs: 074BADA8
(otq, xrefs: 074B81BE

Memory Dump Source

Source File: 00000000.00000002.1706182625.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74b0000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID: (otq$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$4|yq$4|yq$$tq
API String ID: 0-1537292367
Opcode ID: 0d4f259794c82b2d1d2168dee2abc6921f5cc43f4bccfb1b07d3a0f56c8d8ff1
Instruction ID: 2bf3fb57f65760c6d3a771c0ed6a62e2ad003ea7650d6a48621ed4032e25bc09
Opcode Fuzzy Hash: 0d4f259794c82b2d1d2168dee2abc6921f5cc43f4bccfb1b07d3a0f56c8d8ff1
Instruction Fuzzy Hash: FC43EAB4A00219CFCB64DF68C988ADDB7B6BF89310F158596E519AB361DB30ED81CF50

Function 074BBAC8 Relevance: 8.5, Strings: 6, Instructions: 1022
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TJyq, xrefs: 074BBC6D
4'tq, xrefs: 074BC6B9
Tetq, xrefs: 074BC31C
xbwq, xrefs: 074BBBF8
<ov!, xrefs: 074BBEC4
pxq, xrefs: 074BC791

Memory Dump Source

Source File: 00000000.00000002.1706182625.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74b0000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID: 4'tq$<ov!$TJyq$Tetq$pxq$xbwq
API String ID: 0-1892564314
Opcode ID: c6b43f163527a7c8d3d1353fef775ddf23d403bce54bafc26f7646fcb7318efe
Instruction ID: c758c5f4880bb9f89b1ec1d0c1df99f2a6288aceebbd2c6b0a52538d3336c0ad
Opcode Fuzzy Hash: c6b43f163527a7c8d3d1353fef775ddf23d403bce54bafc26f7646fcb7318efe
Instruction Fuzzy Hash: 13B2B5B5E00229CFDB64CF69C984AD9BBB2FF89304F1581E5D509AB225DB319E81CF50

Function 074B70A0 Relevance: 7.0, Strings: 5, Instructions: 726COMMON

Download Yara Rule

Strings

(otq, xrefs: 074B7933
,xq, xrefs: 074B76C7
,xq, xrefs: 074B76B7
(otq, xrefs: 074B7929
Hxq, xrefs: 074B79A0

Memory Dump Source

Source File: 00000000.00000002.1706182625.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74b0000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID: (otq$(otq$,xq$,xq$Hxq
API String ID: 0-2200704163
Opcode ID: 5088cf1fb4c3ea725090b261e45da0c7ffd021fa805b9f9a5bc94ebbfda5a53c
Instruction ID: 1e206f998379d6dcdeb6251f9d2a538585442ff03bb9e0850a6a609b58867583
Opcode Fuzzy Hash: 5088cf1fb4c3ea725090b261e45da0c7ffd021fa805b9f9a5bc94ebbfda5a53c
Instruction Fuzzy Hash: 295260B4A00116DFDB25DF79C484AEEBBB2BFC9310B15815AE8059B364DB30EC41CBA0

Function 074B0460 Relevance: 6.9, Strings: 5, Instructions: 619
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hxq, xrefs: 074B0BC5
Hxq, xrefs: 074B0B3B
Hxq, xrefs: 074B0A21
Hxq, xrefs: 074B0AB4
Hxq, xrefs: 074B0C83

Memory Dump Source

Source File: 00000000.00000002.1706182625.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74b0000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID: Hxq$Hxq$Hxq$Hxq$Hxq
API String ID: 0-615405233
Opcode ID: c59eb55a42b70cdc19d7ff17abc0f54c6f213d1bba0a993d743db68b8edbd8e4
Instruction ID: 2a780d29f8884c1d7ba3c45bb33e94666007e16f4b678e672f81d161606761e7
Opcode Fuzzy Hash: c59eb55a42b70cdc19d7ff17abc0f54c6f213d1bba0a993d743db68b8edbd8e4
Instruction Fuzzy Hash: 5B3273B0A002598FDB64DFB9C4507EEBBB2BF88301F14856AD409AB355DB349D85CFA1

Function 074B0452 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706182625.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74b0000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b29b9bba23313f3c3b5c779f9e6b0f6ca645ac7a8bc5bba49de2cd2328efcc31
Instruction ID: 101932ef5536a2022df921cf672233d17cef25af0318427aaeef7237907c9162
Opcode Fuzzy Hash: b29b9bba23313f3c3b5c779f9e6b0f6ca645ac7a8bc5bba49de2cd2328efcc31
Instruction Fuzzy Hash: 49C13AB1E002158FDF24DFA5C9807DEBBB2BF88301F14C56AD409AB265EB309985CF60

Function 0760AE7E Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706274506.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc8d702606e4327cf8f8a3ae8be585ac787b4430d80f51c2bf22bb624a6a6a0
Instruction ID: fc1ec8014093bc6dbdffd72e737c9bb93c6faba6e339d9b540c838f0fe445512
Opcode Fuzzy Hash: 0cc8d702606e4327cf8f8a3ae8be585ac787b4430d80f51c2bf22bb624a6a6a0
Instruction Fuzzy Hash: 59016DF9A29114CFCB28CE54CD506F9B778EB8B210F0491A6801FA76D1D7308A82CF90

Function 0760949D Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 076096DE

Memory Dump Source

Source File: 00000000.00000002.1706274506.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2e935807425a121769763cc83827ae427d32f02cb492272ccdb2746a87c6744c
Instruction ID: da52ccd218f827fd83cb5ec7b0c2a0161b9983f841ebe684cd95c718f23b3428
Opcode Fuzzy Hash: 2e935807425a121769763cc83827ae427d32f02cb492272ccdb2746a87c6744c
Instruction Fuzzy Hash: 34A16BB1D0035ACFEB24CF69C841BDEBBB2BF48310F148569D809A7281DB74A985CF91

Function 076094A8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 076096DE

Memory Dump Source

Source File: 00000000.00000002.1706274506.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 39f2b9b19406114fafa18d1e6f5d11e1cae8bfdaa01a796fe210adfa419b07f0
Instruction ID: 8dac2ce401052ac4c55e2111e3b051b19c76b077580c1ae40cd21eebc754c6fc
Opcode Fuzzy Hash: 39f2b9b19406114fafa18d1e6f5d11e1cae8bfdaa01a796fe210adfa419b07f0
Instruction Fuzzy Hash: E3916BB1D0035ACFEB24CF69C841BDEBBB2BF48310F148569D809A7281DB74A985CF91

Function 0118B048 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0118B29E

Memory Dump Source

Source File: 00000000.00000002.1700040145.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0158fa0562de4bc1ae3411654285e55143ea696acd371043ff10d352c750b47f
Instruction ID: a5341e14b89f61fb3ff04e37a6b348fd0b3135c5f4e491ae65ae94d73ed4c21e
Opcode Fuzzy Hash: 0158fa0562de4bc1ae3411654285e55143ea696acd371043ff10d352c750b47f
Instruction Fuzzy Hash: A6713370A00B058FD728EF2AD45579ABBF1FF88304F008A29E08ADBA50D775E945CF95

Function 011844B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011859A9

Memory Dump Source

Source File: 00000000.00000002.1700040145.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7ac80efe154325c0b07b4233971fee222214758f088efef7cec4cc6812b52aaf
Instruction ID: 96264e0be9845b976a87ad68716c1004c80143b9c55c592ef0f6366bc4a32e4d
Opcode Fuzzy Hash: 7ac80efe154325c0b07b4233971fee222214758f088efef7cec4cc6812b52aaf
Instruction Fuzzy Hash: 0841BFB0C10719CFDB28DFAAC884B9DBBB6FF49304F20806AD408AB251DB756945CF90

Function 011858EF Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011859A9

Memory Dump Source

Source File: 00000000.00000002.1700040145.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9d5f4f35aebb5ad95624fa7d19f523ad3b22e08e34c288dc6b46273d1f442843
Instruction ID: 3e5b67d3459902d2b4ff1a4c1df4db43be25e60ea6d2aa51324263a993285a65
Opcode Fuzzy Hash: 9d5f4f35aebb5ad95624fa7d19f523ad3b22e08e34c288dc6b46273d1f442843
Instruction Fuzzy Hash: B041CFB0C10759CEDB28DFA9C884B9DFBB6FF49304F20806AD408AB251DB756946CF90

Function 074B0D88 Relevance: 1.6, APIs: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 074B0E47

Memory Dump Source

Source File: 00000000.00000002.1706182625.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74b0000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: fe63835354c336f04c8b2c111cdf3ebd7d8513ff1ae4386bee5962300e461473
Instruction ID: f1d3e0b0194476a6ab537b5cd8655e4576bae6414318b9f824700f8776b02aaa
Opcode Fuzzy Hash: fe63835354c336f04c8b2c111cdf3ebd7d8513ff1ae4386bee5962300e461473
Instruction Fuzzy Hash: 813168729043899FCB11CFA9C840AEEBFF8EF49320F14845AE554AB261C335A850CFA1

Function 07609219 Relevance: 1.6, APIs: 1, Instructions: 75injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 076092B0

Memory Dump Source

Source File: 00000000.00000002.1706274506.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 147798c6ff95e8703f456b0df611ba95aacba2674b5f9802be4c8cb82dc41e67
Instruction ID: b2d02b2affa6885442357a1892a5648e994be639e4614df46055a60f1ba6a75f
Opcode Fuzzy Hash: 147798c6ff95e8703f456b0df611ba95aacba2674b5f9802be4c8cb82dc41e67
Instruction Fuzzy Hash: 023138B1910349DFDB14CFAAC8847EEBBF5FF48320F10842AE959A7251C775A944CBA4

Function 07609309 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07609390

Memory Dump Source

Source File: 00000000.00000002.1706274506.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 89bbc2c5d646b7b796773e68c7bfa2fdc036af2e344ebbb6a7658c884499a73a
Instruction ID: 869f1050df0d925d14b90a273048e4ef8fce8c919818d950bb9335439cae9a0a
Opcode Fuzzy Hash: 89bbc2c5d646b7b796773e68c7bfa2fdc036af2e344ebbb6a7658c884499a73a
Instruction Fuzzy Hash: AC2139B18003499FCB14CFAAC840AEEBFF5FF48320F14842AE559A7251D775A905DFA4

Function 07609220 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 076092B0

Memory Dump Source

Source File: 00000000.00000002.1706274506.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: defbb0d8565283b57ee2cf3d4395b2779dbcd9c84254c32212bb1cd6f0ecd119
Instruction ID: 484a15f1acecc4bd98257619d34a506144a7faf4f2444f297bd363c421dda1f6
Opcode Fuzzy Hash: defbb0d8565283b57ee2cf3d4395b2779dbcd9c84254c32212bb1cd6f0ecd119
Instruction Fuzzy Hash: 0C2127B1910359DFDB10CFAAC881BDEBBF5FF48320F108429E919A7251C778A944CBA0

Function 0118AF34 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0118D4EE,?,?,?,?,?), ref: 0118D5AF

Memory Dump Source

Source File: 00000000.00000002.1700040145.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9e445680ffe092b04553d16beb629b0b4f1572860b66a6780dacc0d0921dfe45
Instruction ID: 5630f763e4abe9e33f18f29c5b595da4e1953ed60f80f9b62cca64ee87f30039
Opcode Fuzzy Hash: 9e445680ffe092b04553d16beb629b0b4f1572860b66a6780dacc0d0921dfe45
Instruction Fuzzy Hash: 6F21E5B59003489FDB10CF9AD584ADEBFF4FB48324F14841AE918A7350D374A954CFA5

Function 0118D520 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0118D4EE,?,?,?,?,?), ref: 0118D5AF

Memory Dump Source

Source File: 00000000.00000002.1700040145.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: dce39c051d5c20271dd3622d8e0886935163a263281708ada3ce9bc1926222b4
Instruction ID: 6a46a217ab52dbc6cc13de37110660244b6feef913211e704e49ec8c4871014f
Opcode Fuzzy Hash: dce39c051d5c20271dd3622d8e0886935163a263281708ada3ce9bc1926222b4
Instruction Fuzzy Hash: 1221E6B59102489FDB10CF9AD984ADEFFF9FB48320F14841AE958A3350D378A944CFA1

Function 07608C48 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07608CCE

Memory Dump Source

Source File: 00000000.00000002.1706274506.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 569d54b426be276ead6583ea9914b7eea554087c177b9495fe9a49d821b25aba
Instruction ID: 4b51ee1d1613b443bc87eb61dca3fa64df25e169e8e5db431cd23eb0cc4b79b4
Opcode Fuzzy Hash: 569d54b426be276ead6583ea9914b7eea554087c177b9495fe9a49d821b25aba
Instruction Fuzzy Hash: B82159B19103098FDB14DFAAC4817AEFBF4FF48324F14842AD419A7280C7789945CFA4

Function 07609310 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07609390

Memory Dump Source

Source File: 00000000.00000002.1706274506.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 101faf89467993eb93f67a7bc95414c89f854ed131163a28dc3b2e77d66713a2
Instruction ID: ac59b7793113ae270f2731335ec75cdb7ba54f49e08892b0654e79d12322387a
Opcode Fuzzy Hash: 101faf89467993eb93f67a7bc95414c89f854ed131163a28dc3b2e77d66713a2
Instruction Fuzzy Hash: 732116B18003599FDB14CFAAC881AEEBBF5FF48320F148429E519A7250D7799900DBA0

Function 07608C50 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07608CCE

Memory Dump Source

Source File: 00000000.00000002.1706274506.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: eeaad053961cab50b4ab67e210b7da0efbbe462d10058e7581368462c67eec5b
Instruction ID: 59559ff6809f8aff85fe41bf9b3b5176bb33740ace5e3801455b4f0bd04399f2
Opcode Fuzzy Hash: eeaad053961cab50b4ab67e210b7da0efbbe462d10058e7581368462c67eec5b
Instruction Fuzzy Hash: 062138B19003098FDB14DFAAC4857AEBBF4EF88324F14842AD419A7240DB789945CFA4

Function 07609158 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 076091CE

Memory Dump Source

Source File: 00000000.00000002.1706274506.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 095628a05c2acaa4b8e5929c8f33b4aeb681e8fe5739e0da06782b70dc57f913
Instruction ID: 1dc5249d97992fd4cdb031f23ae2bd738a3fbc4eff9024ae0bf3333b3963e2da
Opcode Fuzzy Hash: 095628a05c2acaa4b8e5929c8f33b4aeb681e8fe5739e0da06782b70dc57f913
Instruction Fuzzy Hash: A6116AB19003499FCB14DFAAC845ADFBFFAEF88324F148819E515A7250C775A954CFA0

Function 07609160 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 076091CE

Memory Dump Source

Source File: 00000000.00000002.1706274506.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 54d3e41a7a06a802242025bdc8f7ecce40e68b31ae1ee93f8a57d18948fb2c04
Instruction ID: 2019e7eb653eb289747d57e7e64571352cf760920577a36de782b052d97a1d35
Opcode Fuzzy Hash: 54d3e41a7a06a802242025bdc8f7ecce40e68b31ae1ee93f8a57d18948fb2c04
Instruction Fuzzy Hash: D01137B19002499FDB14DFAAC844ADFBFF5EF88324F148819E519A7250C775A940CFA0

Function 07608BA0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07608C02

Memory Dump Source

Source File: 00000000.00000002.1706274506.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1d0a617a764dfaa26589eecb6c7d9c9a57d6bc5240d6d76e2abc850f4740d41c
Instruction ID: d6bb2e198b44d789c53f5ccefc380cc7077a8b641dc63e3d73e617a4fc81d754
Opcode Fuzzy Hash: 1d0a617a764dfaa26589eecb6c7d9c9a57d6bc5240d6d76e2abc850f4740d41c
Instruction Fuzzy Hash: 2C1128B19003498FDB14DFAAC44579FFBF8EF88324F148419D519A7240CA75A944CFA4

Function 07608B99 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07608C02

Memory Dump Source

Source File: 00000000.00000002.1706274506.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c3195c472c38deaf3afddbb21b0be449a0cd84fdc64230f27eb7e19ceda41a97
Instruction ID: 7a483047d10db8a8a16622adde314ee48b82a95f74ff486355474373718e9ea7
Opcode Fuzzy Hash: c3195c472c38deaf3afddbb21b0be449a0cd84fdc64230f27eb7e19ceda41a97
Instruction Fuzzy Hash: 961158B1D003498FDB24DFAAC4457AEFBF4EF88324F24841AD419A7250C775A944CFA4

Function 07605E08 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0760BBF5

Memory Dump Source

Source File: 00000000.00000002.1706274506.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 456e7036cd07c09295e14a3ff9b81da1215c63b868fa9106bea838a1986c9e7d
Instruction ID: 964102ce425342a372042614ec85a0b09dadfbb775c574c1fbd540ce4dc6a78d
Opcode Fuzzy Hash: 456e7036cd07c09295e14a3ff9b81da1215c63b868fa9106bea838a1986c9e7d
Instruction Fuzzy Hash: 3B11F2B5800349DFDB20CF9AC984BDEBBF8EB48320F108459E519A7240C375A944CFA5

Function 0118B238 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0118B29E

Memory Dump Source

Source File: 00000000.00000002.1700040145.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 287d0dc728479e1d7163291e78786d2dcb6a7b65dee5f2c7126d5a7da31f1d9d
Instruction ID: f58b5bcd0fe1dda86c1cc2678d2b47161f1d150410be8cd0b6f839eab68bc428
Opcode Fuzzy Hash: 287d0dc728479e1d7163291e78786d2dcb6a7b65dee5f2c7126d5a7da31f1d9d
Instruction Fuzzy Hash: 0B11E0B5C00649CFDB14DF9AC444ADEFBF5EF88324F14842AD929A7210C379A545CFA5

Function 0760BB90 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0760BBF5

Memory Dump Source

Source File: 00000000.00000002.1706274506.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 000a7df9cb019736178a6c025b48a59503e1c88e9bca04ea0a9bb7e41d572a81
Instruction ID: dbc70e8b29fb20dea7edf969d747c3a0b2bfb79832d96318b6769006eed480bd
Opcode Fuzzy Hash: 000a7df9cb019736178a6c025b48a59503e1c88e9bca04ea0a9bb7e41d572a81
Instruction Fuzzy Hash: 1F11F5B5810249DFDB20CF9AC984BDEBBF8EB48320F148459D559A7350C375A944CFA5

Function 010DD1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698983405.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10dd000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf157419d1c3bcf39f24e6e7a17b4323f05d9dfbbadf8b5d824f6736dc3f65f
Instruction ID: 5022a09182784781a1d5f4490aa7e0551b19c77dac0d84e9c6aab5f6fb038f72
Opcode Fuzzy Hash: 9bf157419d1c3bcf39f24e6e7a17b4323f05d9dfbbadf8b5d824f6736dc3f65f
Instruction Fuzzy Hash: F821D671504340DFDB45DF98D9C0B3ABFA5FB98320F24C5A9E9490B286C336D416CBA1

Function 010ED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699087013.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ed000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5809aeab855b64d29597f8c12b580bedaf05c17ec51a85d0ba42fae4132afcce
Instruction ID: 3fd564040b7623bc31f1caa666eb9ee0801acfd0698b84c53ed466c024e07016
Opcode Fuzzy Hash: 5809aeab855b64d29597f8c12b580bedaf05c17ec51a85d0ba42fae4132afcce
Instruction Fuzzy Hash: 44212571604200DFDB15DF59D488B16BFE5FB88314F28C9ADE9894B246C336D407CB61

Function 010ED1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699087013.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ed000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d80e9a85e0ddb364ef1f12b8bdcf3185d63dffe0131eee83a354586f2727019
Instruction ID: c09a5aa82f72b532a8147ed4f8ebca8753f906c2a8b397934cf88c10f13365f5
Opcode Fuzzy Hash: 5d80e9a85e0ddb364ef1f12b8bdcf3185d63dffe0131eee83a354586f2727019
Instruction Fuzzy Hash: CB214971504200EFDB45DF99D5C4B26BBE5FB98324F24C5ADE9894F292C336D406CB61

Function 010ED006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699087013.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ed000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9216e18056074b9751ee1b6cb2a32ef3d6b7b5b5db4e2dd24c6e056882461d98
Instruction ID: 49cfbbd4ac66f6a33dc5a672652b732185191716f900957d8a0d714f7ca0b142
Opcode Fuzzy Hash: 9216e18056074b9751ee1b6cb2a32ef3d6b7b5b5db4e2dd24c6e056882461d98
Instruction Fuzzy Hash: F02165755093808FDB13CF64D594715BFB1EB46214F28C5DAD8898F667C33A980ACB62

Function 010DD1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698983405.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10dd000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 083a0aad303073c06da1a146aa343d8be4e7eaa9cc126e7cc12db35873612b5c
Instruction ID: f3c1a3990943b893cfa31876496adc8543806f399e336180e82464a8e47fe8a1
Opcode Fuzzy Hash: 083a0aad303073c06da1a146aa343d8be4e7eaa9cc126e7cc12db35873612b5c
Instruction Fuzzy Hash: 9921D276404240CFDB06CF44D9C4B26BFB2FB84320F24C1A9DD480B656C33AD416CB91

Function 010ED1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699087013.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ed000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bad08bc3297c4791243414a9a82218353e3075920b51f23bb46501d1989d77c
Instruction ID: 8c1dfd7712b41403df0175f37b2aced12f152d4e264f73b4f021080d88e696e9
Opcode Fuzzy Hash: 8bad08bc3297c4791243414a9a82218353e3075920b51f23bb46501d1989d77c
Instruction Fuzzy Hash: CE11BB75504280DFDB16CF54C5C4B15BBA1FB84224F24C6AED8894B296C33AD40ACB61

Non-executed Functions

Function 074BB3C9 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

4'tq, xrefs: 074BB4AA

Memory Dump Source

Source File: 00000000.00000002.1706182625.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74b0000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID: 4'tq
API String ID: 0-257826263
Opcode ID: 0d7d6393880a98770e3acbe588e48e91ea021050d7b242b3afa880d58bf1bf57
Instruction ID: 6bd96608d861c7aa395baa69af9b960828e37f13f2f14d63012625cba955780f
Opcode Fuzzy Hash: 0d7d6393880a98770e3acbe588e48e91ea021050d7b242b3afa880d58bf1bf57
Instruction Fuzzy Hash: 1361DAB0A102098FE758EF7BE942699BFF3FB88304F14C52AE0159B6A5EE705845CF51

Function 074BB3D8 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

4'tq, xrefs: 074BB4AA

Memory Dump Source

Source File: 00000000.00000002.1706182625.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74b0000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID: 4'tq
API String ID: 0-257826263
Opcode ID: 48923675e7ea2b04f27296a2d80c11ccb223be05d8f26b8248ed7299fdd93934
Instruction ID: 3d21231de1dd0f989b1961ea66fe244a7d0965ca74195a68e991672776453881
Opcode Fuzzy Hash: 48923675e7ea2b04f27296a2d80c11ccb223be05d8f26b8248ed7299fdd93934
Instruction Fuzzy Hash: 0B61DAB09102098FE758EF7BE942699BBF3FB88304F14C52AE0159B7A9EE705845CF51

Function 0760D4B0 Relevance: .4, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706274506.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 932e3d2d5c963334d411ac877d60f7f21887d16c8295f561d0b082b306219a26
Instruction ID: a2c436beef6dfc499717f6526a4d087d4fc6f06d1a6c29bc5c3e737bc8c9652f
Opcode Fuzzy Hash: 932e3d2d5c963334d411ac877d60f7f21887d16c8295f561d0b082b306219a26
Instruction Fuzzy Hash: E4E19DB07016058FDB2AEBB5C450BAF77F6AF89204F14856ED14A9B3D0DB39E901CB91

Function 07608378 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706274506.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e219fe9822dbf0e000e487d526a8b3f0fe400871918fbf81a9b20d526d7b9c51
Instruction ID: bd6efc42ad42e00fbe95adaa7ce2b4dfe576cb0938c8fa94c90ce0edcc0bdb3d
Opcode Fuzzy Hash: e219fe9822dbf0e000e487d526a8b3f0fe400871918fbf81a9b20d526d7b9c51
Instruction Fuzzy Hash: F8E109B4E1015A8FDB14DFA9C5809AEFBF2FF89304F248169D415AB355DB30A942CFA0

Function 076070D8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706274506.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 130994b516c5e1a5241d9c56b9ba0eead3a7b74d402f610f29f6b92995ec6405
Instruction ID: b56914969d2e81213e837c7a0b94f5b1a554afa26a2fabaed22848994bb1de82
Opcode Fuzzy Hash: 130994b516c5e1a5241d9c56b9ba0eead3a7b74d402f610f29f6b92995ec6405
Instruction Fuzzy Hash: FAE10BB4E141598FDB18DFA9C5809AEFBF2FF89304F248169D815AB355D730A942CFA0

Function 07608D28 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706274506.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae6b9a65483f82b122b83a171dc235569d6dd66e859430c5c55db07fb6713508
Instruction ID: 434a91e991ba540fd9ce23038ea3e41838f6ed4949d9c693e42b0cecc830ca61
Opcode Fuzzy Hash: ae6b9a65483f82b122b83a171dc235569d6dd66e859430c5c55db07fb6713508
Instruction Fuzzy Hash: EFE10BB4E142598FDB14DFA9C5809AEFBF2FF89304F248169D415AB356D730A942CFA0

Function 07606CA0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706274506.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c908748cd571302d0d0be80990c9a3c4808f2896935eb4648ab507226a128aab
Instruction ID: f08162bb56f81cbeda168ceb8dce2f68fc6ee3b292bef15a345c16b91b11c7fe
Opcode Fuzzy Hash: c908748cd571302d0d0be80990c9a3c4808f2896935eb4648ab507226a128aab
Instruction Fuzzy Hash: 58E118B4E142198FDB14DFA8C5809AEFBF2FF89304F248169D415AB355D731A942CFA0

Function 07606868 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706274506.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f6b491a84f575a999b3cef77df93c9a4c8c4d0db4aae324e9223f592220bb4
Instruction ID: ce9fb62bf3fa9654482093432638d058a2db1f15e031097f6eefd14164d1b7f3
Opcode Fuzzy Hash: e5f6b491a84f575a999b3cef77df93c9a4c8c4d0db4aae324e9223f592220bb4
Instruction Fuzzy Hash: 6BE1F9B4E102598FDB14DFA9C5809AEFBB2FF89304F24C169D415AB355DB30A942CFA0

Function 0118DE34 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700040145.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc2f124a8711f7e9058eea73cfd1d48882c6c296f078373be90a1ec9e4ed1ec
Instruction ID: 62a0b5bf46b11e2231a7bbe2383d37df0a5f46a3cef8ab75e4d493b479bb4bd3
Opcode Fuzzy Hash: fbc2f124a8711f7e9058eea73cfd1d48882c6c296f078373be90a1ec9e4ed1ec
Instruction Fuzzy Hash: 43A18432E002168FCF09EFB8D54449EB7B2FF94304B15856AE905AB295DB31E916CF50

Function 076070C7 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706274506.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 753892627f12fd1e32588fd7baa30ae7e016872cfcc7c958393b946a23185ad9
Instruction ID: 7e15383dae46a09e4b29cff4292ca4eff04bec7d0424df37feb990974ed4c4cb
Opcode Fuzzy Hash: 753892627f12fd1e32588fd7baa30ae7e016872cfcc7c958393b946a23185ad9
Instruction Fuzzy Hash: 7D51FCB4D042198FDB18CFA9C5405AEFBF2BF89304F24C1AAD419A7356D7306942CFA1

Function 07608368 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706274506.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb4cf7a177132e1ef16ba62af5baa8fafbe0b29844a393203f4d3b53621adf3b
Instruction ID: 56f77ad86b00756e3ed8d619d1d16ddd828e2534253e1022ba266dee0b48554e
Opcode Fuzzy Hash: fb4cf7a177132e1ef16ba62af5baa8fafbe0b29844a393203f4d3b53621adf3b
Instruction Fuzzy Hash: 9F510CB4E042198FDB18DFA9C5405AEFBF2BF89304F2481A9D419AB356D7319942CFA1

Function 0760ACD8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706274506.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7600000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1ee089db19a839377a488ea848873622a2daccb504bf0800fc72fe01b9ed748
Instruction ID: 4b60597d01a8e549da9d0ce21ddf215480f329a1bc2c9ed383257685a8ba5fc7
Opcode Fuzzy Hash: b1ee089db19a839377a488ea848873622a2daccb504bf0800fc72fe01b9ed748
Instruction Fuzzy Hash: 91E086FC929114D7CB048ED4A9152FAB7BCE78F285F00B052D51FF6541D7304912CE90

Analysis Process: WOOYANG VENUS PARTICULARS.pdf.scr.exePID: 7068, Parent PID: 6500COMMON

Execution Graph

Execution Coverage:	10.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	151
Total number of Limit Nodes:	16

Executed Functions

Function 06903060 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$tq, xrefs: 0690376B
$tq, xrefs: 069037B8
$tq, xrefs: 06903788
$tq, xrefs: 069037AC
$tq, xrefs: 06903794
$tq, xrefs: 0690375F

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID: $tq$$tq$$tq$$tq$$tq$$tq
API String ID: 0-2574395493
Opcode ID: 212fae7a7f6da5a1411143af41d2b69b43068e5ff8918f53a4242b5d82de788c
Instruction ID: 8c7fb0b9e8b4b34724e8e582be24c7282549d77472c677f4f0236b2ae082c381
Opcode Fuzzy Hash: 212fae7a7f6da5a1411143af41d2b69b43068e5ff8918f53a4242b5d82de788c
Instruction Fuzzy Hash: 99321D71E1061ACFDB14EB75D89059DB7B6FF89300F20D6AAD409AB255EF30AD85CB80

Function 06907D80 Relevance: 3.0, Strings: 2, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$tq, xrefs: 0690831B
$tq, xrefs: 06908327

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID: $tq$$tq
API String ID: 0-1837209516
Opcode ID: b93f65b7cff37f9945c7373936330ab0910bbf9918343cb211ed2969d166aaab
Instruction ID: 640d83bc5552f071c27600079ac1ae64f5305314a82374c1225af0344abc1810
Opcode Fuzzy Hash: b93f65b7cff37f9945c7373936330ab0910bbf9918343cb211ed2969d166aaab
Instruction Fuzzy Hash: 44027B70B112058FEF54DB79D9806AEB7E6EF88310F248929E405DB795DB35ED82CB80

Function 069055A0 Relevance: 1.8, Strings: 1, Instructions: 600COMMON

Download Yara Rule

Strings

$, xrefs: 0690597B

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: c5924c0302107c3b33f4eee0f37979421527d566a02f251ecc941e691657326b
Instruction ID: ff2f570df7fdf6f0beb4a81ff12147f28ddaa6d1fa17818f9a32129366c621b8
Opcode Fuzzy Hash: c5924c0302107c3b33f4eee0f37979421527d566a02f251ecc941e691657326b
Instruction Fuzzy Hash: 8322D271E002198FEF64DBA4C5806AEF7BAEF88310F25846AD845EB795DA31DC45CF90

Function 069065F0 Relevance: .8, Instructions: 825COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfd2f20c03f1b58037fb056e98ad75518c83cb7ebcde5ffaf551e2da5cf0575f
Instruction ID: 1d1e74c50226b7c8970803e047b729263a9314b75a1f0c94ebdd9c2fcf598c32
Opcode Fuzzy Hash: bfd2f20c03f1b58037fb056e98ad75518c83cb7ebcde5ffaf551e2da5cf0575f
Instruction Fuzzy Hash: 7162BD30B002058FEB54DB68D994BADB7F6EF88314F248469E806DB795DB35ED42CB90

Function 0690C190 Relevance: .6, Instructions: 639COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b66adfc8403d6b3c8b8bb6c826d7f1f7d655aa45623688668cc6c84c8538223
Instruction ID: ba0c5ad1a5028bac958176a39125984448dcc9571c055aff83113a6953d4ef88
Opcode Fuzzy Hash: 7b66adfc8403d6b3c8b8bb6c826d7f1f7d655aa45623688668cc6c84c8538223
Instruction Fuzzy Hash: 1A327E74B10209CFEB54DB68D990BAEB7B6FB88314F208A25E405DB795DB31EC41CB91

Function 0690B238 Relevance: .6, Instructions: 567COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4e9cffbb57fcfe2b978686c4e05e43633dab83554b5c78291dba920a2b0d4e
Instruction ID: 5d371ffccddd30e342f732d5b2f164ca8e96b0b2e3048957ec038d5cd51636db
Opcode Fuzzy Hash: db4e9cffbb57fcfe2b978686c4e05e43633dab83554b5c78291dba920a2b0d4e
Instruction Fuzzy Hash: 51227F70E1010A8FEF64CB69D4907ADB7BAEB49310F308526E415DBBD9DA36DC81CB91

Function 0690ACE0 Relevance: 10.4, Strings: 8, Instructions: 402
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$tq, xrefs: 0690AEAC
$tq, xrefs: 0690AE54
$tq, xrefs: 0690AE01
$tq, xrefs: 0690AE83
$tq, xrefs: 0690AE0D
$tq, xrefs: 0690AE8F
$tq, xrefs: 0690AE60
$tq, xrefs: 0690AEB8

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID: $tq$$tq$$tq$$tq$$tq$$tq$$tq$$tq
API String ID: 0-3970889292
Opcode ID: f3af94cbc8f53e9230fd94007163fe2a592f32d172dc1b0b3da3a7e9af14e189
Instruction ID: 78a2fda22218db0b59e47aff8d315f52433d84bdafc04843204c840ca06375c7
Opcode Fuzzy Hash: f3af94cbc8f53e9230fd94007163fe2a592f32d172dc1b0b3da3a7e9af14e189
Instruction Fuzzy Hash: D8E18170E103098FEF55DB79D8906AEB7B6EF85310F208529E806DB785EB319C46CB91

Function 0690B658 Relevance: 8.0, Strings: 6, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$tq, xrefs: 0690BBDD
$tq, xrefs: 0690BBB5
$tq, xrefs: 0690BC11
$tq, xrefs: 0690BC1D
$tq, xrefs: 0690BBE9
$tq, xrefs: 0690BBA9

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID: $tq$$tq$$tq$$tq$$tq$$tq
API String ID: 0-2574395493
Opcode ID: 758aa1f393f8e07cc8409cb490ae77002bc8b759bf7d3b4684485ac8d8c0cd5f
Instruction ID: aa1226fd4f60f6dee0f1fadc056bbd8f1cd60ebe497769050628813476cc68a6
Opcode Fuzzy Hash: 758aa1f393f8e07cc8409cb490ae77002bc8b759bf7d3b4684485ac8d8c0cd5f
Instruction Fuzzy Hash: 0F027C70E1020A8FEFA4CB69D5807ADB7B6FF45314F208526E415DBA99DB36DC81CB81

Function 068F2872 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 068F28F6
GetCurrentThread.KERNEL32 ref: 068F2933
GetCurrentProcess.KERNEL32 ref: 068F2970
GetCurrentThreadId.KERNEL32 ref: 068F29C9

Memory Dump Source

Source File: 00000003.00000002.4135297575.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7a69450f8b0949f928e441ef61ca9abeac6502978e82c704b891f7a06e5dc1a1
Instruction ID: f95b22f4ce1d7c9749bfd0811080c8b5bee10c8023c4c27a888aaec76a5abd6a
Opcode Fuzzy Hash: 7a69450f8b0949f928e441ef61ca9abeac6502978e82c704b891f7a06e5dc1a1
Instruction Fuzzy Hash: FA5174B0911649CFDB54CFAAD948BEEBBF1EF88310F208419E609A73A0DB755944CB21

Function 068F2878 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 068F28F6
GetCurrentThread.KERNEL32 ref: 068F2933
GetCurrentProcess.KERNEL32 ref: 068F2970
GetCurrentThreadId.KERNEL32 ref: 068F29C9

Memory Dump Source

Source File: 00000003.00000002.4135297575.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d0ce063f3b992e500dce79b704711293eebd7aa8717bc0a56b713c6a2268af45
Instruction ID: 448f889b5a4474574c05a119d88c6916e32471ae06f5e9b760a614613a63fdc5
Opcode Fuzzy Hash: d0ce063f3b992e500dce79b704711293eebd7aa8717bc0a56b713c6a2268af45
Instruction Fuzzy Hash: 415186B0910649CFDB54CFAAD848BDEBBF1EF48310F208419E209A73A0DB755944CF25

Function 06909158 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$tq, xrefs: 06909203
$tq, xrefs: 069091D4
$tq, xrefs: 069091C8
$tq, xrefs: 0690920F

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID: $tq$$tq$$tq$$tq
API String ID: 0-173548568
Opcode ID: 5b579b1fb4f9a72866d302789adb128d6bbdce1d40be09b249e248d70a10bab2
Instruction ID: aa6a26a6fd77b0a7f2106aac3edeb3ceb81c212cc47c6362d8c84d4a1c058970
Opcode Fuzzy Hash: 5b579b1fb4f9a72866d302789adb128d6bbdce1d40be09b249e248d70a10bab2
Instruction Fuzzy Hash: 0A917270F1021A8FDF94DB69D9507AEB7F6AFC9300F208565D809EB399EA30DD418B91

Function 0690CF48 Relevance: 4.5, Strings: 3, Instructions: 797
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$tq, xrefs: 0690D353
$tq, xrefs: 0690D33F
$tq, xrefs: 0690D347

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID: $tq$$tq$$tq
API String ID: 0-2863945821
Opcode ID: e842fa30f90e9957e6f3c85057ddca1b6defb8e6cca7f312914fa6603c786a07
Instruction ID: 9c6255ca21e5865d62d070261c8bf4684e772fa7636e96c0ee069b54740ad17a
Opcode Fuzzy Hash: e842fa30f90e9957e6f3c85057ddca1b6defb8e6cca7f312914fa6603c786a07
Instruction Fuzzy Hash: 79627170B012068FDB54EB79D590A5DB7B2FF89308B20CA28D4059F799EB71ED46CB81

Function 06904B70 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fyq, xrefs: 0690527D
\Oyq, xrefs: 06904D27
XPyq, xrefs: 06904C9D

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID: fyq$XPyq$\Oyq
API String ID: 0-1085389410
Opcode ID: 5bf2fe7934fc781272294069d9576c6247980045fcf2a6988a5e15f4925ef8ae
Instruction ID: 3bc7622cbc8e14fbbf1446e4b2a57fc201ec147587ce2c3103bdd7ab10e2bd21
Opcode Fuzzy Hash: 5bf2fe7934fc781272294069d9576c6247980045fcf2a6988a5e15f4925ef8ae
Instruction Fuzzy Hash: 42618270F002189FEB549BA9C914BAEBBF6FF88700F208429E505EB3D5DE758C459B91

Function 06909149 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

$tq, xrefs: 06909203
$tq, xrefs: 069091C8

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID: $tq$$tq
API String ID: 0-1837209516
Opcode ID: 730fc7111b512388e53b6457f355719ecafb770d0fa176e85f5ec232cc5ab6ad
Instruction ID: fa9f15c37515423e3964578b1287346669d39bcd8fef95c7657e7724d056a814
Opcode Fuzzy Hash: 730fc7111b512388e53b6457f355719ecafb770d0fa176e85f5ec232cc5ab6ad
Instruction Fuzzy Hash: 5E515370B001069FDF95DB78D9907AEB7F6EF88200F108469D80ADB799EA30DD42CB91

Function 068FAF10 Relevance: 1.7, APIs: 1, Instructions: 203COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 068FB176

Memory Dump Source

Source File: 00000003.00000002.4135297575.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 03c830bb6e4e502dd02312c0068ec846a1d4f3bc0c5d459c299f198bb2e053d0
Instruction ID: 249e9495287cecd0cf5e2f1dba49067a71ef874571977487390d3c69cf5a4fd2
Opcode Fuzzy Hash: 03c830bb6e4e502dd02312c0068ec846a1d4f3bc0c5d459c299f198bb2e053d0
Instruction Fuzzy Hash: BB816870A10B458FD7A4CF2AD44076ABBF1FF88310F008A2DE69ADBA50D775E945CB91

Function 00F6EA51 Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4130861167.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f60000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e0003ec44a3ad85fc1bde746d08069398a2bcce306202b445b6eff80cb1a25
Instruction ID: 0ab666354f1f53c936f0d9e5ee8d671fc222806c6cebe680dd3259c9f73aecaa
Opcode Fuzzy Hash: 45e0003ec44a3ad85fc1bde746d08069398a2bcce306202b445b6eff80cb1a25
Instruction Fuzzy Hash: 9641F372D003958FCB14CF69D4046EEBBF6EF89320F15866AD845E7241EB789844CBE1

Function 068FD0ED Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 068FD202

Memory Dump Source

Source File: 00000003.00000002.4135297575.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6128e5cf6bfef4410c80546f675b236bf7192a8cc2b738f7fe720a041175e0fa
Instruction ID: 965ce13abffe6e84f9c344da55a15742a11514585cd210faae73b3f227661206
Opcode Fuzzy Hash: 6128e5cf6bfef4410c80546f675b236bf7192a8cc2b738f7fe720a041175e0fa
Instruction Fuzzy Hash: AD41A0B1D10249DFDB14CF99C884ADEBBB5BF88310F24822AE919AB210D775A945CF90

Function 068FD0F0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 068FD202

Memory Dump Source

Source File: 00000003.00000002.4135297575.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ef0550d42bac9a1ef7a7344fbcdfec4eec6ce50caaad371fa177edbc92fbf61e
Instruction ID: b8c6db420bdec119399de827d5f280fe90a7a1bead630d55fc991b192c3a763c
Opcode Fuzzy Hash: ef0550d42bac9a1ef7a7344fbcdfec4eec6ce50caaad371fa177edbc92fbf61e
Instruction Fuzzy Hash: 9C4191B1D10349DFDB14CF99C884ADEBBB5FF88310F24812AE919AB210D775A945CF90

Function 068FA5EC Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 068FF8F1

Memory Dump Source

Source File: 00000003.00000002.4135297575.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 04535e8231b8c54d881dcd927a3543e6459c399d72a154763d5b74ed025ededa
Instruction ID: 802de71a236213a2f7ddb772bd976ade85bbeb4352ae4a920c8a7cf7e245ff28
Opcode Fuzzy Hash: 04535e8231b8c54d881dcd927a3543e6459c399d72a154763d5b74ed025ededa
Instruction Fuzzy Hash: B7415DB4920349DFDB54CF99C448AAEBBF5FF88314F248459D619AB321D734A841CFA0

Function 068F2AB8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 068F2B47

Memory Dump Source

Source File: 00000003.00000002.4135297575.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 25cef701016065982565fac629535a1e6a79e25b7785a545cbeff367e825ba79
Instruction ID: ddd20fad1ac62b2b3fca7c8cad4c285a143006e11831a09e22ac78aa4ed935f2
Opcode Fuzzy Hash: 25cef701016065982565fac629535a1e6a79e25b7785a545cbeff367e825ba79
Instruction Fuzzy Hash: 9C21E3B5D00249DFDB10CFAAD884AEEBBF5EB48320F14841AE918A7310C374A954CF61

Function 068F2AC0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 068F2B47

Memory Dump Source

Source File: 00000003.00000002.4135297575.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 45df35a90a7180e92147824cf1c98acf11b8d2a15f18a5d3468e08cdf4c46954
Instruction ID: 97e08c757b70a3f316920f40a67ca42961e37f59717338698064af33b52b8ef0
Opcode Fuzzy Hash: 45df35a90a7180e92147824cf1c98acf11b8d2a15f18a5d3468e08cdf4c46954
Instruction Fuzzy Hash: 2821E3B5900249DFDB10CF9AD884ADEBBF8EB48320F14841AE918A7210C374A954CF61

Function 00F6EB38 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 00F6EB9F

Memory Dump Source

Source File: 00000003.00000002.4130861167.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f60000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 40ff10b18b21ee6ca131b1b999d5454cb8f976eb0d81e651ea24db7aa2a43578
Instruction ID: 6fcf4f21525b8d4448b7dde170691e4e37154d66fdc0fb49bec75cbf819bd85b
Opcode Fuzzy Hash: 40ff10b18b21ee6ca131b1b999d5454cb8f976eb0d81e651ea24db7aa2a43578
Instruction Fuzzy Hash: EC11E2B1C106599BDB10CF9AC444BDEFBF4EF48320F15816AD818A7240D778A954CFA5

Function 068FB110 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 068FB176

Memory Dump Source

Source File: 00000003.00000002.4135297575.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8ad9aea7b995b2bdab191da84a4d21ae64578d8b019e8bde9a9b5b1cff0cdb8d
Instruction ID: 0b0c88471a19a7b1b8c0a582821fc00e3938dfc71f5db398e4b09d0cc8dec5ab
Opcode Fuzzy Hash: 8ad9aea7b995b2bdab191da84a4d21ae64578d8b019e8bde9a9b5b1cff0cdb8d
Instruction Fuzzy Hash: AC11DFB5C006498FDB10CF9AC844ADEFBF4EF89320F14852AD529B7610C379A545CFA1

Function 06904B60 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

XPyq, xrefs: 06904C9D

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID: XPyq
API String ID: 0-2596165108
Opcode ID: f41288ba4e0c3789bac6c3299d742ddce873980df17a5cc15396896c9f9632e6
Instruction ID: d79a4380674fd75a7688d7c7bdce982125f809a663bc1f4d3eb5facdaf4d759a
Opcode Fuzzy Hash: f41288ba4e0c3789bac6c3299d742ddce873980df17a5cc15396896c9f9632e6
Instruction Fuzzy Hash: F351B770B002489FDB549FA9C814B9EBBF6FF88300F20852AE1459B3E5DE749C05DB91

Function 0690DABD Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

PHtq, xrefs: 0690DC19

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID: PHtq
API String ID: 0-4170314142
Opcode ID: c0e1ddf05c85e99af26ddb8a9b7a710aa8f494bcd4317dd29ec989a9170b72d0
Instruction ID: 8e5e27966512660b14b90dc28da8d3b05c9c4e6e98523141aa427478a4c267b0
Opcode Fuzzy Hash: c0e1ddf05c85e99af26ddb8a9b7a710aa8f494bcd4317dd29ec989a9170b72d0
Instruction Fuzzy Hash: C1418070E0030A9FEF64DFA5C49469EBBB6AF85300F204929E406DB680EF71D946DB91

Function 069021C8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHtq, xrefs: 06902303

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID: PHtq
API String ID: 0-4170314142
Opcode ID: 18466e85e279978c4584aed422a6f9f315b62471d661d58911a9ad6b31f1622f
Instruction ID: e753d674da6a7df95e8ab7e69de6e4ccfe30065b69af97d730719d3515ef5eee
Opcode Fuzzy Hash: 18466e85e279978c4584aed422a6f9f315b62471d661d58911a9ad6b31f1622f
Instruction Fuzzy Hash: BA31E531B102058FEF58AB78C85876E7BE7AF89200F204828D406DB395EF35DE42D7A1

Function 069082D0 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$tq, xrefs: 0690831B

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID: $tq
API String ID: 0-2018120210
Opcode ID: 958a16c0325fc354a350a754d682d581d15baf6843d7be2c8bc868aeb6329a82
Instruction ID: e8319e5cecd57f8fce337b34a51ac5006b1c3fac6be11239e8ef952ba6ba8aab
Opcode Fuzzy Hash: 958a16c0325fc354a350a754d682d581d15baf6843d7be2c8bc868aeb6329a82
Instruction Fuzzy Hash: 9EF0AF31B01101DFFFA49A59EB9066C77A9EBC8354F244465E905CBAC5E631DE02C751

Function 06902340 Relevance: 1.0, Instructions: 1014COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deb7ac14d2ae6a74b37f49ab85d0f54824b51c0e1c929374e1946bf5bb200ffd
Instruction ID: 05795a83525f2b4a2590cb933a2424db842edd55227b5c71a56c3c022928f443
Opcode Fuzzy Hash: deb7ac14d2ae6a74b37f49ab85d0f54824b51c0e1c929374e1946bf5bb200ffd
Instruction Fuzzy Hash: 19923734E002048FEB64DB68C588B5DB7F6EF45314F6488A9D409EBBA5DB35ED85CB80

Function 069061F0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ec0d6e54cf97440c911a63775081f8a2e8eaaabe9a0c93321639f4fc30402e
Instruction ID: 95376ffdf5c52d9029b41703c22ab56b7c30784be52ef6830ef8a77a6585cd24
Opcode Fuzzy Hash: 59ec0d6e54cf97440c911a63775081f8a2e8eaaabe9a0c93321639f4fc30402e
Instruction Fuzzy Hash: 3B6195B1F001124FDF549A7EC88065EBADBAFC4620B254439E80ADB375DE75ED4287D1

Function 069042A1 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0261eaf6b8440ecd67f63a1b1b677a6c5b7dfb1a1506d5209f8f8b172b2e30c2
Instruction ID: 01cc4948f1c0618fb2ec01d924e49b284b28cc3ea6a8be6a74630e18629896ea
Opcode Fuzzy Hash: 0261eaf6b8440ecd67f63a1b1b677a6c5b7dfb1a1506d5209f8f8b172b2e30c2
Instruction Fuzzy Hash: 5B813F74B002069FDF54DF78C55479EB7F6AF89700F208529D50AEB795EA30DC428B51

Function 069045C4 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20ed1181380409f9ac756ee2d511876ea1e12a3598a4c965875d73727fc4f1cd
Instruction ID: 29be321b2074aaea891cb9ffd2318b93664e57afb6fef4d2d6f4ed13258e2d57
Opcode Fuzzy Hash: 20ed1181380409f9ac756ee2d511876ea1e12a3598a4c965875d73727fc4f1cd
Instruction Fuzzy Hash: 81916E70E102198FDF64DF68C890B9DB7B1FF89300F208699D549AB381DB70AA85CF90

Function 069045D8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42c8553aad338204a2e02022c9624a95c4c116b867aadf8aa673f47e61350343
Instruction ID: 4da78279aad6dbb5ca73d0142c35ac57427ee8c3d4386b23215d6cde239d820c
Opcode Fuzzy Hash: 42c8553aad338204a2e02022c9624a95c4c116b867aadf8aa673f47e61350343
Instruction Fuzzy Hash: 2F914E70E102198FDF64DF68C880B9DB7B5FF89300F208599D549AB385DB70AA85CF90

Function 0690FBB8 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d501456d6e99720048f4f44bd4a7ad2159c529a4d371f46d8e7c2a56d177201
Instruction ID: 051cbab81d2cd7db853b5135ee7e57ed685afe158accd43b4ad0e391f3769db5
Opcode Fuzzy Hash: 2d501456d6e99720048f4f44bd4a7ad2159c529a4d371f46d8e7c2a56d177201
Instruction Fuzzy Hash: 14611731E00115CFEF64EF78E8542ADBBB6EF84311F20886AE906D7691DB319A55CB80

Function 0690EB1B Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31418962985f51e6488be3a71b974ca7d240a6fc1b2f5370b9b88ff996a23374
Instruction ID: ca54ecef284ef65cd9a5c9d345671d3925435b187be53dcbf2a06893bfee9a3a
Opcode Fuzzy Hash: 31418962985f51e6488be3a71b974ca7d240a6fc1b2f5370b9b88ff996a23374
Instruction Fuzzy Hash: 00714F70A012099FDB54DBA9D990A9DBBF6EF84304F24C82AE405EB795DB30ED46CB50

Function 0690EB28 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb3b0e5e4c20817f8111dbaa1fd24e9323607ba1698859eb492ea8217c1e8d0
Instruction ID: 81e6674ebef422e34e40f68efbdf9e800ba9967c6d743900d03d0d07ff1797b0
Opcode Fuzzy Hash: feb3b0e5e4c20817f8111dbaa1fd24e9323607ba1698859eb492ea8217c1e8d0
Instruction Fuzzy Hash: B1712070E012099FDB54DBA9D990A9DBBF6FF84304F248829E405EB795DB30ED46CB50

Function 0690F968 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f97fcaf44c8e9d8fbec4025d3bd45d9903588e4e902f04da6df0f802867ee5
Instruction ID: 902282b886171307c9aca7d440f7015007b4576ccae065b6ab93c83ae9e23108
Opcode Fuzzy Hash: 80f97fcaf44c8e9d8fbec4025d3bd45d9903588e4e902f04da6df0f802867ee5
Instruction Fuzzy Hash: 0B519274B202049FFFB46678D86472F369ED78A310F30442AE50AC7BD9DA78CD4197A2

Function 0690F978 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57e794253ace84b7c17b645ce7920230ac40d85cf5b6bc641bf968676f971fc7
Instruction ID: 36a79463827f45695934aee4bf685aa35ea55a97e837ae487551f96fd8a7b6f1
Opcode Fuzzy Hash: 57e794253ace84b7c17b645ce7920230ac40d85cf5b6bc641bf968676f971fc7
Instruction Fuzzy Hash: 60518070B201049FFFA466BDD96472F369ED789310F30442AE90AC7BD9DA78CD4197A2

Function 06905419 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78c93eb1ffdbb4789db5152d81a781f1b33b7107e7f94420308bd421702fcb0e
Instruction ID: 99aeb7d6752c7d413d4090fd9e5f0a862304f4129606634f8c80603b962462eb
Opcode Fuzzy Hash: 78c93eb1ffdbb4789db5152d81a781f1b33b7107e7f94420308bd421702fcb0e
Instruction Fuzzy Hash: 09416F75E006099FEB70CE99D980AAFF7B6FB84310F21492AE116D7A90D330E955CF91

Function 0690D970 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b877e5211eb754aefe6630e7cda9d09b532d4abb17928065d222d93c37ba1e8c
Instruction ID: 19beb26af6d48553221a1f38b55497297daedb6c08f7b11acc7406bad857a058
Opcode Fuzzy Hash: b877e5211eb754aefe6630e7cda9d09b532d4abb17928065d222d93c37ba1e8c
Instruction Fuzzy Hash: D931B670E1160A8FDF14DFA9C99069EBBB5EF85314F208929E405EB641E770E945CB41

Function 0690207B Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aafc16b4ecf4e0b51633f60540e18eed6918c448f44de81c3f0ce7d89035d33d
Instruction ID: 00014a58e205536ca8d054ab0ddce0c56251a8b6e2597c8addb5ab30a892cf37
Opcode Fuzzy Hash: aafc16b4ecf4e0b51633f60540e18eed6918c448f44de81c3f0ce7d89035d33d
Instruction Fuzzy Hash: C8318D71E102099FDB58CF64D8A869EB7B6FF89300F108529E906EB780DB71ED46CB50

Function 06902088 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0ef946590612f4cc5f155bbcda34f22c2e8e3f52d9f64d9460a246a81eea117
Instruction ID: ded4b6f685723e3c0db8abfe041c49af5931dd335915cbbadcce316897b7f8ea
Opcode Fuzzy Hash: a0ef946590612f4cc5f155bbcda34f22c2e8e3f52d9f64d9460a246a81eea117
Instruction Fuzzy Hash: 33319E30E102098FDB58CF64D8A869EB7B6FF89300F108529E906EB780DB71ED42CB50

Function 06903AB0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2240466bd345d47c0c1bfad2c5c795a2459896cfa3a89a9ef3958a7c18f515ec
Instruction ID: db067ae54608565a3aa18a3575c4d56f01c457f54c15138f2313230baa83b5f6
Opcode Fuzzy Hash: 2240466bd345d47c0c1bfad2c5c795a2459896cfa3a89a9ef3958a7c18f515ec
Instruction Fuzzy Hash: 64217FB5F106169FEF50DFA9D880AAEBBF5EB48720F108025E905E7380EB34DC008B90

Function 06903AAF Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8014024749b866d958398148d941b29185d0647a91742e01e310fdb785eea2e1
Instruction ID: b0ff5cf0b867fc1e59ac46d6a585f2eccd32fa8b8a2a4b8407f4317675b4b095
Opcode Fuzzy Hash: 8014024749b866d958398148d941b29185d0647a91742e01e310fdb785eea2e1
Instruction Fuzzy Hash: 1F2159B5F106169FEF44DFA9D980BAEBBF5AB48720F108025E905E7385EB34DC018B90

Function 00F1D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4130696777.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f1d000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce26e099e3f7a0d7a12dcd9d8a1a5c1571ddc0b8c17320d49f2fca6d7f2d2e9
Instruction ID: fe2df68979975ee7071eb67692ed5572860410ebedfd425746c5403840e48a11
Opcode Fuzzy Hash: 6ce26e099e3f7a0d7a12dcd9d8a1a5c1571ddc0b8c17320d49f2fca6d7f2d2e9
Instruction Fuzzy Hash: BA213771904204DFDB14DF14D9C0B26BBB5FB88324F34C66DD80A4B24AC336D887DA62

Function 00F1D005 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4130696777.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f1d000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a87d7747b89bd746b9857f3085b4b8580420e0d1e4fcb4230d4a5e5007980362
Instruction ID: f7acadd33fff52daf2d536a53d1d6c9848fc661ce506a2c05d3dd821940dceac
Opcode Fuzzy Hash: a87d7747b89bd746b9857f3085b4b8580420e0d1e4fcb4230d4a5e5007980362
Instruction Fuzzy Hash: 1D21607150D7C09FD703CB24D990711BF71EB46224F29C5DBD8898F2A7C23A984ADB62

Function 06903BC0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1ee14d8b07fe63cb66a2cf20e9927e3314b7b2b81eff5d0091f796ff4e3d712
Instruction ID: afcd0170efbdf6fafd410c405cdeabd344607b0d5d64443759e289810776bd29
Opcode Fuzzy Hash: f1ee14d8b07fe63cb66a2cf20e9927e3314b7b2b81eff5d0091f796ff4e3d712
Instruction Fuzzy Hash: 0411A171B004294FEF989A78D8146AE77ABABC8310F008539D80AE7384EE34DC018B90

Function 06904200 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a725286383b500658b598466911e5ba67494c84f55cc0288290fea7748302fb
Instruction ID: 236a2c92a2e4362fc2139d12f6c61cee815c2ce12e21b9ae652253a7c7642d84
Opcode Fuzzy Hash: 4a725286383b500658b598466911e5ba67494c84f55cc0288290fea7748302fb
Instruction Fuzzy Hash: A501F531B011001FDB60D67D9844B1FB7DFDBC9A10F248439E20ADB795E921CC4243A2

Function 0690A311 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f9ce468f0f91bdb6ca6b6bb6b3ddaefdce35e7e1ceea4ed6592351badb23e58
Instruction ID: fe313957569603df181106d9af1253bc0f98be9586d9ea5651405d73a575588b
Opcode Fuzzy Hash: 5f9ce468f0f91bdb6ca6b6bb6b3ddaefdce35e7e1ceea4ed6592351badb23e58
Instruction Fuzzy Hash: 9B01B530B142514FDB629A78E85472E77E9EF8B650F24486EE18ACB792EA11DC0187D1

Function 06903878 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e44470cc6a2a0f7fb62c21858d7a36657034beb976f53a10cef3e136e50a3bb0
Instruction ID: 6c7cb90b141b2fd7ed0a746d101937d01728f5e87e5374930c38e2fab4338946
Opcode Fuzzy Hash: e44470cc6a2a0f7fb62c21858d7a36657034beb976f53a10cef3e136e50a3bb0
Instruction Fuzzy Hash: 2321E5B1D01259AFCB10CF9AD884ADEFFF8FB48310F10811AE518A7640C7756550CFA5

Function 0690ED99 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a35bbf83f5775c84dbe478917f4622b12594629050e74fb458eee0d05e53ad
Instruction ID: 0500c4075fbf946ca9f054383da0b647a809c26eb05666b98ebb11905e23ca68
Opcode Fuzzy Hash: 10a35bbf83f5775c84dbe478917f4622b12594629050e74fb458eee0d05e53ad
Instruction Fuzzy Hash: 4401D431F100159FDB64DA7C94A4B3B73DEDBC9610F24883EE10ACB381EA62DC028792

Function 06903BAF Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e9e3a4b86e592226cff5fa01792e69dd070b69b96a360d1de991a376ae888b7
Instruction ID: 4f67f55fff88f97ba3a0094bae401bb4baa98666fd0a651d8f9b499122ba1ce6
Opcode Fuzzy Hash: 3e9e3a4b86e592226cff5fa01792e69dd070b69b96a360d1de991a376ae888b7
Instruction Fuzzy Hash: B501D471B1402A4FEF949A78D8102AF7AEF9BC9200F14453ED909E7284EE60CC0187D1

Function 06903880 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee6c34f0d7a18d79df10124087275b13bde8bc84ef8f05c599d65bb0e58dc0d
Instruction ID: 8b99c7ba9c2250d0be95ef18edf4d407e19852f618b3e20f5c74912088ce05a7
Opcode Fuzzy Hash: aee6c34f0d7a18d79df10124087275b13bde8bc84ef8f05c599d65bb0e58dc0d
Instruction Fuzzy Hash: 2B11C4B1D01259AFDB00CF9AD884ADEFFF8FB48310F10811AE518A7240C374A554CFA5

Function 06904210 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2804e1fc5eeb3d5a33d3a501eb130b2f4453b6c9074b844c136da590f5cc109f
Instruction ID: ef8028bbfc210fb5085ad106ed8797a132d9f68d9b55700c163370c2d66b0b22
Opcode Fuzzy Hash: 2804e1fc5eeb3d5a33d3a501eb130b2f4453b6c9074b844c136da590f5cc109f
Instruction Fuzzy Hash: 73016D31B100105FEBA496BD9454B2FB3DEDBC9B10F24883AE60ADBB84E965DC424791

Function 0690EDA8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a5c1365007df8830c122ee08bceeed5cddf0aa9708a455bf019ff26a47c5701
Instruction ID: 50c68910e92bd69dfdc874832ab5133bb40bb7cf9962f59aeb2f5e8fea9a6baf
Opcode Fuzzy Hash: 3a5c1365007df8830c122ee08bceeed5cddf0aa9708a455bf019ff26a47c5701
Instruction Fuzzy Hash: A2018131F100154FDF64967D945473F73DEDBC9610F24883AE50AC7781EA65DC024781

Function 0690A320 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e9a6963b937b891ef6671ad89b3df313a204cbcca612282bd444af98efed75
Instruction ID: 36376ae2372485f47fac2b21a0f24027a298231c274ba0d13a031020f83f7523
Opcode Fuzzy Hash: 52e9a6963b937b891ef6671ad89b3df313a204cbcca612282bd444af98efed75
Instruction Fuzzy Hash: B201A430B102104FDB64D67CE85472F73DAEB8E750F608829E10ACB795EA21DC0187C1

Function 06906470 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64a5f5805277456b4475c617224bb1415ca15746f265962ba26ec3eaf1875543
Instruction ID: 8f8cbaae3b9d113a76c1059874ce5113563beac9e0d654937f7fe65cad2f9ffb
Opcode Fuzzy Hash: 64a5f5805277456b4475c617224bb1415ca15746f265962ba26ec3eaf1875543
Instruction Fuzzy Hash: 17E06871E05249AFFF40CEB08D9039E7B6DCB02204F3049D5D044C75C2E232C9118340

Non-executed Functions

Function 069076A0 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$tq, xrefs: 069077D4
$tq, xrefs: 06907B91
$tq, xrefs: 06907C46
$tq, xrefs: 06907805
$tq, xrefs: 06907B9D
$tq, xrefs: 06907C52
$tq, xrefs: 06907C30
$tq, xrefs: 06907C3C
$tq, xrefs: 069077E0
$tq, xrefs: 06907811

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID: $tq$$tq$$tq$$tq$$tq$$tq$$tq$$tq$$tq$$tq
API String ID: 0-173664734
Opcode ID: 943878e3896e251bc785a3f61e478d833f5093e1e7b701ac7850e0cd299879e5
Instruction ID: ceabaef471cdf692a7ebb2e555fa29c19bd1f4ac04f79fa4f5f20474914439ad
Opcode Fuzzy Hash: 943878e3896e251bc785a3f61e478d833f5093e1e7b701ac7850e0cd299879e5
Instruction Fuzzy Hash: D5121F70E00219CFDF64DBA5D894A9EB7B6FF88310F208569D40AAB795DB30AD45CF90

Function 0690A948 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$tq, xrefs: 0690AB06
$tq, xrefs: 0690AA99
$tq, xrefs: 0690AAFA
$tq, xrefs: 0690AAA5
$tq, xrefs: 0690AAC4
$tq, xrefs: 0690AA4A
$tq, xrefs: 0690AAD0
$tq, xrefs: 0690AA3E

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID: $tq$$tq$$tq$$tq$$tq$$tq$$tq$$tq
API String ID: 0-3970889292
Opcode ID: 22fef62883fc020084852270cf3df04ec69a9c91d8860b8b8c3c3bf364e4a160
Instruction ID: fd94ce7ffc8087b346f19808d7e2140d68e58ad2f35c90d9852c01a029735d88
Opcode Fuzzy Hash: 22fef62883fc020084852270cf3df04ec69a9c91d8860b8b8c3c3bf364e4a160
Instruction Fuzzy Hash: 6691AE70A10309DFEF64DB69DA547AEB7B6BF84310F208529E402AB6D6DB349C41CBD0

Function 069070A0 Relevance: 7.9, Strings: 6, Instructions: 405COMMON

Download Yara Rule

Strings

$tq, xrefs: 06907382
$tq, xrefs: 0690753C
$tq, xrefs: 069075B4
$tq, xrefs: 069073E8
$tq, xrefs: 069075A8
$tq, xrefs: 069073DC

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID: $tq$$tq$$tq$$tq$$tq$$tq
API String ID: 0-2574395493
Opcode ID: 8096ef429234b6642442a218a867b0fb8eea811f2a6ff33ec6fa83bde529a0d0
Instruction ID: 6db3c0f309c8631a11ce56982395ce8a881d28bd507f5e5c2a956761a77432c0
Opcode Fuzzy Hash: 8096ef429234b6642442a218a867b0fb8eea811f2a6ff33ec6fa83bde529a0d0
Instruction Fuzzy Hash: 61F17170B01208CFEB54EBA9D854A6EB7B6FF84310F248529D4069F799DF35AC42CB81

Function 069083D8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$tq, xrefs: 06908697
$tq, xrefs: 06908632
$tq, xrefs: 069086A3
$tq, xrefs: 0690863E

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID: $tq$$tq$$tq$$tq
API String ID: 0-173548568
Opcode ID: 1474c7687aec16902dc64126a31562684ef8aacbee560d667d1f7ad199c23005
Instruction ID: 776697ccabcd5bc836264b3068f29800452c3804b219e49899213e38a3d42ac6
Opcode Fuzzy Hash: 1474c7687aec16902dc64126a31562684ef8aacbee560d667d1f7ad199c23005
Instruction Fuzzy Hash: 6BB12A70B102098FEF94EBA9D95465EB7B6EF84300F248529D406DB795DB75DC82CB80

Function 0690ACD0 Relevance: 5.2, Strings: 4, Instructions: 173COMMON

Download Yara Rule

Strings

$tq, xrefs: 0690AEAC
$tq, xrefs: 0690AE54
$tq, xrefs: 0690AE01
$tq, xrefs: 0690AE83

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID: $tq$$tq$$tq$$tq
API String ID: 0-173548568
Opcode ID: 1bbb800fd610c3a54d4aa8f6e6a15adeaa140b2e9d5f81c7b6ca02de2dad0521
Instruction ID: 48f850f478a6ba244ed245ad3963b0fdd51d5e8ccbaf10c76d96b10961fa03eb
Opcode Fuzzy Hash: 1bbb800fd610c3a54d4aa8f6e6a15adeaa140b2e9d5f81c7b6ca02de2dad0521
Instruction Fuzzy Hash: 38517430A103059FEF65DB64D99066EB7B6EF84311F20892AE806DB796DB34DC41CBD1

Function 069087F0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LRtq, xrefs: 06908932
$tq, xrefs: 0690887B
$tq, xrefs: 0690886F
LRtq, xrefs: 069088E3

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID: LRtq$LRtq$$tq$$tq
API String ID: 0-1602856738
Opcode ID: 19ec4f5c3d9a7377c05733fa0425eca6547fa8a0dd18d01bcc3631504a6cf04b
Instruction ID: 7fc8957a58d8a9261933a10a7392c68c5678f07df697505a06973f105e2b90d5
Opcode Fuzzy Hash: 19ec4f5c3d9a7377c05733fa0425eca6547fa8a0dd18d01bcc3631504a6cf04b
Instruction Fuzzy Hash: F551C630B102059FEF58EB39DA50A6A77E6FF88314F148969E811DB7D5DA30EC41CB91

Function 0690AD5C Relevance: 5.1, Strings: 4, Instructions: 115COMMON

Download Yara Rule

Strings

$tq, xrefs: 0690AEAC
$tq, xrefs: 0690AE54
$tq, xrefs: 0690AE01
$tq, xrefs: 0690AE83

Memory Dump Source

Source File: 00000003.00000002.4135344771.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_WOOYANG VENUS PARTICULARS.jbxd

Similarity

API ID:
String ID: $tq$$tq$$tq$$tq
API String ID: 0-173548568
Opcode ID: 283e622060ec55cc7252d75e6c236109cdd01911eaa6e08c3dbd68c330cbf10f
Instruction ID: 58b3ec25268599fa753b7e1b50d55f433a0470d3c8974dbd3c53047a3180e518
Opcode Fuzzy Hash: 283e622060ec55cc7252d75e6c236109cdd01911eaa6e08c3dbd68c330cbf10f
Instruction Fuzzy Hash: D1414030B103058FEF65EB68E99057DB7B6EF88310B208529D8169B796DB35DC41CBD1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WOOYANG VENUS PARTICULARS.pdf.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WOOYANG VENUS PARTICULARS.pdf.scr.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dxv3plo5.1wy.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jrgadk3f.j20.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vjgvwdmp.mdo.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xzxq2erv.acj.ps1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
WOOYANG VENUS PARTICULARS.pdf.scr.exe

Function 074BBAC8 Relevance: 8.5, Strings: 6, Instructions: 1022
COMMON

Function 074B0460 Relevance: 6.9, Strings: 5, Instructions: 619
COMMON

Function 0760949D Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Function 076094A8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 0118B048 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Function 011844B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 011858EF Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre