Edit tour

Windows Analysis Report
Aclatis tool.exe

Overview

General Information

Sample name:	Aclatis tool.exe
Analysis ID:	1572856
MD5:	1f1d045c85370801e98c4e5a05f0a922
SHA1:	720ede2f5c4f866436be8499642904091c97d3ae
SHA256:	eacbd7f909bc29060a2915065b63543940c4b6a8e84a1bac9b4bf582b4bb6797
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

AI detected suspicious sample

Machine Learning detection for sample

PE file contains section with special chars

PE file has nameless sections

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Detected potential crypto function

Enables debug privileges

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Aclatis tool.exe (PID: 3748 cmdline: "C:\Users\user\Desktop\Aclatis tool.exe" MD5: 1F1D045C85370801E98C4E5A05F0A922)

WerFault.exe (PID: 7360 cmdline: C:\Windows\system32\WerFault.exe -u -p 3748 -s 2864 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Aclatis tool.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Aclatis tool.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2069140580.000001F5F3090000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.2040341656.000001F5D9FB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2062872915.000001F5F2800000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000000.1657662049.000001F5D7B44000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Aclatis tool.exe PID: 3748	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.Aclatis tool.exe.1f5f3090000.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Aclatis tool.exe.1f5ea2729a0.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Aclatis tool.exe.1f5ea4f29d8.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Aclatis tool.exe.1f5f2800000.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.Aclatis tool.exe.1f5f2800000.7.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.0.Aclatis tool.exe.1f5d79b0000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.0.Aclatis tool.exe.1f5d79b0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Aclatis tool.exe.1f5f26f8be0.6.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 3 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Aclatis tool.exe

Avira: detected

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.1% probability

Machine Learning detection for sample

Source: Aclatis tool.exe

Joe Sandbox ML: detected

Source: Aclatis tool.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 198.54.115.125:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: Aclatis tool.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Xml.ni.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: System.Windows.Forms.pdbkH source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: Aclatis tool.exe
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Aclatis tool.exe, 00000000.00000002.2071944842.000001F5F37D3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: C:\Users\user\Desktop\Aclatis tool.PDB= source: Aclatis tool.exe, 00000000.00000002.2037750812.0000000D234E2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: costura.costura.pdb.compressed source: Aclatis tool.exe
Source:	Binary string: costura.plist-cil.pdb.compressed source: Aclatis tool.exe
Source:	Binary string: System.Drawing.ni.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: System.Xml.pdbHtY source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: C:\Users\VASKE\source\repos\VASKE\MobileDevice\obj\Debug\MobileDevice.pdb source: Aclatis tool.exe, 00000000.00000002.2040130692.000001F5D9EE2000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: System.Xml.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: MobileDevice.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: C:\Users\user\Desktop\Aclatis tool.PDB source: Aclatis tool.exe, 00000000.00000002.2037750812.0000000D234E2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbj source: Aclatis tool.exe, 00000000.00000002.2071944842.000001F5F3720000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: C:\Users\VASKE\source\repos\VASKE\MobileDevice\obj\Debug\MobileDevice.pdb\|5 source: Aclatis tool.exe, 00000000.00000002.2040130692.000001F5D9EE2000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Aclatis tool.exe, 00000000.00000002.2071944842.000001F5F378E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: Aclatis tool.exe, 00000000.00000002.2061872560.000001F5F2670000.00000004.00000020.00020000.00000000.sdmp, WERB2FA.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Aclatis tool.exe, 00000000.00000002.2071944842.000001F5F3720000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: System.Management.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdbX source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: Aclatis tool.exe, 00000000.00000002.2071944842.000001F5F3720000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: Aclatis tool.PDB source: Aclatis tool.exe, 00000000.00000002.2037750812.0000000D234E2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: Acostura.plist-cil.pdb.compressed source: Aclatis tool.exe
Source:	Binary string: costura.plist-cil.pdb.compressed source: Aclatis tool.exe, 00000000.00000002.2040341656.000001F5D9FB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pC:\Users\user\Desktop\Aclatis tool.PDB source: Aclatis tool.exe, 00000000.00000002.2037750812.0000000D234E2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: Aclatis tool.exe, 00000000.00000002.2037750812.0000000D234E2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERB2FA.tmp.dmp.4.dr

Source: C:\Users\user\Desktop\Aclatis tool.exe

Code function: 4x nop then jmp 00007FFD9B897126h

0_2_00007FFD9B896F1E

Networking

Yara detected Generic Downloader

Source: Yara match	File source: Aclatis tool.exe, type: SAMPLE
Source: Yara match	File source: 0.2.Aclatis tool.exe.1f5f3090000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Aclatis tool.exe.1f5ea2729a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Aclatis tool.exe.1f5ea4f29d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Aclatis tool.exe.1f5d79b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2069140580.000001F5F3090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

HTTP traffic detected: GET /icloud/version_check/aclatis_tool.php HTTP/1.1Host: api.dmralawm.comAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /icloud/version_check/aclatis_tool.php HTTP/1.1Host: api.dmralawm.comAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: keyauth.win
Source: global traffic	DNS traffic detected: DNS query: api.dmralawm.com

Source: Aclatis tool.exe, 00000000.00000002.2069140580.000001F5F3090000.00000004.08000000.00040000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2055751806.000001F5EA092000.00000004.00000800.00020000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2055751806.000001F5EA4F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Aclatis tool.exe, 00000000.00000002.2069140580.000001F5F3090000.00000004.08000000.00040000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2055751806.000001F5EA092000.00000004.00000800.00020000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2055751806.000001F5EA4F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Aclatis tool.exe, 00000000.00000002.2069140580.000001F5F3090000.00000004.08000000.00040000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2055751806.000001F5EA092000.00000004.00000800.00020000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2055751806.000001F5EA4F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Aclatis tool.exe, 00000000.00000002.2069140580.000001F5F3090000.00000004.08000000.00040000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2055751806.000001F5EA092000.00000004.00000800.00020000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2055751806.000001F5EA4F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Aclatis tool.exe, 00000000.00000002.2069140580.000001F5F3090000.00000004.08000000.00040000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2055751806.000001F5EA092000.00000004.00000800.00020000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2055751806.000001F5EA4F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Aclatis tool.exe, 00000000.00000002.2069140580.000001F5F3090000.00000004.08000000.00040000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2055751806.000001F5EA092000.00000004.00000800.00020000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2055751806.000001F5EA4F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Aclatis tool.exe, 00000000.00000002.2069140580.000001F5F3090000.00000004.08000000.00040000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2055751806.000001F5EA092000.00000004.00000800.00020000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2055751806.000001F5EA4F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: Aclatis tool.exe, 00000000.00000002.2069140580.000001F5F3090000.00000004.08000000.00040000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2055751806.000001F5EA092000.00000004.00000800.00020000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2055751806.000001F5EA4F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: Aclatis tool.exe, 00000000.00000002.2069140580.000001F5F3090000.00000004.08000000.00040000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2055751806.000001F5EA092000.00000004.00000800.00020000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2055751806.000001F5EA4F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: Aclatis tool.exe, 00000000.00000002.2040341656.000001F5DA0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Aclatis tool.exe, 00000000.00000002.2040341656.000001F5DA0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.dmralawm.com
Source: Aclatis tool.exe, 00000000.00000002.2040341656.000001F5DA0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.dmralawm.com/icloud/version_check/aclatis_tool.php
Source: Aclatis tool.exe, 00000000.00000002.2040341656.000001F5D9FB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gunaui.com/
Source: Aclatis tool.exe, 00000000.00000002.2040341656.000001F5D9FB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gunaui.com/api/licensing.php
Source: Aclatis tool.exe, 00000000.00000002.2040341656.000001F5D9FB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gunaui.com/pricing

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443

Source: unknown

HTTPS traffic detected: 198.54.115.125:443 -> 192.168.2.4:49732 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: Aclatis tool.exe

Static PE information: section name: +14L

PE file has nameless sections

Source: Aclatis tool.exe	Static PE information: section name:
Source: Aclatis tool.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\Aclatis tool.exe

Code function: 0_2_00007FFD9B89F38D NtQueryInformationProcess,

0_2_00007FFD9B89F38D

Source: C:\Users\user\Desktop\Aclatis tool.exe	Code function: 0_2_00007FFD9B89D172	0_2_00007FFD9B89D172
Source: C:\Users\user\Desktop\Aclatis tool.exe	Code function: 0_2_00007FFD9B89BD1A	0_2_00007FFD9B89BD1A
Source: C:\Users\user\Desktop\Aclatis tool.exe	Code function: 0_2_00007FFD9B89B59D	0_2_00007FFD9B89B59D

Source: C:\Users\user\Desktop\Aclatis tool.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3748 -s 2864

Source: Aclatis tool.exe, 00000000.00000002.2069140580.000001F5F3090000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameGuna.UI2.dllD vs Aclatis tool.exe
Source: Aclatis tool.exe, 00000000.00000002.2055751806.000001F5EA092000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGuna.UI2.dllD vs Aclatis tool.exe
Source: Aclatis tool.exe, 00000000.00000002.2040130692.000001F5D9EE2000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilenameMobileDevice.dll: vs Aclatis tool.exe
Source: Aclatis tool.exe, 00000000.00000002.2055751806.000001F5EA4F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGuna.UI2.dllD vs Aclatis tool.exe

Source: Aclatis tool.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: Aclatis tool.exe

Static PE information: Section: +14L ZLIB complexity 1.0003087414089347

Source: 0.2.Aclatis tool.exe.1f5ea2729a0.5.raw.unpack, G22190F0D5B1120504B3E00280003060D0F0F4F3B300802384B21170B1B1507061C3811061E.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Aclatis tool.exe.1f5ea4f29d8.4.raw.unpack, G22190F0D5B1120504B3E00280003060D0F0F4F3B300802384B21170B1B1507061C3811061E.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Aclatis tool.exe.1f5f3090000.8.raw.unpack, G22190F0D5B1120504B3E00280003060D0F0F4F3B300802384B21170B1B1507061C3811061E.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal88.troj.evad.winEXE@2/5@2/1

Source: C:\Users\user\Desktop\Aclatis tool.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3748

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\f62550ee-3ca7-48ec-b378-c62400e43140

Jump to behavior

Source: Aclatis tool.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Aclatis tool.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Aclatis tool.exe

File read: C:\Users\user\Desktop\Aclatis tool.exe.config

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Aclatis tool.exe "C:\Users\user\Desktop\Aclatis tool.exe"
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3748 -s 2864

Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\Aclatis tool.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Aclatis tool.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Aclatis tool.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Aclatis tool.exe

Static file information: File size 8566304 > 1048576

Source: Aclatis tool.exe	Static PE information: Raw size of +14L is bigger than: 0x100000 < 0x190200
Source: Aclatis tool.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x681e00

Source: Aclatis tool.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Xml.ni.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: System.Windows.Forms.pdbkH source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: Aclatis tool.exe
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Aclatis tool.exe, 00000000.00000002.2071944842.000001F5F37D3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: C:\Users\user\Desktop\Aclatis tool.PDB= source: Aclatis tool.exe, 00000000.00000002.2037750812.0000000D234E2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: costura.costura.pdb.compressed source: Aclatis tool.exe
Source:	Binary string: costura.plist-cil.pdb.compressed source: Aclatis tool.exe
Source:	Binary string: System.Drawing.ni.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: System.Xml.pdbHtY source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: C:\Users\VASKE\source\repos\VASKE\MobileDevice\obj\Debug\MobileDevice.pdb source: Aclatis tool.exe, 00000000.00000002.2040130692.000001F5D9EE2000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: System.Xml.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: MobileDevice.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: C:\Users\user\Desktop\Aclatis tool.PDB source: Aclatis tool.exe, 00000000.00000002.2037750812.0000000D234E2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbj source: Aclatis tool.exe, 00000000.00000002.2071944842.000001F5F3720000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: C:\Users\VASKE\source\repos\VASKE\MobileDevice\obj\Debug\MobileDevice.pdb\|5 source: Aclatis tool.exe, 00000000.00000002.2040130692.000001F5D9EE2000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Aclatis tool.exe, 00000000.00000002.2071944842.000001F5F378E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: Aclatis tool.exe, 00000000.00000002.2061872560.000001F5F2670000.00000004.00000020.00020000.00000000.sdmp, WERB2FA.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Aclatis tool.exe, 00000000.00000002.2071944842.000001F5F3720000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: System.Management.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdbX source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: Aclatis tool.exe, 00000000.00000002.2071944842.000001F5F3720000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: Aclatis tool.PDB source: Aclatis tool.exe, 00000000.00000002.2037750812.0000000D234E2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: Acostura.plist-cil.pdb.compressed source: Aclatis tool.exe
Source:	Binary string: costura.plist-cil.pdb.compressed source: Aclatis tool.exe, 00000000.00000002.2040341656.000001F5D9FB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pC:\Users\user\Desktop\Aclatis tool.PDB source: Aclatis tool.exe, 00000000.00000002.2037750812.0000000D234E2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: Aclatis tool.exe, 00000000.00000002.2037750812.0000000D234E2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERB2FA.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERB2FA.tmp.dmp.4.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Aclatis tool.exe

Unpacked PE file: 0.2.Aclatis tool.exe.1f5d79b0000.0.unpack +14L:EW;Unknown_Section1:ER;Unknown_Section2:R;.Enigma:EW;UPX:ER;XD.C59B5:R;.UPX:R;.reloc:R; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:EW;Unknown_Section4:ER;Unknown_Section5:R;Unknown_Section6:R;Unknown_Section7:R;

Yara detected Costura Assembly Loader

Source: Yara match	File source: Aclatis tool.exe, type: SAMPLE
Source: Yara match	File source: 0.2.Aclatis tool.exe.1f5f2800000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Aclatis tool.exe.1f5f2800000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Aclatis tool.exe.1f5d79b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Aclatis tool.exe.1f5f26f8be0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2040341656.000001F5D9FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2062872915.000001F5F2800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1657662049.000001F5D7B44000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Aclatis tool.exe PID: 3748, type: MEMORYSTR

Source: Aclatis tool.exe

Static PE information: 0xE52B2DAB [Fri Nov 2 03:23:23 2091 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: UPX

Source: Aclatis tool.exe

Static PE information: real checksum: 0x82eae9 should be: 0x832742

Source: Aclatis tool.exe	Static PE information: section name: +14L
Source: Aclatis tool.exe	Static PE information: section name:
Source: Aclatis tool.exe	Static PE information: section name:
Source: Aclatis tool.exe	Static PE information: section name: .Enigma
Source: Aclatis tool.exe	Static PE information: section name: UPX
Source: Aclatis tool.exe	Static PE information: section name: XD.C59B5
Source: Aclatis tool.exe	Static PE information: section name: .UPX

Source: C:\Users\user\Desktop\Aclatis tool.exe	Code function: 0_2_00007FFD9B8A7A98 push esp; iretd		0_2_00007FFD9B8A7A99
Source: C:\Users\user\Desktop\Aclatis tool.exe	Code function: 0_2_00007FFD9BBB10DF push FFFFFFF2h; iretd		0_2_00007FFD9BBB10E4

Source: Aclatis tool.exe

Static PE information: section name: +14L entropy: 7.9998957138352

Source: C:\Users\user\Desktop\Aclatis tool.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Aclatis tool.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Aclatis tool.exe, 00000000.00000002.2040341656.000001F5D9FB1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\Aclatis tool.exe	Memory allocated: 1F5D8510000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Memory allocated: 1F5F1FB0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\Aclatis tool.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	File opened / queried: C:\WINDOWS\system32\drivers\vmmouse.sys	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	File opened / queried: C:\WINDOWS\system32\drivers\vmhgfs.sys	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	File opened / queried: C:\WINDOWS\system32\drivers\VBoxMouse.sys	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Aclatis tool.exe, 00000000.00000002.2040341656.000001F5D9FB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Aclatis tool.exe, 00000000.00000002.2040341656.000001F5D9FB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Aclatis tool.exe, 00000000.00000002.2061872560.000001F5F2670000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Aclatis tool.exe, 00000000.00000002.2040341656.000001F5D9FB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: &C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Aclatis tool.exe, 00000000.00000002.2040341656.000001F5D9FB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Aclatis tool.exe, 00000000.00000002.2040341656.000001F5D9FB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Aclatis tool.exe, 00000000.00000002.2040341656.000001F5D9FB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: )C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Aclatis tool.exe, 00000000.00000002.2040341656.000001F5D9FB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools
Source: Aclatis tool.exe, 00000000.00000002.2040341656.000001F5D9FB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Aclatis tool.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Aclatis tool.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\Aclatis tool.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Aclatis tool.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Users\user\Desktop\Aclatis tool.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Users\user\Desktop\MobileDevice.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Aclatis tool.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	13 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Query Registry	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	13 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Aclatis tool.exe	100%	Avira	HEUR/AGEN.1310356
Aclatis tool.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://api.dmralawm.com	0%	Avira URL Cloud	safe
https://api.dmralawm.com/icloud/version_check/aclatis_tool.php	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
keyauth.win	104.26.0.5	true	false		high
api.dmralawm.com	198.54.115.125	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.dmralawm.com/icloud/version_check/aclatis_tool.php	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.dmralawm.com	Aclatis tool.exe, 00000000.00000002.2040341656.000001F5DA0E2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.4.dr	false		high
http://www.fontbureau.com/designers	Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gunaui.com/api/licensing.php	Aclatis tool.exe, 00000000.00000002.2040341656.000001F5D9FB1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Aclatis tool.exe, 00000000.00000002.2040341656.000001F5DA0E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	Aclatis tool.exe, 00000000.00000002.2073065666.000001F5F4942000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gunaui.com/	Aclatis tool.exe, 00000000.00000002.2040341656.000001F5D9FB1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gunaui.com/pricing	Aclatis tool.exe, 00000000.00000002.2040341656.000001F5D9FB1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.54.115.125	api.dmralawm.com	United States		22612	NAMECHEAP-NETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572856
Start date and time:	2024-12-11 02:24:25 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Aclatis tool.exe
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@2/5@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 184.30.17.174, 20.190.147.10, 4.245.163.56, 4.175.87.197, 13.107.246.63
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:25:51	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
keyauth.win	IJGLxMMTaK.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	IJGLxMMTaK.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	dMFmJxq6oK.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	CCuITQzvd4.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	dMFmJxq6oK.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	file.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	exe004.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	IAdjMfB2A5.exe	Get hash	malicious	XWorm	Browse	104.26.0.5
	SecuriteInfo.com.Win64.Evo-gen.9614.31304.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.Evo-gen.9614.31304.exe	Get hash	malicious	Unknown	Browse	172.67.72.57

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NAMECHEAP-NETUS	Payment Advice - Advice RefA2dGOv46MCnu -USD Priority payment.exe	Get hash	malicious	FormBook	Browse	199.193.6.134
	MN1qo2qaJmEvXDP.exe	Get hash	malicious	FormBook	Browse	199.192.23.123
	qhjKN40R2Q.lnk	Get hash	malicious	Unknown	Browse	162.213.251.221
	https://www.toomanyfailurescannot.com/9IjIRd3	Get hash	malicious	HTMLPhisher	Browse	162.0.236.189
	Document_PDF.vbs	Get hash	malicious	FormBook	Browse	198.54.115.214
	http://url969.uniteddeleverycompany.com/ls/click?upn=u001.H7qy8CwvNpiem-2Bf7DeMFk7YJf68sOidxEWakApUPIOSZg2OY8dbdpgPNdKDwG5r9FFRxGTcDR4Y40gkedjWn5gmaEy2hdp5PhuemKZpyV0zDF4yZB1nSDE1glVUHkAxvk-2Bay1ScD58FIOgYpgYP6N0ScK3-2BfYjxiyiX8IVVnDpwETyB9eFyZIpVwHB3s73fG91OsUU5I5qElZ5zc-2F019KUvyyM6RxeXMegmcNjDutTA-2FnxufBtCMFX4wRkoDOM-2BzzsCiJIoY1mc9q42wLMHiq-2B4vv2-2FqoR1f2l-2BCmuACM5q-2FNbDZQstkQL5-2FH30fC7m19Rn-2BlXgwexRgjH0XwyNE8I2tRC8iv5uAUiLQk1AD6k0bLjsvdQWk9bfnh9YPL7n6nCIBdvs55pyxgyRAhb2C3g-3D-3DzLOu_oNIH2-2FxJ-2FTe1FaVJ1jWIKVy-2BRH8quBB-2F7-2FAZY1zuBa8sYO3A2kRlNC5SRLFjReRDbNAqQc8ija5eyvb3hMHW2LijdhuT99ojcYbvfeVDR6TjM8Iqq-2F4lpz7WKfkjLfs8kULSyk-2BJ2FHXElRwIq2EjJuur8G9AAw0HjpCQ3JV-2F1d4REvZ-2BdaWGeRZa46RgdqnKhZwT4HPC-2Fcr9dZBwLnURfD1x7OZfW9R3B1ZDWRdH1V-2F-2BR-2FWmM6h4NEHHRb9NNBhFNZPaY6piFBOFNOupA2OrFLOTElocKhsbRyDVGAbiBMte7-2BAjR-2BA2H-2F9CP2UREBvDHXsH-2BmlqvAryDrKjjAy8lTbA9nho9WLS1JKeGns5pAqmjv-2FPH8p3m8V8tFEPj2WLqfG6IzXwKcOMYvSrGYkMWMsBKmgc-2Bt-2BOg9a0jxMR-2BByynWcTgKhB44PNmoRQfd9lvEhtXtJnUleVDwJMZbPw60p1K6oxTexhzM9ScXx7kCprkCgMgcfi8rgis43afOn4xM8YRcMg9tIzu64CU7VuKJ-2BMFN5I78-2B8KPrNOjHK5o6ri9rwGpR8XbmEC-2BUi0PISrd7M-2BHCYWlP2o1TBL2OAmqufIzKPL-2F0NYk7NCFq-2BQEFmracNk-2BqqlMZ00PhqEs2JN98lsOxQ6MUbXZMcj-2FhqVBZVN97wkN60D56kJ-2FOQiaa7gW2IP4afUKBiy9Wl-2B0h0QTfxVEz3DZUlxRmNpooAbQL5Uk9Km4liDjAnP-2F9rKBZSc3OZEf33ZNLDn8jMDI2p9XCpZ-2BdDlLCTUAgCLNK0FE-2BJVvF9LYHxIrcC8tpkLszOdDeZHX2xcWm6Lc3y7tQCdb1uaEkAxyHmalygulTA8ODCE0Qj21BBKduU8fdD8C7u4Nqc-2BpJjM-2FhEfOBaq9vq0rNhSs4OVsJ7hESECV5WQ-3D-3D	Get hash	malicious	HTMLPhisher	Browse	198.54.116.132
	maybecreatebesthingswithgreatnicewhichgivenbreakingthingstobe.hta	Get hash	malicious	Cobalt Strike, FormBook, HTMLPhisher	Browse	162.213.249.216
	https://www.bing.com/ck/a?!&&p=b3ddcc612c5f63024f18df0521265aa33742187d0b01744f07bf6348af8f753eJmltdHM9MTczMzE4NDAwMA&ptn=3&ver=2&hsh=4&fclid=26e9525e-8a77-6109-2437-46988be9608d&psq=superpitmachinery.com&u=a1aHR0cHM6Ly9zdXBlcnBpdG1hY2hpbmVyeS5jb20v&ntb/#fi-weixiang.ong@falconincorporation.com	Get hash	malicious	Unknown	Browse	198.54.116.132
	https://Lakeheadu.hlov.de/Szii3aFWcmivgihoevuc/trTlqgskL4/K3qRQz5Ggziclxgen/t3JiPvu/Szii3aFWcmivgihoevuc/Advising/YSxMdD/lakeheadu.ca/Szii3aFWcmivgihoevuc	Get hash	malicious	HTMLPhisher	Browse	198.54.115.71
	https://fatcriminal.com/jepoeg.zip	Get hash	malicious	LummaC Stealer	Browse	185.61.155.45

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Confirm revised invoice to proceed with payment ASAP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	198.54.115.125
	751ietQPnX.lnk	Get hash	malicious	RHADAMANTHYS	Browse	198.54.115.125
	l92fYljXWF.lnk	Get hash	malicious	RHADAMANTHYS	Browse	198.54.115.125
	qxjDerXRGR.lnk	Get hash	malicious	RHADAMANTHYS	Browse	198.54.115.125
	taCCGTk8n1.lnk	Get hash	malicious	RHADAMANTHYS	Browse	198.54.115.125
	Richiesta di Indagine sulla Violazione del Copyright lnk.lnk	Get hash	malicious	Unknown	Browse	198.54.115.125
	9coWg6ayLz.msi	Get hash	malicious	Unknown	Browse	198.54.115.125
	UFS0yWUTWR.msi	Get hash	malicious	Unknown	Browse	198.54.115.125
	xrv3PCeWDV.msi	Get hash	malicious	Unknown	Browse	198.54.115.125

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Aclatis tool.exe_5577159b2c521b9a52d4f5af22dbf0c878524aea_d7fe8305_d98c4226-7d3a-4342-807f-be0c21fdc2d2\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.416746503984991
Encrypted:	false
SSDEEP:	384:7DexgV3pm5acZvdzaEzQWpgzuiFIY4lO8qkL:7Dexgbm5acZvdzaA/gzuiFIY4lO8qk
MD5:	F720D0A0144218E7ACC90A1D86C2DF7D
SHA1:	418C8BF92B65D2A033EA53B63F3456E2BB79D2BA
SHA-256:	6042042A462E5224AABC0325E82CECBF6665DB515062105142C8461AD036081B
SHA-512:	93027B663D953B3CDA447344E747200CEB2D09E861DD90B059A7678B76BDA171F0434247283BF2D753FBCAB0E953CFF8445229113087A2D0FABBB429AAA2E39E
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.3.5.3.9.2.8.7.0.4.1.3.2.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.3.5.3.9.2.9.8.6.0.3.7.4.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.9.8.c.4.2.2.6.-.7.d.3.a.-.4.3.4.2.-.8.0.7.f.-.b.e.0.c.2.1.f.d.c.2.d.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.f.a.3.6.2.a.0.-.a.3.6.7.-.4.f.8.3.-.8.a.3.8.-.8.6.5.9.2.f.f.7.f.5.3.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.A.c.l.a.t.i.s. .t.o.o.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.c.l.a.t.i.s. .t.o.o.l...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.a.4.-.0.0.0.1.-.0.0.1.4.-.0.a.f.8.-.3.0.8.7.6.b.4.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.7.4.f.7.6.c.7.c.3.d.5.2.c.b.7.a.3.6.c.5.4.2.4.7.f.4.5.f.3.8.c.0.0.0.0.0.0.0.0.!.0.0.0.0.7.2.0.e.d.e.2.f.5.c.4.f.8.6.6.4.3.6.b.e.8.4.9.9.6.4.2.9.0.4.0.9.1.c.9.7.d.3.a.e.!.A.c.l.a.t.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB2FA.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Wed Dec 11 01:25:29 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	1083114
Entropy (8bit):	3.471916620135248
Encrypted:	false
SSDEEP:	6144:+iSIIHMCdap68eBKYVRHEoGTz6IjVxq7u8BgR8bG3QPsqA7GWQ:+iSsCd+6PB3nm2IjVxqalR8CQP35
MD5:	337F01F4814E4F1B88B96F12009FF1CD
SHA1:	0FB25E059ABE550CF968675F9207CD33DA57BBBD
SHA-256:	FDD2BE4050320962977ED4D202D25E570906D55AB94811B623F2B3C2AADA0B96
SHA-512:	F81B0DB839B7CDEA1C3B22C3D3889BD9129FCE2A8ADCE1DF1BB9553F472604C6346D692145929B184B6BC1D50020FDB53C1C7AB59D6E41618D189227D710FE1E
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........Xg.........................(..........<....4.......F..05......................l.......8...........T................j...........{...........}..............................................................................eJ......8~......Lw......................T.............Xg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB618.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	10254
Entropy (8bit):	3.7124969823109
Encrypted:	false
SSDEEP:	192:R6l7wVeJXo70eM6Y9Iv5K0ImgmfZGosxjpr289bgf/fyAm:R6lXJXE0eM6Yyvw0hgmfIosXgnf0
MD5:	D85E017390EF870A959947FDC2F1FCFC
SHA1:	A5104D270A851F4435D36F16B98B5B2B2002826F
SHA-256:	F846FD8DF08E8929DDD3CB16A8210C69D02E14D6E6207D8E135D1AFC2F6D5835
SHA-512:	D0BD96AD611D770B582EFA18ADFC149A1E0443DE19E6966F157143EAE72D6CA30D45EC66A7880D3CA4E69D4E9D953AA6CFEEAE4E09A81C4B59D106EF0FB07842
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.7.4.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB657.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4828
Entropy (8bit):	4.464458766807287
Encrypted:	false
SSDEEP:	48:cvIwWl8zsUJg771I9ozWpW8VYsYm8M4J6GEIRFSyq8vNGEIGZwb7ejd:uIjfSI7/C7VcJOI2WdIGeb7ejd
MD5:	63984D66D5C4AD2BAA1762077C2B954C
SHA1:	501C170F33D84D708725750633DDF39CD9DD1C5E
SHA-256:	5B12B00D234308C03253691ADAA5764E68E9807577119D6296A8CD627043B5D5
SHA-512:	4A6BF1345301FA696836FF6AF576023709EC2C4F06CE304910254936CB38D3C5B31F91A78D41651BCF134041DE42706BEBAAD96CCF0850F700D0A9A6F9B049B7
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="625948" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465683600797112
Encrypted:	false
SSDEEP:	6144:XIXfpi67eLPU9skLmb0b4BWSPKaJG8nAgejZMMhA2gX4WABl0uN6dwBCswSbZw:YXD94BWlLZMM6YFHs+Z
MD5:	F8E38C28F2B3C4CD1198F05081F29C45
SHA1:	AB19BC870A9263609181039359E5CFDC50F4154F
SHA-256:	D924A46085B4C44E631DA66CEB05624CC93562D994535CEFD6482ECB45A00613
SHA-512:	C872B990BB9FDA62922D00DCA9272511234CD0E13592C6609BC17D6D2DEF7B55DCEAFDA552C4B054AB7D6DF3073AD6EDB22126411D3F6EE20F5FDFA5181C7935
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.A.kK.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.996625258055951
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Aclatis tool.exe
File size:	8'566'304 bytes
MD5:	1f1d045c85370801e98c4e5a05f0a922
SHA1:	720ede2f5c4f866436be8499642904091c97d3ae
SHA256:	eacbd7f909bc29060a2915065b63543940c4b6a8e84a1bac9b4bf582b4bb6797
SHA512:	deb844a389d496614025c10cf4f0822ae9945bd6ad12db4dd93be92a2bc4ceaad4841e5e16d57f544c8eb0c7237e9eb61010035b3e1564b170f234dcea8241f6
SSDEEP:	196608:7CNWawNvLSaxmCU8xnbgW31UQ47f9wgIa4z83wZrLkBRA+SJpm:0wJhYAeQ4YYwBOA+SJpm
TLSH:	8E8633A2258DCA6AD1AC63FB92FB715023F4D9F39846D30B77010ED568CA6F10D819F9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-+..........."...0.. h.......... ...@... ....@.. ....................................`................................

File Icon


Icon Hash:	45c88c90ccc4e4e1

Static PE Info

General

Entrypoint:	0xc3200a
Entrypoint Section:	UPX
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xE52B2DAB [Fri Nov 2 03:23:23 2091 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00C32000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1a4c3c	0x4f
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x816000	0x18215
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x838000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x832000	0x8	UPX
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x194000	0x48
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
+14L	0x2000	0x19015c	0x190200	e47550495858b0d876627d0d6f23e706	False	1.0003087414089347	data	7.9998957138352	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x194000	0x681c2c	0x681e00	7d198a0415b792ee83f14d0124efe48a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
	0x816000	0x18215	0x18400	d2fb981ee2ed4c46d2ae4692901908e7	False	0.9692735180412371	data	7.966047155030723	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.Enigma	0x830000	0xa	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX	0x832000	0x10	0x200	894c2680e05c629c0acd1d2cdf678ac5	False	0.044921875	data	0.14263576814887827	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
XD.C59B5	0x834000	0x4aa	0x600	c7c91f7a41fa7ed7ad9285f18ba84218	False	0.4615885416666667	data	4.7975099182658	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.UPX	0x836000	0x8b	0x200	c391ba0c64258e9d98fe84a6864df69b	False	0.0390625	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x838000	0xc	0x200	e8eff65f50619103e8dfd20176391d19	False	0.044921875	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "\203"	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x816130	0x16f4b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9990960043391792
RT_GROUP_ICON	0x82d07c	0x14	Targa image data - Map 32 x 28491 x 1 +1	1.05
RT_VERSION	0x82d090	0x344	data	0.423444976076555
RT_MANIFEST	0x82d3d4	0xe41	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.39599890380926284

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 11, 2024 02:25:20.436858892 CET	49732	443	192.168.2.4	198.54.115.125
Dec 11, 2024 02:25:20.436897993 CET	443	49732	198.54.115.125	192.168.2.4
Dec 11, 2024 02:25:20.436971903 CET	49732	443	192.168.2.4	198.54.115.125
Dec 11, 2024 02:25:20.452205896 CET	49732	443	192.168.2.4	198.54.115.125
Dec 11, 2024 02:25:20.452219009 CET	443	49732	198.54.115.125	192.168.2.4
Dec 11, 2024 02:25:21.990557909 CET	443	49732	198.54.115.125	192.168.2.4
Dec 11, 2024 02:25:21.990668058 CET	49732	443	192.168.2.4	198.54.115.125
Dec 11, 2024 02:25:21.994268894 CET	49732	443	192.168.2.4	198.54.115.125
Dec 11, 2024 02:25:21.994280100 CET	443	49732	198.54.115.125	192.168.2.4
Dec 11, 2024 02:25:21.994519949 CET	443	49732	198.54.115.125	192.168.2.4
Dec 11, 2024 02:25:22.047952890 CET	49732	443	192.168.2.4	198.54.115.125
Dec 11, 2024 02:25:22.091331959 CET	443	49732	198.54.115.125	192.168.2.4
Dec 11, 2024 02:25:22.545926094 CET	443	49732	198.54.115.125	192.168.2.4
Dec 11, 2024 02:25:22.545994997 CET	443	49732	198.54.115.125	192.168.2.4
Dec 11, 2024 02:25:22.546101093 CET	49732	443	192.168.2.4	198.54.115.125
Dec 11, 2024 02:25:22.559000969 CET	49732	443	192.168.2.4	198.54.115.125

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 11, 2024 02:25:15.937051058 CET	50420	53	192.168.2.4	1.1.1.1
Dec 11, 2024 02:25:16.172261000 CET	53	50420	1.1.1.1	192.168.2.4
Dec 11, 2024 02:25:19.574529886 CET	56357	53	192.168.2.4	1.1.1.1
Dec 11, 2024 02:25:20.000370026 CET	53	56357	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 11, 2024 02:25:15.937051058 CET	192.168.2.4	1.1.1.1	0x89e2	Standard query (0)	keyauth.win	A (IP address)	IN (0x0001)	false
Dec 11, 2024 02:25:19.574529886 CET	192.168.2.4	1.1.1.1	0x823	Standard query (0)	api.dmralawm.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 11, 2024 02:25:16.172261000 CET	1.1.1.1	192.168.2.4	0x89e2	No error (0)	keyauth.win	104.26.0.5	A (IP address)	IN (0x0001)	false
Dec 11, 2024 02:25:16.172261000 CET	1.1.1.1	192.168.2.4	0x89e2	No error (0)	keyauth.win	104.26.1.5	A (IP address)	IN (0x0001)	false
Dec 11, 2024 02:25:16.172261000 CET	1.1.1.1	192.168.2.4	0x89e2	No error (0)	keyauth.win	172.67.72.57	A (IP address)	IN (0x0001)	false
Dec 11, 2024 02:25:20.000370026 CET	1.1.1.1	192.168.2.4	0x823	No error (0)	api.dmralawm.com	198.54.115.125	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.dmralawm.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	198.54.115.125	443	3748	C:\Users\user\Desktop\Aclatis tool.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-11 01:25:22 UTC	135	OUT	GET /icloud/version_check/aclatis_tool.php HTTP/1.1 Host: api.dmralawm.com Accept-Encoding: gzip, deflate Connection: Keep-Alive
2024-12-11 01:25:22 UTC	242	IN	HTTP/1.1 200 OK keep-alive: timeout=5, max=100 x-powered-by: PHP/7.2.34 content-type: text/html; charset=UTF-8 content-length: 3 date: Wed, 11 Dec 2024 01:25:22 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close
2024-12-11 01:25:22 UTC	3	IN	Data Raw: 31 2e 34 Data Ascii: 1.4

Target ID:	0
Start time:	20:25:13
Start date:	10/12/2024
Path:	C:\Users\user\Desktop\Aclatis tool.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Aclatis tool.exe"
Imagebase:	0x1f5d79b0000
File size:	8'566'304 bytes
MD5 hash:	1F1D045C85370801E98C4E5A05F0A922
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.2069140580.000001F5F3090000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2040341656.000001F5D9FB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2062872915.000001F5F2800000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.1657662049.000001F5D7B44000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	20:25:28
Start date:	10/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3748 -s 2864
Imagebase:	0x7ff63d430000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	18.8%
Total number of Nodes:	16
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFD9B89F38D Relevance: 1.7, APIs: 1, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 00007FFD9B89F4C5

Memory Dump Source

Source File: 00000000.00000002.2082808153.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_Aclatis tool.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: e4da6bb7b9ce6b024638253fa19dc331ce45e0d6a0df65017ec4f6d380ff2647
Instruction ID: 802406dab0cd9a71fd4ef33cfc2720808eeba200aece58f58bd7776c636cd4a5
Opcode Fuzzy Hash: e4da6bb7b9ce6b024638253fa19dc331ce45e0d6a0df65017ec4f6d380ff2647
Instruction Fuzzy Hash: 7E51EF70A08A1C8FDBA8DF58D895BE9BBB1FB69310F1041AED44DE3251DA30A984CF44

Function 00007FFD9B89BD1A Relevance: .7, Instructions: 707
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2082808153.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9611d9db553a0db6259ffb9fb07cb5502cbfec76bafb5abf9e56530b1e134e9
Instruction ID: 392f774676b5b03c511304311158447b1342552536232d5c7daf8a8db6dfc03f
Opcode Fuzzy Hash: d9611d9db553a0db6259ffb9fb07cb5502cbfec76bafb5abf9e56530b1e134e9
Instruction Fuzzy Hash: 8F323D70A19A8D8FEBB8DF18C8697E937E1FF59301F00416AD84DC76A1DB755680CB41

Function 00007FFD9B89D172 Relevance: .7, Instructions: 667
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2082808153.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 887a2e610846ad08d3d3d577a8010bb4de1581d4a830ef2b32b6e9a2bf4d2f9b
Instruction ID: 746a0c66dd6c96f956b101884501a5e8b9b347b48534b39af763f26883d90a68
Opcode Fuzzy Hash: 887a2e610846ad08d3d3d577a8010bb4de1581d4a830ef2b32b6e9a2bf4d2f9b
Instruction Fuzzy Hash: 19322B70A19A8D8FDBB8EF18C865BE937E1FB58301F10416AD84DCB6A1DB749684CB41

Function 00007FFD9B8A1345 Relevance: 1.7, APIs: 1, Instructions: 216
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 00007FFD9B8A1466

Memory Dump Source

Source File: 00000000.00000002.2082808153.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_Aclatis tool.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 92155309cfd3144d114cc88180058c631d48f25d6432d2b3f27975ac2f2cfe35
Instruction ID: eac7b59a00e6aa90344f2b853f4c64e68437ce81e9e2e8ffbd410171bb8cd4f9
Opcode Fuzzy Hash: 92155309cfd3144d114cc88180058c631d48f25d6432d2b3f27975ac2f2cfe35
Instruction Fuzzy Hash: 2D519B7090870C8FDB58EF98C895AEDBBF0FF19300F1042AAD449E7251DB34A981CB81

Function 00007FFD9B892C35 Relevance: 1.7, APIs: 1, Instructions: 211
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 00007FFD9B892D96

Memory Dump Source

Source File: 00000000.00000002.2082808153.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_Aclatis tool.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a5fc7af5e6c54c8e514b8c5ad529f92bf01e91e13dde97c349809c2b6f558789
Instruction ID: 318a7b18c0150f6f8c0ae229dd40b96103035d34996a75573343bebaffbcac1e
Opcode Fuzzy Hash: a5fc7af5e6c54c8e514b8c5ad529f92bf01e91e13dde97c349809c2b6f558789
Instruction Fuzzy Hash: D6518E70909B4D8FDB58DF98C8A5AEDBBF0FF2A314F1001AAD449D7252DB30A945CB41

Function 00007FFD9B896B21 Relevance: 1.7, APIs: 1, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNEL32 ref: 00007FFD9B896C1A

Memory Dump Source

Source File: 00000000.00000002.2082808153.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_Aclatis tool.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: dfd9c0ea71d5cedb585f84a724e55705d290823ce1310bb0a377094d5f25f95e
Instruction ID: 82f7d34bdc10b7080f06cc0bf2f67c8bd8e897ade311841b98628ac0f921d512
Opcode Fuzzy Hash: dfd9c0ea71d5cedb585f84a724e55705d290823ce1310bb0a377094d5f25f95e
Instruction Fuzzy Hash: 14514A70908A5C8FDB59DFA8D858BEDBBF0FB5A310F1041AED049E7252DB749985CB40

Function 00007FFD9B892895 Relevance: 1.7, APIs: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNEL32 ref: 00007FFD9B896C1A

Memory Dump Source

Source File: 00000000.00000002.2082808153.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_Aclatis tool.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e3f7aeb97907b05c21cb6ffea193991f6c985a19345073d88f4e1fd8536c481d
Instruction ID: f0c1a449460b7ca913a36cca34f5cfd1d1fb630c967e3fe20c74fa7b5998a826
Opcode Fuzzy Hash: e3f7aeb97907b05c21cb6ffea193991f6c985a19345073d88f4e1fd8536c481d
Instruction Fuzzy Hash: 11512870E08A5C8FDB58DF98D859BADBBF1FB59310F20416ED009E7251DB74A986CB40

Function 00007FFD9B8A15A9 Relevance: 1.4, APIs: 1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32 ref: 00007FFD9B8A1672

Memory Dump Source

Source File: 00000000.00000002.2082808153.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_Aclatis tool.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8e57c00edb2d479bdd13a18b15c8d7e7a67aa270d9049e2cd6f16cc0d095c04e
Instruction ID: 53e8cf9d2ead3990fb21e95245f0bf529094ce1575f0acff04cac42df7f99115
Opcode Fuzzy Hash: 8e57c00edb2d479bdd13a18b15c8d7e7a67aa270d9049e2cd6f16cc0d095c04e
Instruction Fuzzy Hash: 5F410870E08A4C8FDB98DF98D895BEDBBF0EB5A310F1041AAD049E7252DA709885CB41

Function 00007FFD9B9D5804 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084290051.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9cf8e4dec380cb682920377800af1691d3bc721ea1c24db99c1c3876f5bf56c
Instruction ID: cc336ba4adbac5f03aaf3ed67f8ad92e5b67e63e6855359cfde0cb7c2902e393
Opcode Fuzzy Hash: d9cf8e4dec380cb682920377800af1691d3bc721ea1c24db99c1c3876f5bf56c
Instruction Fuzzy Hash: 5741B874E0A1698FDB69EF64C8696A9B7F1FF58300F1585EAD01DA7291CF346A80CF40

Function 00007FFD9B9D5E36 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084290051.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a940131cc9497234e062eb6d9f16752e178dbc86f8f7fa2c93621900cb7ff26
Instruction ID: 64cdd6b48e7e6701140786773178575d0783d89f44e6ba0cd5d6c089ab9bcecd
Opcode Fuzzy Hash: 7a940131cc9497234e062eb6d9f16752e178dbc86f8f7fa2c93621900cb7ff26
Instruction Fuzzy Hash: 77414D70F0912E8FDB68EFA4C8645A9B7B1FF49300F0005FAD01EA7695CA346A80CF51

Function 00007FFD9B9D0955 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084290051.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14100d956d25388717fa6b03472190fceca5ba0b769c93edb13db69b75d798b8
Instruction ID: 80bc8647bd7cce607afa08ea02d4c11461542e5e90f73a30980b3d1f3612a370
Opcode Fuzzy Hash: 14100d956d25388717fa6b03472190fceca5ba0b769c93edb13db69b75d798b8
Instruction Fuzzy Hash: 4F410C70E0951D8BEB68EF55C8649A9B7B2FF58300F0081F9D01DE72A5DB36AA91CF40

Function 00007FFD9B9D0617 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084290051.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf044f62ddf0ebf2146bafc9cf068a111156ea38a140ecdfcd0bdb3d38a1d0c3
Instruction ID: d983b6eb48b4e7ae848fe27549504f306ec48201d1e8630276e3eb582d95c118
Opcode Fuzzy Hash: cf044f62ddf0ebf2146bafc9cf068a111156ea38a140ecdfcd0bdb3d38a1d0c3
Instruction Fuzzy Hash: 5D412C70E0551E8FDB68EF64D8A85ADB7B1FF58300F1146FAD00DA72A6DA316A81CF40

Function 00007FFD9B9D07B8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084290051.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67908aabdf50bc6e61aa4e278f84a9f718b97a74bf813da430e22e7baa64cb6
Instruction ID: f748f82a20aea9de58a63ac4fe6473ae5c1c4d43524b55aaf845587c75646309
Opcode Fuzzy Hash: a67908aabdf50bc6e61aa4e278f84a9f718b97a74bf813da430e22e7baa64cb6
Instruction Fuzzy Hash: 1C41F070A1951A8FDB68EFA4C4656BDB3B1FF58300F1181FAD00EA7295DE346A81CF50

Function 00007FFD9B9D36BD Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084290051.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8875a0da8bd71929fd367b6e6f79a8a64892ade1e414857bec29ce6e0e30b428
Instruction ID: 250532bcbfb40baa5b41818f72cd44f6f16e7227ad95d06a6d810b493adcb44c
Opcode Fuzzy Hash: 8875a0da8bd71929fd367b6e6f79a8a64892ade1e414857bec29ce6e0e30b428
Instruction Fuzzy Hash: 8241FE70E1965DCFDB68EF64C8656A9B7B1FF58310F0046FAD00E97291DA346A80CF50

Function 00007FFD9B9D0AE7 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084290051.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd376ed8ffd1da21f41d80c6b02099372406f5149ac3770bc62125d76790d1f
Instruction ID: 1fef77404adbadfd9fdeaf528ea7bfbae637f4c6cb729f032efd7de189eecb55
Opcode Fuzzy Hash: 1cd376ed8ffd1da21f41d80c6b02099372406f5149ac3770bc62125d76790d1f
Instruction Fuzzy Hash: B5413070E14A1D8FEB68EF64C8659AEB7B1FF58301F0145F9901DA7296CE346A80CF44

Function 00007FFD9B9D0C83 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084290051.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccfb18117466fb0392ba91a60794a797232b13344babbced95203b532549ba1c
Instruction ID: 9ac85d3ead85b5c4ded1331a0756593b57905278036aed4f0ac79a861ce9eaee
Opcode Fuzzy Hash: ccfb18117466fb0392ba91a60794a797232b13344babbced95203b532549ba1c
Instruction Fuzzy Hash: 9E41ED70D1855E8BDB68EFA4C8656BDB7B1FF58300F1085FAD01EA7296CA346A81CF50

Function 00007FFD9B9D386B Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084290051.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c484fa59143c52ffb82c0f43d490d962c8ffe77f6cf2cb58cf851afb4b984ed
Instruction ID: 3f912ba98d823b6b7d6379017e83fe4ccfc5808cb1c8fdf5dcc39d8f7a06a7c8
Opcode Fuzzy Hash: 1c484fa59143c52ffb82c0f43d490d962c8ffe77f6cf2cb58cf851afb4b984ed
Instruction Fuzzy Hash: 52410070E1912E8FEB68EF64C865AA9B7B1FF48300F0045FAD01D97291CE746A81CF50

Function 00007FFD9B9D2EB2 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084290051.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f19355ab0aaac8c4c3167b2b1d813f4778a668318c9e7b0b739dee604cc88d4f
Instruction ID: 5b8b59a7cbea4ee40b09369c2d837fbb758c2869e5b521bda45eed3a12d921e6
Opcode Fuzzy Hash: f19355ab0aaac8c4c3167b2b1d813f4778a668318c9e7b0b739dee604cc88d4f
Instruction Fuzzy Hash: 59410A70E1951D9BDB68EFA8C8A56B9B7B1FF58300F1045EBD01EA3291DA346E81CF50

Function 00007FFD9B9D615E Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084290051.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c97d4da1e759ee5400c3fee8509376f3cf9c7964f7c7667baf3e203b1f2be84
Instruction ID: 5ed3aa4e86c318144d4a6791df0e614ce130ebe792b51a68d21b10103882d387
Opcode Fuzzy Hash: 2c97d4da1e759ee5400c3fee8509376f3cf9c7964f7c7667baf3e203b1f2be84
Instruction Fuzzy Hash: EB415070F1852D8FDB64EFA5C8646A9B3B1FF99300F0041EAD01EA7695CB346A80CF55

Function 00007FFD9B9D0772 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084290051.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2fddf85598f56d2044d665aa36bab4ed2ef26ba503bb0f4079955f34058f525
Instruction ID: df750d65a1860f9a48dbf6c98a34d52b9db2bc44ae8408c64c052cc8cdbeba75
Opcode Fuzzy Hash: f2fddf85598f56d2044d665aa36bab4ed2ef26ba503bb0f4079955f34058f525
Instruction Fuzzy Hash: 3541FB70E085198BEB68EF55C8649A9B7B2FF48300F1185F9D01DA72A5DB36AA91CF40

Function 00007FFD9BBB02EE Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2086215326.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbb0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e7873492e3646f05f9fb118c2980f5a7c898b802aebd0b84dadfc7132793dc4
Instruction ID: 5c4c4c6b868a92626b1a1536347fbcf60e9868d90f67033cd2acc6ecba2cd999
Opcode Fuzzy Hash: 0e7873492e3646f05f9fb118c2980f5a7c898b802aebd0b84dadfc7132793dc4
Instruction Fuzzy Hash: 3841EE70E4952D8FEB29DF65C865AE9B7B2BF58300F0001E9D01DA7291DE30AA81CF44

Function 00007FFD9B9D6432 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084290051.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d6cb23590bc51e739d0442793266df509b224902d7ef8bfe88e22af6e1dffb9
Instruction ID: 912f9d025bf2f7122327c1c9fe887d8a0e6c6fcb5dcf288f0beb277b2d534d8f
Opcode Fuzzy Hash: 2d6cb23590bc51e739d0442793266df509b224902d7ef8bfe88e22af6e1dffb9
Instruction Fuzzy Hash: DD4130B0E0912D8FDB68EF94C8646A9B7B1FF59300F0045FAD01EA7691CA346AC0CF55

Function 00007FFD9B9D3208 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084290051.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f4a794c46bc521b30edb18bd19c3b3e4e7683a44262e55df66d71dab3f855a
Instruction ID: a8665f96743433b9eeb9fc4abaa30d658fd96d2100d47e47b60b4f193a8ace77
Opcode Fuzzy Hash: 14f4a794c46bc521b30edb18bd19c3b3e4e7683a44262e55df66d71dab3f855a
Instruction Fuzzy Hash: DE31ED70E0851E8BEB68EF65C865AE9B7B1FF58300F0045FAD51EA7295CE746A80CF50

Non-executed Functions

Function 00007FFD9B89B59D Relevance: .6, Instructions: 613COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2082808153.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e6ffb68552a563ac535d6a29242290dc2161e0f42d3bb14a290024c8bbb81f3
Instruction ID: 83886f1d96a0a9cf82d3a0a3a87309bf5cfdc8a45a647e0dd1aa7e45c214d2bb
Opcode Fuzzy Hash: 7e6ffb68552a563ac535d6a29242290dc2161e0f42d3bb14a290024c8bbb81f3
Instruction Fuzzy Hash: F0223C70A19A8D8FDBB8EF28C865BE937E1FF59311F00416AD85EC72A1DB745680CB41

Function 00007FFD9B896F1E Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2082808153.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0529f618b3909b414a3cdd497ee18f3eb0a41eb3d674220d2a6299b09922876
Instruction ID: fc34f72c7a0edf4b8252828eecf0f17810c5e38ae8a94a8390fc2370591395e9
Opcode Fuzzy Hash: f0529f618b3909b414a3cdd497ee18f3eb0a41eb3d674220d2a6299b09922876
Instruction Fuzzy Hash: BD81C770908A8D8FEFA8DF68C855BE97BE0FF19350F10426AE84DC7291DB749585CB81

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Aclatis tool.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Aclatis tool.exe_5577159b2c521b9a52d4f5af22dbf0c878524aea_d7fe8305_d98c4226-7d3a-4342-807f-be0c21fdc2d2\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB2FA.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB618.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB657.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
Aclatis tool.exe

Function 00007FFD9B89F38D Relevance: 1.7, APIs: 1, Instructions: 180
nativeCOMMON

Function 00007FFD9B89BD1A Relevance: .7, Instructions: 707
COMMON

Function 00007FFD9B89D172 Relevance: .7, Instructions: 667
COMMON

Function 00007FFD9B8A1345 Relevance: 1.7, APIs: 1, Instructions: 216
memoryCOMMON

Function 00007FFD9B892C35 Relevance: 1.7, APIs: 1, Instructions: 211
memoryCOMMON

Function 00007FFD9B896B21 Relevance: 1.7, APIs: 1, Instructions: 158
COMMON

Function 00007FFD9B892895 Relevance: 1.7, APIs: 1, Instructions: 157
COMMON

Function 00007FFD9B8A15A9 Relevance: 1.4, APIs: 1, Instructions: 130
COMMON