Edit tour

Windows Analysis Report
Aclatis tool.exe

Overview

General Information

Sample name:	Aclatis tool.exe
Analysis ID:	1572856
MD5:	1f1d045c85370801e98c4e5a05f0a922
SHA1:	720ede2f5c4f866436be8499642904091c97d3ae
SHA256:	eacbd7f909bc29060a2915065b63543940c4b6a8e84a1bac9b4bf582b4bb6797
Infos:

Detection

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

AI detected suspicious sample

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for sample

PE file contains section with special chars

PE file has nameless sections

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Detected potential crypto function

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Aclatis tool.exe (PID: 3084 cmdline: "C:\Users\user\Desktop\Aclatis tool.exe" MD5: 1F1D045C85370801E98C4E5A05F0A922)

WerFault.exe (PID: 4588 cmdline: C:\Windows\system32\WerFault.exe -u -p 3084 -s 5608 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Aclatis tool.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Aclatis tool.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2376605761.0000012B80001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2401147676.0000012BEAA70000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.2394841899.0000012BEA190000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000000.1680525496.0000012BE7524000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Aclatis tool.exe PID: 3084	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.Aclatis tool.exe.12beaa70000.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Aclatis tool.exe.12b905422f8.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Aclatis tool.exe.12bea190000.6.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.Aclatis tool.exe.12bea190000.6.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.0.Aclatis tool.exe.12be7390000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.0.Aclatis tool.exe.12be7390000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Aclatis tool.exe

Avira: detected

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: Aclatis tool.exe

Joe Sandbox ML: detected

Source: Aclatis tool.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 198.54.115.125:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: Aclatis tool.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mscorlib.pdbD source: WER661D.tmp.dmp.4.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Aclatis tool.exe, 00000000.00000002.2407710536.0000012BEDB57000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.pdb` source: WER661D.tmp.dmp.4.dr
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: Aclatis tool.exe
Source:	Binary string: ^&indoC:\Windows\mscorlib.pdb source: Aclatis tool.exe, 00000000.00000002.2376141520.000000265E1D2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: Aclatis tool.PDB source: Aclatis tool.exe, 00000000.00000002.2376141520.000000265E1D2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed source: Aclatis tool.exe
Source:	Binary string: costura.plist-cil.pdb.compressed source: Aclatis tool.exe
Source:	Binary string: System.Drawing.ni.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb+z source: Aclatis tool.exe, 00000000.00000002.2407710536.0000012BEDB57000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER661D.tmp.dmp.4.dr
Source:	Binary string: C:\Users\VASKE\source\repos\VASKE\MobileDevice\obj\Debug\MobileDevice.pdb source: Aclatis tool.exe, 00000000.00000002.2394587885.0000012BEA0C2000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: System.Xml.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: MobileDevice.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER661D.tmp.dmp.4.dr
Source:	Binary string: ^&pC:\Users\user\Desktop\Aclatis tool.PDB source: Aclatis tool.exe, 00000000.00000002.2376141520.000000265E1D2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: C:\Users\VASKE\source\repos\VASKE\MobileDevice\obj\Debug\MobileDevice.pdb\|5 source: Aclatis tool.exe, 00000000.00000002.2394587885.0000012BEA0C2000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Aclatis tool.exe, 00000000.00000002.2393693325.0000012BEA07C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\Aclatis tool.PDB source: Aclatis tool.exe, 00000000.00000002.2407710536.0000012BEDAF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbfz source: Aclatis tool.exe, 00000000.00000002.2407710536.0000012BEDB57000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb/ source: WER661D.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: C:\Users\user\Desktop\Aclatis tool.PDB=@ source: Aclatis tool.exe, 00000000.00000002.2376141520.000000265E1D2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Aclatis tool.exe, 00000000.00000002.2407710536.0000012BEDAF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ool.PDB source: Aclatis tool.exe, 00000000.00000002.2376141520.000000265E1D2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.Management.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: Aclatis tool.exe, 00000000.00000002.2407710536.0000012BEDBB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: Acostura.plist-cil.pdb.compressed source: Aclatis tool.exe
Source:	Binary string: costura.plist-cil.pdb.compressed source: Aclatis tool.exe, 00000000.00000002.2376605761.0000012B80001000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER661D.tmp.dmp.4.dr

Source: C:\Users\user\Desktop\Aclatis tool.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], 00000000h	0_2_00007FFD9B89D415
Source: C:\Users\user\Desktop\Aclatis tool.exe	Code function: 4x nop then jmp 00007FFD9B89C1C1h	0_2_00007FFD9B89B461
Source: C:\Users\user\Desktop\Aclatis tool.exe	Code function: 4x nop then jmp 00007FFD9B89CF82h	0_2_00007FFD9B89B461
Source: C:\Users\user\Desktop\Aclatis tool.exe	Code function: 4x nop then jmp 00007FFD9B89CF81h	0_2_00007FFD9B89B461
Source: C:\Users\user\Desktop\Aclatis tool.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], 00000000h	0_2_00007FFD9B89D430
Source: C:\Users\user\Desktop\Aclatis tool.exe	Code function: 4x nop then jmp 00007FFD9B887126h	0_2_00007FFD9B886F1E
Source: C:\Users\user\Desktop\Aclatis tool.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], 00000000h	0_2_00007FFD9B89D4D3

Networking

Yara detected Generic Downloader

Source: Yara match	File source: Aclatis tool.exe, type: SAMPLE
Source: Yara match	File source: 0.2.Aclatis tool.exe.12beaa70000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Aclatis tool.exe.12b905422f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Aclatis tool.exe.12be7390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2401147676.0000012BEAA70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

HTTP traffic detected: GET /icloud/version_check/aclatis_tool.php HTTP/1.1Host: api.dmralawm.comAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /icloud/version_check/aclatis_tool.php HTTP/1.1Host: api.dmralawm.comAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: keyauth.win
Source: global traffic	DNS traffic detected: DNS query: api.dmralawm.com

Source: Aclatis tool.exe, 00000000.00000002.2401147676.0000012BEAA70000.00000004.08000000.00040000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2384048400.0000012B90542000.00000004.00000800.00020000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2384048400.0000012B9006A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Aclatis tool.exe, 00000000.00000002.2401147676.0000012BEAA70000.00000004.08000000.00040000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2384048400.0000012B90542000.00000004.00000800.00020000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2384048400.0000012B9006A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Aclatis tool.exe, 00000000.00000002.2401147676.0000012BEAA70000.00000004.08000000.00040000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2384048400.0000012B90542000.00000004.00000800.00020000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2384048400.0000012B9006A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Aclatis tool.exe, 00000000.00000002.2401147676.0000012BEAA70000.00000004.08000000.00040000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2384048400.0000012B90542000.00000004.00000800.00020000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2384048400.0000012B9006A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Aclatis tool.exe, 00000000.00000002.2401147676.0000012BEAA70000.00000004.08000000.00040000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2384048400.0000012B90542000.00000004.00000800.00020000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2384048400.0000012B9006A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Aclatis tool.exe, 00000000.00000002.2401147676.0000012BEAA70000.00000004.08000000.00040000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2384048400.0000012B90542000.00000004.00000800.00020000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2384048400.0000012B9006A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Aclatis tool.exe, 00000000.00000002.2401147676.0000012BEAA70000.00000004.08000000.00040000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2384048400.0000012B90542000.00000004.00000800.00020000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2384048400.0000012B9006A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: Aclatis tool.exe, 00000000.00000002.2401147676.0000012BEAA70000.00000004.08000000.00040000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2384048400.0000012B90542000.00000004.00000800.00020000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2384048400.0000012B9006A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: Aclatis tool.exe, 00000000.00000002.2401147676.0000012BEAA70000.00000004.08000000.00040000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2384048400.0000012B90542000.00000004.00000800.00020000.00000000.sdmp, Aclatis tool.exe, 00000000.00000002.2384048400.0000012B9006A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: Aclatis tool.exe, 00000000.00000002.2376605761.0000012B800D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Aclatis tool.exe, 00000000.00000002.2376605761.0000012B800D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.dmralawm.com
Source: Aclatis tool.exe, 00000000.00000002.2376605761.0000012B800D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.dmralawm.com/icloud/version_check/aclatis_tool.php
Source: Aclatis tool.exe, 00000000.00000002.2376605761.0000012B80001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gunaui.com/
Source: Aclatis tool.exe, 00000000.00000002.2376605761.0000012B80001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gunaui.com/api/licensing.php
Source: Aclatis tool.exe, 00000000.00000002.2376605761.0000012B80001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gunaui.com/pricing

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443

Source: unknown

HTTPS traffic detected: 198.54.115.125:443 -> 192.168.2.4:49732 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: Aclatis tool.exe

Static PE information: section name: +14L

PE file has nameless sections

Source: Aclatis tool.exe	Static PE information: section name:
Source: Aclatis tool.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\Aclatis tool.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Aclatis tool.exe

Code function: 0_2_00007FFD9B88F38D NtQueryInformationProcess,

0_2_00007FFD9B88F38D

Source: C:\Users\user\Desktop\Aclatis tool.exe	Code function: 0_2_00007FFD9B88D172	0_2_00007FFD9B88D172
Source: C:\Users\user\Desktop\Aclatis tool.exe	Code function: 0_2_00007FFD9B88BD1A	0_2_00007FFD9B88BD1A
Source: C:\Users\user\Desktop\Aclatis tool.exe	Code function: 0_2_00007FFD9B88B59D	0_2_00007FFD9B88B59D

Source: C:\Users\user\Desktop\Aclatis tool.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3084 -s 5608

Source: Aclatis tool.exe, 00000000.00000002.2401147676.0000012BEAA70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameGuna.UI2.dllD vs Aclatis tool.exe
Source: Aclatis tool.exe, 00000000.00000002.2384048400.0000012B90542000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGuna.UI2.dllD vs Aclatis tool.exe
Source: Aclatis tool.exe, 00000000.00000002.2384048400.0000012B9006A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGuna.UI2.dllD vs Aclatis tool.exe
Source: Aclatis tool.exe, 00000000.00000002.2394587885.0000012BEA0C2000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilenameMobileDevice.dll: vs Aclatis tool.exe

Source: Aclatis tool.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: Aclatis tool.exe

Static PE information: Section: +14L ZLIB complexity 1.0003087414089347

Source: 0.2.Aclatis tool.exe.12b905422f8.1.raw.unpack, G22190F0D5B1120504B3E00280003060D0F0F4F3B300802384B21170B1B1507061C3811061E.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Aclatis tool.exe.12beaa70000.7.raw.unpack, G22190F0D5B1120504B3E00280003060D0F0F4F3B300802384B21170B1B1507061C3811061E.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal92.troj.evad.winEXE@2/5@2/1

Source: C:\Users\user\Desktop\Aclatis tool.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3084

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\1ca8c6c9-1ad6-44e4-9932-58236c573aa0

Jump to behavior

Source: Aclatis tool.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Aclatis tool.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Aclatis tool.exe

File read: C:\Users\user\Desktop\Aclatis tool.exe.config

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Aclatis tool.exe "C:\Users\user\Desktop\Aclatis tool.exe"
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3084 -s 5608

Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\Aclatis tool.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Aclatis tool.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Aclatis tool.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Aclatis tool.exe

Static file information: File size 8566304 > 1048576

Source: Aclatis tool.exe	Static PE information: Raw size of +14L is bigger than: 0x100000 < 0x190200
Source: Aclatis tool.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x681e00

Source: Aclatis tool.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mscorlib.pdbD source: WER661D.tmp.dmp.4.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Aclatis tool.exe, 00000000.00000002.2407710536.0000012BEDB57000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.pdb` source: WER661D.tmp.dmp.4.dr
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: Aclatis tool.exe
Source:	Binary string: ^&indoC:\Windows\mscorlib.pdb source: Aclatis tool.exe, 00000000.00000002.2376141520.000000265E1D2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: Aclatis tool.PDB source: Aclatis tool.exe, 00000000.00000002.2376141520.000000265E1D2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed source: Aclatis tool.exe
Source:	Binary string: costura.plist-cil.pdb.compressed source: Aclatis tool.exe
Source:	Binary string: System.Drawing.ni.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb+z source: Aclatis tool.exe, 00000000.00000002.2407710536.0000012BEDB57000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER661D.tmp.dmp.4.dr
Source:	Binary string: C:\Users\VASKE\source\repos\VASKE\MobileDevice\obj\Debug\MobileDevice.pdb source: Aclatis tool.exe, 00000000.00000002.2394587885.0000012BEA0C2000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: System.Xml.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: MobileDevice.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER661D.tmp.dmp.4.dr
Source:	Binary string: ^&pC:\Users\user\Desktop\Aclatis tool.PDB source: Aclatis tool.exe, 00000000.00000002.2376141520.000000265E1D2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: C:\Users\VASKE\source\repos\VASKE\MobileDevice\obj\Debug\MobileDevice.pdb\|5 source: Aclatis tool.exe, 00000000.00000002.2394587885.0000012BEA0C2000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Aclatis tool.exe, 00000000.00000002.2393693325.0000012BEA07C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\Aclatis tool.PDB source: Aclatis tool.exe, 00000000.00000002.2407710536.0000012BEDAF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbfz source: Aclatis tool.exe, 00000000.00000002.2407710536.0000012BEDB57000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb/ source: WER661D.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: C:\Users\user\Desktop\Aclatis tool.PDB=@ source: Aclatis tool.exe, 00000000.00000002.2376141520.000000265E1D2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Aclatis tool.exe, 00000000.00000002.2407710536.0000012BEDAF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ool.PDB source: Aclatis tool.exe, 00000000.00000002.2376141520.000000265E1D2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.Management.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: Aclatis tool.exe, 00000000.00000002.2407710536.0000012BEDBB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: Acostura.plist-cil.pdb.compressed source: Aclatis tool.exe
Source:	Binary string: costura.plist-cil.pdb.compressed source: Aclatis tool.exe, 00000000.00000002.2376605761.0000012B80001000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdb source: WER661D.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER661D.tmp.dmp.4.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Aclatis tool.exe

Unpacked PE file: 0.2.Aclatis tool.exe.12be7390000.4.unpack +14L:EW;Unknown_Section1:ER;Unknown_Section2:R;.Enigma:EW;UPX:ER;XD.C59B5:R;.UPX:R;.reloc:R; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:EW;Unknown_Section4:ER;Unknown_Section5:R;Unknown_Section6:R;Unknown_Section7:R;

Yara detected Costura Assembly Loader

Source: Yara match	File source: Aclatis tool.exe, type: SAMPLE
Source: Yara match	File source: 0.2.Aclatis tool.exe.12bea190000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Aclatis tool.exe.12bea190000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Aclatis tool.exe.12be7390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2376605761.0000012B80001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2394841899.0000012BEA190000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1680525496.0000012BE7524000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Aclatis tool.exe PID: 3084, type: MEMORYSTR

Source: Aclatis tool.exe

Static PE information: 0xE52B2DAB [Fri Nov 2 03:23:23 2091 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: UPX

Source: Aclatis tool.exe

Static PE information: real checksum: 0x82eae9 should be: 0x832742

Source: Aclatis tool.exe	Static PE information: section name: +14L
Source: Aclatis tool.exe	Static PE information: section name:
Source: Aclatis tool.exe	Static PE information: section name:
Source: Aclatis tool.exe	Static PE information: section name: .Enigma
Source: Aclatis tool.exe	Static PE information: section name: UPX
Source: Aclatis tool.exe	Static PE information: section name: XD.C59B5
Source: Aclatis tool.exe	Static PE information: section name: .UPX

Source: C:\Users\user\Desktop\Aclatis tool.exe

Code function: 0_2_00007FFD9BBB50DE push esp; iretd

0_2_00007FFD9BBB50E0

Source: Aclatis tool.exe

Static PE information: section name: +14L entropy: 7.9998957138352

Source: C:\Users\user\Desktop\Aclatis tool.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Aclatis tool.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Aclatis tool.exe, 00000000.00000002.2376605761.0000012B80001000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\Aclatis tool.exe	Memory allocated: 12BE7F00000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Memory allocated: 12BE97F0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\Aclatis tool.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	File opened / queried: C:\WINDOWS\system32\drivers\vmmouse.sys	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	File opened / queried: C:\WINDOWS\system32\drivers\vmhgfs.sys	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	File opened / queried: C:\WINDOWS\system32\drivers\VBoxMouse.sys	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\Aclatis tool.exe

Window / User API: threadDelayed 351

Jump to behavior

Source: C:\Users\user\Desktop\Aclatis tool.exe

Last function: Thread delayed

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Aclatis tool.exe, 00000000.00000002.2376605761.0000012B80001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Aclatis tool.exe, 00000000.00000002.2376605761.0000012B80001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Aclatis tool.exe, 00000000.00000002.2393693325.0000012BE9FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[[
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Aclatis tool.exe, 00000000.00000002.2376605761.0000012B80001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: &C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Aclatis tool.exe, 00000000.00000002.2376605761.0000012B80001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Aclatis tool.exe, 00000000.00000002.2376605761.0000012B80001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Aclatis tool.exe, 00000000.00000002.2376605761.0000012B80001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: )C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Aclatis tool.exe, 00000000.00000002.2376605761.0000012B80001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools
Source: Aclatis tool.exe, 00000000.00000002.2376605761.0000012B80001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Aclatis tool.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\Aclatis tool.exe

Code function: 0_2_00007FFD9B89D415 CheckRemoteDebuggerPresent,

0_2_00007FFD9B89D415

Source: C:\Users\user\Desktop\Aclatis tool.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\Aclatis tool.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Aclatis tool.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Users\user\Desktop\Aclatis tool.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Users\user\Desktop\MobileDevice.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aclatis tool.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Aclatis tool.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	13 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Query Registry	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	331 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	13 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Aclatis tool.exe	100%	Avira	HEUR/AGEN.1310356
Aclatis tool.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://api.dmralawm.com/icloud/version_check/aclatis_tool.php	0%	Avira URL Cloud	safe
https://api.dmralawm.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
keyauth.win	104.26.0.5	true	false		high
api.dmralawm.com	198.54.115.125	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.dmralawm.com/icloud/version_check/aclatis_tool.php	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.dmralawm.com	Aclatis tool.exe, 00000000.00000002.2376605761.0000012B800D5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.4.dr	false		high
http://www.fontbureau.com/designers	Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gunaui.com/api/licensing.php	Aclatis tool.exe, 00000000.00000002.2376605761.0000012B80001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Aclatis tool.exe, 00000000.00000002.2376605761.0000012B800D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	Aclatis tool.exe, 00000000.00000002.2404078320.0000012BEBFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gunaui.com/	Aclatis tool.exe, 00000000.00000002.2376605761.0000012B80001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gunaui.com/pricing	Aclatis tool.exe, 00000000.00000002.2376605761.0000012B80001000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.54.115.125	api.dmralawm.com	United States		22612	NAMECHEAP-NETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572856
Start date and time:	2024-12-11 02:30:33 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Aclatis tool.exe
Detection:	MAL
Classification:	mal92.troj.evad.winEXE@2/5@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212, 184.30.17.174, 4.245.163.56, 20.190.181.23, 13.107.246.63
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
keyauth.win	IJGLxMMTaK.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	IJGLxMMTaK.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	dMFmJxq6oK.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	CCuITQzvd4.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	dMFmJxq6oK.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	file.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	exe004.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	IAdjMfB2A5.exe	Get hash	malicious	XWorm	Browse	104.26.0.5
	SecuriteInfo.com.Win64.Evo-gen.9614.31304.exe	Get hash	malicious	Unknown	Browse	104.26.0.5

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NAMECHEAP-NETUS	Payment Advice - Advice RefA2dGOv46MCnu -USD Priority payment.exe	Get hash	malicious	FormBook	Browse	199.193.6.134
	MN1qo2qaJmEvXDP.exe	Get hash	malicious	FormBook	Browse	199.192.23.123
	qhjKN40R2Q.lnk	Get hash	malicious	Unknown	Browse	162.213.251.221
	https://www.toomanyfailurescannot.com/9IjIRd3	Get hash	malicious	HTMLPhisher	Browse	162.0.236.189
	Document_PDF.vbs	Get hash	malicious	FormBook	Browse	198.54.115.214
	http://url969.uniteddeleverycompany.com/ls/click?upn=u001.H7qy8CwvNpiem-2Bf7DeMFk7YJf68sOidxEWakApUPIOSZg2OY8dbdpgPNdKDwG5r9FFRxGTcDR4Y40gkedjWn5gmaEy2hdp5PhuemKZpyV0zDF4yZB1nSDE1glVUHkAxvk-2Bay1ScD58FIOgYpgYP6N0ScK3-2BfYjxiyiX8IVVnDpwETyB9eFyZIpVwHB3s73fG91OsUU5I5qElZ5zc-2F019KUvyyM6RxeXMegmcNjDutTA-2FnxufBtCMFX4wRkoDOM-2BzzsCiJIoY1mc9q42wLMHiq-2B4vv2-2FqoR1f2l-2BCmuACM5q-2FNbDZQstkQL5-2FH30fC7m19Rn-2BlXgwexRgjH0XwyNE8I2tRC8iv5uAUiLQk1AD6k0bLjsvdQWk9bfnh9YPL7n6nCIBdvs55pyxgyRAhb2C3g-3D-3DzLOu_oNIH2-2FxJ-2FTe1FaVJ1jWIKVy-2BRH8quBB-2F7-2FAZY1zuBa8sYO3A2kRlNC5SRLFjReRDbNAqQc8ija5eyvb3hMHW2LijdhuT99ojcYbvfeVDR6TjM8Iqq-2F4lpz7WKfkjLfs8kULSyk-2BJ2FHXElRwIq2EjJuur8G9AAw0HjpCQ3JV-2F1d4REvZ-2BdaWGeRZa46RgdqnKhZwT4HPC-2Fcr9dZBwLnURfD1x7OZfW9R3B1ZDWRdH1V-2F-2BR-2FWmM6h4NEHHRb9NNBhFNZPaY6piFBOFNOupA2OrFLOTElocKhsbRyDVGAbiBMte7-2BAjR-2BA2H-2F9CP2UREBvDHXsH-2BmlqvAryDrKjjAy8lTbA9nho9WLS1JKeGns5pAqmjv-2FPH8p3m8V8tFEPj2WLqfG6IzXwKcOMYvSrGYkMWMsBKmgc-2Bt-2BOg9a0jxMR-2BByynWcTgKhB44PNmoRQfd9lvEhtXtJnUleVDwJMZbPw60p1K6oxTexhzM9ScXx7kCprkCgMgcfi8rgis43afOn4xM8YRcMg9tIzu64CU7VuKJ-2BMFN5I78-2B8KPrNOjHK5o6ri9rwGpR8XbmEC-2BUi0PISrd7M-2BHCYWlP2o1TBL2OAmqufIzKPL-2F0NYk7NCFq-2BQEFmracNk-2BqqlMZ00PhqEs2JN98lsOxQ6MUbXZMcj-2FhqVBZVN97wkN60D56kJ-2FOQiaa7gW2IP4afUKBiy9Wl-2B0h0QTfxVEz3DZUlxRmNpooAbQL5Uk9Km4liDjAnP-2F9rKBZSc3OZEf33ZNLDn8jMDI2p9XCpZ-2BdDlLCTUAgCLNK0FE-2BJVvF9LYHxIrcC8tpkLszOdDeZHX2xcWm6Lc3y7tQCdb1uaEkAxyHmalygulTA8ODCE0Qj21BBKduU8fdD8C7u4Nqc-2BpJjM-2FhEfOBaq9vq0rNhSs4OVsJ7hESECV5WQ-3D-3D	Get hash	malicious	HTMLPhisher	Browse	198.54.116.132
	maybecreatebesthingswithgreatnicewhichgivenbreakingthingstobe.hta	Get hash	malicious	Cobalt Strike, FormBook, HTMLPhisher	Browse	162.213.249.216
	https://www.bing.com/ck/a?!&&p=b3ddcc612c5f63024f18df0521265aa33742187d0b01744f07bf6348af8f753eJmltdHM9MTczMzE4NDAwMA&ptn=3&ver=2&hsh=4&fclid=26e9525e-8a77-6109-2437-46988be9608d&psq=superpitmachinery.com&u=a1aHR0cHM6Ly9zdXBlcnBpdG1hY2hpbmVyeS5jb20v&ntb/#fi-weixiang.ong@falconincorporation.com	Get hash	malicious	Unknown	Browse	198.54.116.132
	https://Lakeheadu.hlov.de/Szii3aFWcmivgihoevuc/trTlqgskL4/K3qRQz5Ggziclxgen/t3JiPvu/Szii3aFWcmivgihoevuc/Advising/YSxMdD/lakeheadu.ca/Szii3aFWcmivgihoevuc	Get hash	malicious	HTMLPhisher	Browse	198.54.115.71

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Confirm revised invoice to proceed with payment ASAP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	198.54.115.125
	751ietQPnX.lnk	Get hash	malicious	RHADAMANTHYS	Browse	198.54.115.125
	l92fYljXWF.lnk	Get hash	malicious	RHADAMANTHYS	Browse	198.54.115.125
	qxjDerXRGR.lnk	Get hash	malicious	RHADAMANTHYS	Browse	198.54.115.125
	taCCGTk8n1.lnk	Get hash	malicious	RHADAMANTHYS	Browse	198.54.115.125
	Richiesta di Indagine sulla Violazione del Copyright lnk.lnk	Get hash	malicious	Unknown	Browse	198.54.115.125
	9coWg6ayLz.msi	Get hash	malicious	Unknown	Browse	198.54.115.125
	UFS0yWUTWR.msi	Get hash	malicious	Unknown	Browse	198.54.115.125

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Aclatis tool.exe_5577159b2c521b9a52d4f5af22dbf0c878524aea_d7fe8305_a59ff790-2bff-4d5a-bd48-1bcc99adcb10\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.4165262439006563
Encrypted:	false
SSDEEP:	384:JDefgVmpm5acZvdzaEzQWpgzuiFvY4lO8qkL:JDefgam5acZvdzaA/gzuiFvY4lO8qk
MD5:	2965B7F8EF36D3F322D546688D5C82B1
SHA1:	393C0EE5D05AFA36C4B397AE3A2452458160F0F5
SHA-256:	98B233779A14D60FB72C39A6A4FF7DD3E2337946CACC47DFF6BFA16BDF1F0A98
SHA-512:	3A07EEF43E729DFD5B42A4BC978E80D46F8A49488BABA50551555EBD65261DA49DC04CFEA81504B1E2261B606F42FE846B0AA1B66578EC974A4FDC617DD00ACA
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.3.5.4.2.9.7.5.2.2.0.1.2.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.3.5.4.2.9.9.2.2.5.1.3.9.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.5.9.f.f.7.9.0.-.2.b.f.f.-.4.d.5.a.-.b.d.4.8.-.1.b.c.c.9.9.a.d.c.b.1.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.0.e.7.b.d.5.e.-.5.9.e.5.-.4.c.f.d.-.9.7.6.c.-.b.a.6.4.8.b.f.7.6.0.8.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.A.c.l.a.t.i.s. .t.o.o.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.c.l.a.t.i.s. .t.o.o.l...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.0.c.-.0.0.0.1.-.0.0.1.4.-.2.b.a.0.-.f.f.6.3.6.c.4.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.7.4.f.7.6.c.7.c.3.d.5.2.c.b.7.a.3.6.c.5.4.2.4.7.f.4.5.f.3.8.c.0.0.0.0.0.0.0.0.!.0.0.0.0.7.2.0.e.d.e.2.f.5.c.4.f.8.6.6.4.3.6.b.e.8.4.9.9.6.4.2.9.0.4.0.9.1.c.9.7.d.3.a.e.!.A.c.l.a.t.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER661D.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Wed Dec 11 01:31:38 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	1131836
Entropy (8bit):	3.466701443399564
Encrypted:	false
SSDEEP:	6144:CFat6cGv4mMp7o2vbH72IeR85YWcLYjjgPqIitBgR8szZJx3Q316l+G:CO6cGv4To22W5YugqI5R8kZfQ3E
MD5:	EA0129580D11AC53CA3047A883251D51
SHA1:	DFE2CCC459060930A83827ADA824A7195B26DF18
SHA-256:	7423B753D99E59685B295F3697F3A5D75FADE995CDA49B9535F0B77BDACD4765
SHA-512:	18EDFB94954545E44BD188FDA542F371B7E44250EF69429586227907199557CA1CC2DEB63A0669A5512137C8D2B816259DE644D157C63B66F76D9076BCE7A725
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......z.Xg.........................(..........<....4.......F...5......D...............l.......8...........T............f..4............{..........p}..............................................................................eJ.......~......Lw......................T...........l.Xg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B5E.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	10256
Entropy (8bit):	3.7121511399407714
Encrypted:	false
SSDEEP:	192:R6l7wVeJYoygYe6Y9llvWQgmfZGosxAprp89b1FtZlf0jHm:R6lXJYdgYe6Y/lvZgmfIosl1Ft7fH
MD5:	2AA58AFADF8EE368A5D8EB1E1B0182D8
SHA1:	F9BB03650B5EA520833B1B67736FA32EC6FD144B
SHA-256:	2F737864F3B3CB6C4B4DB1F0FE9D0978B3490989FEA74133EA58DBC0EA62A04C
SHA-512:	7EFC32DDE19596ED5D34C8118AC8D592E75992E513C4FEFCBCD95E1ACF15477B54E27B05E517D909B51FDBDA09DD6577230E0D47C7E1F0922F231E2774D9133C
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.0.8.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B8E.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4828
Entropy (8bit):	4.458691747644802
Encrypted:	false
SSDEEP:	48:cvIwWl8zsBJg771I9xGWpW8VYVPYm8M4J6GEIRFzyq8vNGEIvb7ehed:uIjfTI7GH7VMSJOIHWdIvb7ehed
MD5:	91B59BB02B99DC938F86D00EF2C00E16
SHA1:	9F40E1C937C4A51CA0A66F960F46441BF9EE011C
SHA-256:	5A36A6F2960129F968E35E5AE6EE8A1B98C24816C1FDB79D1D178E2401C55855
SHA-512:	14448B66E6D169A1739AF45D6B873DC5C28B5BB86D6B1EDDD13A126FB9D41E0CFDC17D0445FEBB9801FF6777A5C1AD6C3CEDE6C8B7730BE1DF40A53067D85253
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="625954" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465663667035671
Encrypted:	false
SSDEEP:	6144:9IXfpi67eLPU9skLmb0b49WSPKaJG8nAgejZMMhA2gX4WABl0uN6dwBCswSbZS:uXD949WlLZMM6YFHs+Z
MD5:	D71EDD04C08F4A8AD6A0D8C916C2478E
SHA1:	A0F5DD6CB4BB23C97D4498C616CF6ACD6E2C117E
SHA-256:	30E5BEE33D47CD2D62C214B272E24D098E6F3828EA66334640E1ECA25D3BFF74
SHA-512:	B55BD90A38D58C124FDF1D73960BF011E87AEABD2E4DDB7EA054B3C6E06062520610151C8DB1808C3ECFC25F3116E4421ABF5B86894C4FE01E03B1B3898284F1
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmb5.klK................................................................................................................................................................................................................................................................................................................................................_........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.996625258055951
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Aclatis tool.exe
File size:	8'566'304 bytes
MD5:	1f1d045c85370801e98c4e5a05f0a922
SHA1:	720ede2f5c4f866436be8499642904091c97d3ae
SHA256:	eacbd7f909bc29060a2915065b63543940c4b6a8e84a1bac9b4bf582b4bb6797
SHA512:	deb844a389d496614025c10cf4f0822ae9945bd6ad12db4dd93be92a2bc4ceaad4841e5e16d57f544c8eb0c7237e9eb61010035b3e1564b170f234dcea8241f6
SSDEEP:	196608:7CNWawNvLSaxmCU8xnbgW31UQ47f9wgIa4z83wZrLkBRA+SJpm:0wJhYAeQ4YYwBOA+SJpm
TLSH:	8E8633A2258DCA6AD1AC63FB92FB715023F4D9F39846D30B77010ED568CA6F10D819F9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-+..........."...0.. h.......... ...@... ....@.. ....................................`................................

File Icon


Icon Hash:	45c88c90ccc4e4e1

Static PE Info

General

Entrypoint:	0xc3200a
Entrypoint Section:	UPX
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xE52B2DAB [Fri Nov 2 03:23:23 2091 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00C32000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1a4c3c	0x4f
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x816000	0x18215
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x838000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x832000	0x8	UPX
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x194000	0x48
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
+14L	0x2000	0x19015c	0x190200	e47550495858b0d876627d0d6f23e706	False	1.0003087414089347	data	7.9998957138352	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x194000	0x681c2c	0x681e00	7d198a0415b792ee83f14d0124efe48a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
	0x816000	0x18215	0x18400	d2fb981ee2ed4c46d2ae4692901908e7	False	0.9692735180412371	data	7.966047155030723	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.Enigma	0x830000	0xa	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX	0x832000	0x10	0x200	894c2680e05c629c0acd1d2cdf678ac5	False	0.044921875	data	0.14263576814887827	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
XD.C59B5	0x834000	0x4aa	0x600	c7c91f7a41fa7ed7ad9285f18ba84218	False	0.4615885416666667	data	4.7975099182658	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.UPX	0x836000	0x8b	0x200	c391ba0c64258e9d98fe84a6864df69b	False	0.0390625	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x838000	0xc	0x200	e8eff65f50619103e8dfd20176391d19	False	0.044921875	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "\203"	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x816130	0x16f4b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9990960043391792
RT_GROUP_ICON	0x82d07c	0x14	Targa image data - Map 32 x 28491 x 1 +1	1.05
RT_VERSION	0x82d090	0x344	data	0.423444976076555
RT_MANIFEST	0x82d3d4	0xe41	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.39599890380926284

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 11, 2024 02:31:29.882474899 CET	49732	443	192.168.2.4	198.54.115.125
Dec 11, 2024 02:31:29.882508039 CET	443	49732	198.54.115.125	192.168.2.4
Dec 11, 2024 02:31:29.882577896 CET	49732	443	192.168.2.4	198.54.115.125
Dec 11, 2024 02:31:29.893729925 CET	49732	443	192.168.2.4	198.54.115.125
Dec 11, 2024 02:31:29.893743992 CET	443	49732	198.54.115.125	192.168.2.4
Dec 11, 2024 02:31:31.432018042 CET	443	49732	198.54.115.125	192.168.2.4
Dec 11, 2024 02:31:31.432121992 CET	49732	443	192.168.2.4	198.54.115.125
Dec 11, 2024 02:31:31.435233116 CET	49732	443	192.168.2.4	198.54.115.125
Dec 11, 2024 02:31:31.435245037 CET	443	49732	198.54.115.125	192.168.2.4
Dec 11, 2024 02:31:31.435462952 CET	443	49732	198.54.115.125	192.168.2.4
Dec 11, 2024 02:31:31.524708033 CET	49732	443	192.168.2.4	198.54.115.125
Dec 11, 2024 02:31:31.534327984 CET	49732	443	192.168.2.4	198.54.115.125
Dec 11, 2024 02:31:31.579344034 CET	443	49732	198.54.115.125	192.168.2.4
Dec 11, 2024 02:31:31.989324093 CET	443	49732	198.54.115.125	192.168.2.4
Dec 11, 2024 02:31:31.989382982 CET	443	49732	198.54.115.125	192.168.2.4
Dec 11, 2024 02:31:31.989465952 CET	49732	443	192.168.2.4	198.54.115.125
Dec 11, 2024 02:31:31.996965885 CET	49732	443	192.168.2.4	198.54.115.125

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 11, 2024 02:31:26.698633909 CET	53479	53	192.168.2.4	1.1.1.1
Dec 11, 2024 02:31:26.845523119 CET	53	53479	1.1.1.1	192.168.2.4
Dec 11, 2024 02:31:29.643915892 CET	62212	53	192.168.2.4	1.1.1.1
Dec 11, 2024 02:31:29.861053944 CET	53	62212	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 11, 2024 02:31:26.698633909 CET	192.168.2.4	1.1.1.1	0xd871	Standard query (0)	keyauth.win	A (IP address)	IN (0x0001)	false
Dec 11, 2024 02:31:29.643915892 CET	192.168.2.4	1.1.1.1	0x123e	Standard query (0)	api.dmralawm.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 11, 2024 02:31:26.845523119 CET	1.1.1.1	192.168.2.4	0xd871	No error (0)	keyauth.win	104.26.0.5	A (IP address)	IN (0x0001)	false
Dec 11, 2024 02:31:26.845523119 CET	1.1.1.1	192.168.2.4	0xd871	No error (0)	keyauth.win	104.26.1.5	A (IP address)	IN (0x0001)	false
Dec 11, 2024 02:31:26.845523119 CET	1.1.1.1	192.168.2.4	0xd871	No error (0)	keyauth.win	172.67.72.57	A (IP address)	IN (0x0001)	false
Dec 11, 2024 02:31:29.861053944 CET	1.1.1.1	192.168.2.4	0x123e	No error (0)	api.dmralawm.com	198.54.115.125	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.dmralawm.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	198.54.115.125	443	3084	C:\Users\user\Desktop\Aclatis tool.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-11 01:31:31 UTC	135	OUT	GET /icloud/version_check/aclatis_tool.php HTTP/1.1 Host: api.dmralawm.com Accept-Encoding: gzip, deflate Connection: Keep-Alive
2024-12-11 01:31:31 UTC	242	IN	HTTP/1.1 200 OK keep-alive: timeout=5, max=100 x-powered-by: PHP/7.2.34 content-type: text/html; charset=UTF-8 content-length: 3 date: Wed, 11 Dec 2024 01:31:31 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close
2024-12-11 01:31:31 UTC	3	IN	Data Raw: 31 2e 34 Data Ascii: 1.4

Target ID:	0
Start time:	20:31:24
Start date:	10/12/2024
Path:	C:\Users\user\Desktop\Aclatis tool.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Aclatis tool.exe"
Imagebase:	0x12be7390000
File size:	8'566'304 bytes
MD5 hash:	1F1D045C85370801E98C4E5A05F0A922
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2376605761.0000012B80001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.2401147676.0000012BEAA70000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2394841899.0000012BEA190000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.1680525496.0000012BE7524000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	20:31:37
Start date:	10/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3084 -s 5608
Imagebase:	0x7ff693f00000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	13.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	40%
Total number of Nodes:	15
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B89D415 Relevance: 2.0, APIs: 1, Instructions: 513
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2409647609.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a42e736805c712ce91defb31f715d834457638eda07f94c429ddce57e1ba48
Instruction ID: 6e583fe28251dfafe0f3ad3e924adbaccba7b9bbaa5845c0ef9ac457d128a2ac
Opcode Fuzzy Hash: 52a42e736805c712ce91defb31f715d834457638eda07f94c429ddce57e1ba48
Instruction Fuzzy Hash: 78F17F62E0F6C99FEB15DBA898655ECBFB0FF56310F0841BBC098870E3DA25A545C784

Function 00007FFD9B89D430 Relevance: 2.0, APIs: 1, Instructions: 478
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2409647609.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a62064437546f33fc1ac3dc700e939cf116d09dd5f61d04d43d13d6299632d5
Instruction ID: b14844749b829f0a75a83e73adfa3a099b66f68c3fed3a39ee3492f49688d8fd
Opcode Fuzzy Hash: 9a62064437546f33fc1ac3dc700e939cf116d09dd5f61d04d43d13d6299632d5
Instruction Fuzzy Hash: 42E19062E0F6CA9FEB15DBA898655E8BFB0FF56310F0841BBC09C870D3DA25A545C784

Function 00007FFD9B89D4D3 Relevance: 2.0, APIs: 1, Instructions: 457
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32 ref: 00007FFD9B89D838

Memory Dump Source

Source File: 00000000.00000002.2409647609.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Aclatis tool.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 1af3253d53db45d04db646e777e336467cf331c398f5bc29e30804cbb4e98251
Instruction ID: 38500d8e37cf4b3994fa0b0ebfe05864fec0966667693597b19cb8329f668413
Opcode Fuzzy Hash: 1af3253d53db45d04db646e777e336467cf331c398f5bc29e30804cbb4e98251
Instruction Fuzzy Hash: 08E1A162E0E69A9FEB159BA89C255ECBFB0FF16314F0841BBC09C870D3DE15A545C784

Function 00007FFD9B89B461 Relevance: 1.9, Instructions: 1921
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2409647609.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27dfb18f19080dd9eccbc9c0156b0fe9ff8e3e79d3d7524a441f897e06f66cc5
Instruction ID: 9f5a39d4760644ea33e4f6c1ff2d96e316df4f6f3e4be8423be6ba26d77f49df
Opcode Fuzzy Hash: 27dfb18f19080dd9eccbc9c0156b0fe9ff8e3e79d3d7524a441f897e06f66cc5
Instruction Fuzzy Hash: 1D03A670E09A2D8FDB64EB68C8656E8B7B1EF59301F5041EAD01DE72A1CE356E81CF41

Function 00007FFD9B88F38D Relevance: 1.7, APIs: 1, Instructions: 182
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 00007FFD9B88F4C5

Memory Dump Source

Source File: 00000000.00000002.2409647609.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Aclatis tool.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 36f9b749ca79564ef354364008c082761c9ba85294afc15fcb2d62522a9901bb
Instruction ID: 49782253814307b31189280c97fd28bd72e3affb0ab634888c117afc407006d0
Opcode Fuzzy Hash: 36f9b749ca79564ef354364008c082761c9ba85294afc15fcb2d62522a9901bb
Instruction Fuzzy Hash: 05510270A08A1C8FDBA8DF58D895BE9BBF1FB69310F1051AED44DE3251DA30A985CF44

Function 00007FFD9B88BD1A Relevance: .7, Instructions: 711
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2409647609.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e37949ef5e049669bd3844f088da6b9cc98bb49d900f9fee9e29fb9e21e0ec
Instruction ID: 2c9588f20ef4b585f7cd880c3839f9c662970f3721f8abd8d2a727f1ac9464b4
Opcode Fuzzy Hash: a2e37949ef5e049669bd3844f088da6b9cc98bb49d900f9fee9e29fb9e21e0ec
Instruction Fuzzy Hash: F3325F70A09A8D8FDBB8DF18C869BE937E1FF59301F00416AD85ECB2A1DB745680CB41

Function 00007FFD9B88D172 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409647609.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a3fe1c039b2d324a25a14ec225ca33f890ed89397e49d7e3495b3a04a42901
Instruction ID: 443f25b693a73647040d8f521f45ea92edaac28918033eb350d4c9424739afe9
Opcode Fuzzy Hash: 07a3fe1c039b2d324a25a14ec225ca33f890ed89397e49d7e3495b3a04a42901
Instruction Fuzzy Hash: B8323B70A19A8D8FDBB8EF18C865BE937E1FB58311F10416ED85DCB2A1DB749640CB41

Function 00007FFD9B882C35 Relevance: 1.7, APIs: 1, Instructions: 212
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 00007FFD9B882D96

Memory Dump Source

Source File: 00000000.00000002.2409647609.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Aclatis tool.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 4efa1611c9878029f663a906d2b4c14b7e1b014e607b9eb3e9b85704824a0e70
Instruction ID: 54e3c1c7083b75672eeb36e8d3d1f15eb1a52207f9decfc1ad7493b4005f5bd3
Opcode Fuzzy Hash: 4efa1611c9878029f663a906d2b4c14b7e1b014e607b9eb3e9b85704824a0e70
Instruction Fuzzy Hash: CE619070908B4D8FDB54EF98C895AEDBBF1FF6A310F1141AAC449D7292DA30A985CB41

Function 00007FFD9B891358 Relevance: 1.7, APIs: 1, Instructions: 174
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 00007FFD9B891466

Memory Dump Source

Source File: 00000000.00000002.2409647609.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Aclatis tool.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e40016990bd0e4a69791ab2b7eac49f9ed58a89dfa291488f9fc8984c40a0d7d
Instruction ID: 6a3891812d9943d1c0ead3d3eac1c1ca0f07e79c07ddff3e89d543ef12674899
Opcode Fuzzy Hash: e40016990bd0e4a69791ab2b7eac49f9ed58a89dfa291488f9fc8984c40a0d7d
Instruction Fuzzy Hash: 44512670918B1C8FDB58DF98C885AEDBBF1FB69314F10426ED44AE3251DB70A981CB81

Function 00007FFD9B882895 Relevance: 1.7, APIs: 1, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2409647609.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda02fe2d14dc6c726e2e810e77de499de0f68880143493ead0e6fc53a1ee03d
Instruction ID: 28dd356d7f4521fb2729b461482f095b0b690f216b8684099aa5dadfe7156300
Opcode Fuzzy Hash: cda02fe2d14dc6c726e2e810e77de499de0f68880143493ead0e6fc53a1ee03d
Instruction Fuzzy Hash: 7E513B70E08A5C8FEB58DF98D859BADBBF1FB59310F10416ED009E7252DB74A946CB40

Function 00007FFD9B886B21 Relevance: 1.7, APIs: 1, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNEL32 ref: 00007FFD9B886C1A

Memory Dump Source

Source File: 00000000.00000002.2409647609.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Aclatis tool.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 851241d52af29297a7dd2e46a9d4c4fadd90472d768cabae9942ebbc61326817
Instruction ID: 18a696b84004f550312e45737ec61cee5fd1dd32a42186611e2dd360812e70c3
Opcode Fuzzy Hash: 851241d52af29297a7dd2e46a9d4c4fadd90472d768cabae9942ebbc61326817
Instruction Fuzzy Hash: 2D515C70908A4C8FDB58DFA8D858BEDBBF1FB5A310F10416ED049E7262DB749845CB00

Function 00007FFD9B8961A1 Relevance: 1.4, APIs: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32 ref: 00007FFD9B896272

Memory Dump Source

Source File: 00000000.00000002.2409647609.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Aclatis tool.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 97fca0c8921103800e9b6421f7ae500ad29e5ab6d52f6134af7abea3770ef703
Instruction ID: 225e891f6062a0b6a78176fadf06e6d75f1d3da2f337d7b0f94c2459c12f2cd6
Opcode Fuzzy Hash: 97fca0c8921103800e9b6421f7ae500ad29e5ab6d52f6134af7abea3770ef703
Instruction Fuzzy Hash: 2E412970A0864C8FDB98DF98D895BEDBBF0FB5A310F1041AED04DE7252DA70A846CB41

Function 00007FFD9B9D5E18 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411443025.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49381e9d1588c4fc39eba108b38e8494a302c339930162aeeafe551611c39ba7
Instruction ID: 1b65c8c399155856733e574b706769832e877ec7d515437332b0f99296f97462
Opcode Fuzzy Hash: 49381e9d1588c4fc39eba108b38e8494a302c339930162aeeafe551611c39ba7
Instruction Fuzzy Hash: CF512D70F0951E8FDB68EFA4C8649A9B7B1FF49300F1045EAD01EA7695CA356E80CF61

Function 00007FFD9B9D57EC Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411443025.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 578352006359c9d1b12090002c2822acf80de42c4cef638ae9a3bd5782abb230
Instruction ID: 1d6ed4c5706b00fae76de2fcbcf978dc5e8aeb3b8f1b237f7f51a47b79caf2a2
Opcode Fuzzy Hash: 578352006359c9d1b12090002c2822acf80de42c4cef638ae9a3bd5782abb230
Instruction Fuzzy Hash: D751FC74E0A2598FEB69EF54C8696A9B7F1FF48300F1585EAD01DA7291CF346A80CF50

Function 00007FFD9B9D6140 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411443025.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e4266f69f7862cb25a047c437af98405050fb1a807f73a161a14119bc8abb37
Instruction ID: 75602b2cd89948c52d05562a536286471157314d44f5dab4a6fc909b5a724b4c
Opcode Fuzzy Hash: 8e4266f69f7862cb25a047c437af98405050fb1a807f73a161a14119bc8abb37
Instruction Fuzzy Hash: 06415F70E0961D8FDB64EFA8C8646A9B7B1FF99300F0045EAD01EA7695CB346A80CF15

Function 00007FFD9B9D6414 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411443025.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93bd3fe7af5c9e990a1d16cba1c9bb73287f9f2f644fc06e62b2265ccc949b1c
Instruction ID: d0c7c58c397275c088ea30a4322242d2a782eaca17221f3c7a3779c06df27c4d
Opcode Fuzzy Hash: 93bd3fe7af5c9e990a1d16cba1c9bb73287f9f2f644fc06e62b2265ccc949b1c
Instruction Fuzzy Hash: 9D415F70E0911D8FDB68EFA4C8646A9B7B1FF59300F1046FAC01DE7695CA346A80CF61

Function 00007FFD9B9D0955 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411443025.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d85387079d514a48799c304a260d0f9d6f68143af3dfb23c5968cff15a4ab2c1
Instruction ID: 94713c2bcab1fe591ca32e16dd5ecf5aee79cc8bb0a4c98c9f2056236723275a
Opcode Fuzzy Hash: d85387079d514a48799c304a260d0f9d6f68143af3dfb23c5968cff15a4ab2c1
Instruction Fuzzy Hash: 2541E970A0951D8FEB68EF54C8649A9B7B2FF58300F0081F9D01DE72A5DA366A91CF40

Function 00007FFD9B9D1CBC Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411443025.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6411e831015eb72110e21af683f12912745a3d1fff197160aee77d85cfe11883
Instruction ID: 4ac29cfb2018fc9a2ab6a69ee9f6d03d20df46d62565fc33f9a87dbb6a93fe92
Opcode Fuzzy Hash: 6411e831015eb72110e21af683f12912745a3d1fff197160aee77d85cfe11883
Instruction Fuzzy Hash: 9541FB70E15A2D8FDB68EF54CC646AEB7B2FF59302F0045EAD00D972A1DA306A808F54

Function 00007FFD9B9D0617 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411443025.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28904f4601ab0ab89ba837bb0eb885e15cf7ef587c7cd352e37426aa6d869aaf
Instruction ID: d77c4df1837ecd530e9fb69011f3ca497248c09ed23edb57475b5f39a3f2ae2f
Opcode Fuzzy Hash: 28904f4601ab0ab89ba837bb0eb885e15cf7ef587c7cd352e37426aa6d869aaf
Instruction Fuzzy Hash: 8F412B70E0551E8FDB68EF54D8A85ADB7B1FF58300F1146FAD01EA72A6DA316A81CF40

Function 00007FFD9B9D07B8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411443025.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf8fea35d39fca79a767a391c12b10214c20dc40da667c8a4e497ef7eb64fcf
Instruction ID: a10be0eab0623873dcd87f77b9b3a36b5046545be6fa24eab09b4ada3e73eb34
Opcode Fuzzy Hash: 3bf8fea35d39fca79a767a391c12b10214c20dc40da667c8a4e497ef7eb64fcf
Instruction Fuzzy Hash: 4741F070A1951A8FDB68EF94C4656BDB7B1FF58300F1181FAD00EA7295DE346A81CF50

Function 00007FFD9B9D36BD Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411443025.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d029f297a482bb9c602c68dcd51535f0b0f6e356781477137d0f39df9d7b2525
Instruction ID: 1c3d1966e6edf3dec7a3144dc014dd9fcd052a742358f64b2678397716b4d642
Opcode Fuzzy Hash: d029f297a482bb9c602c68dcd51535f0b0f6e356781477137d0f39df9d7b2525
Instruction Fuzzy Hash: 6841FC70E1965DCFDB68EF64C8656A9B7B1FF58310F0046FAD00EA7291DA386A80CF50

Function 00007FFD9B9D12E0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411443025.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6779e57d29ccefab63405988402f9d45b4ba30989703221e8c7a2ec128135bca
Instruction ID: 5ca0ac9e9da2a7e4b554181a7d8d4c3224233dc286ce599085e12770c86022b2
Opcode Fuzzy Hash: 6779e57d29ccefab63405988402f9d45b4ba30989703221e8c7a2ec128135bca
Instruction Fuzzy Hash: E5414F70E1915A8FDB64FFA4C8615A9B7B2FF68300F1041FAD01DAB2A2DE756980CF50

Function 00007FFD9B9D0AE7 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411443025.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67411da6f06f8179d249c42831f4fefb195f50cf50f3c1b98a446b5804214d7f
Instruction ID: 494bf17223fd5e7ed1ba4aca7d069fc634880bc4e089c84c3fd32555153cc77e
Opcode Fuzzy Hash: 67411da6f06f8179d249c42831f4fefb195f50cf50f3c1b98a446b5804214d7f
Instruction Fuzzy Hash: FA413070E18A1D8FEB68EF54C8659AEB7B1FF58301F0145F9901DA7296CE346A80CF44

Function 00007FFD9B9D0C83 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411443025.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de9147b8d32343c63beffc2b6649da043f3e2448037da501fa8b4e0d3153fd9e
Instruction ID: f7d8820ce7dbe0567b619647f678897cd40bef2affb06ca4e29fec2b216d0b37
Opcode Fuzzy Hash: de9147b8d32343c63beffc2b6649da043f3e2448037da501fa8b4e0d3153fd9e
Instruction Fuzzy Hash: 7C41EC70D1855E8FDB68EF94C8616ADB7B1FF58300F1085FAD01EA7296CA346A81CF60

Function 00007FFD9B9D386B Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411443025.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931775943d89b87e78f89015f65f48c35c7ee7c26e80e0baa7db3696bc3d46dc
Instruction ID: 99ba31bd8d62dec2a52e5d29421b3c3bc81b9ae11284590360014c077c7c8729
Opcode Fuzzy Hash: 931775943d89b87e78f89015f65f48c35c7ee7c26e80e0baa7db3696bc3d46dc
Instruction Fuzzy Hash: 63410D70E1911E8FEB68EF64C865AA9B7B1FF48300F0045FAD01EA7291CE746A81CF50

Function 00007FFD9B9D2EB2 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411443025.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 092ed74a7bced5d629a9e54c228472088d606600942d920defc923ae745ae143
Instruction ID: ea59da6d77a595f998ae036c442da06d059eab663317e49ac36391145925f845
Opcode Fuzzy Hash: 092ed74a7bced5d629a9e54c228472088d606600942d920defc923ae745ae143
Instruction Fuzzy Hash: FA410B70E1951D9FDB68EFA8C8656B9B7B1FF58300F1045EBD01EA3291DA346A81CF50

Function 00007FFD9BBB02EE Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2413906645.00007FFD9BBB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbb0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 394009c4f1b06dd51333cf4da12e08d2e17bb9c5c66425ff06a0ea7fce78ac4d
Instruction ID: 84814671a5bd683ea7f4f9bb52b9c376e89849ce6c46e998176ab18e3a6082be
Opcode Fuzzy Hash: 394009c4f1b06dd51333cf4da12e08d2e17bb9c5c66425ff06a0ea7fce78ac4d
Instruction Fuzzy Hash: 7B41BE70E4951D8FEB69EF64C865AE9B7B2BF58300F0141E9D01EA7291DE346A81CF44

Function 00007FFD9B9D3208 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411443025.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9d0000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 440861cfbe56d6abc0709905ae764fa93d66c1ff07037ec5a01298918bfc17f9
Instruction ID: b99b973d98f524cb42c54cf29fb4bc6ff96f1c702758e08b975ee437780973d2
Opcode Fuzzy Hash: 440861cfbe56d6abc0709905ae764fa93d66c1ff07037ec5a01298918bfc17f9
Instruction Fuzzy Hash: 6331BB70E0851E8FEB68EB54C865AE9B7B1FF58300F0145FAD51EA7295CE746A80CF60

Non-executed Functions

Function 00007FFD9B88B59D Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409647609.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 322a07ed1330b764d95f82cdac911529d5d3895b6ba2c713f63e9dd5daf8832d
Instruction ID: de96e2f463d2665d53be250f7d53166b8f8a709a17e3c956f9d81c046de0408f
Opcode Fuzzy Hash: 322a07ed1330b764d95f82cdac911529d5d3895b6ba2c713f63e9dd5daf8832d
Instruction Fuzzy Hash: 6C224C70A19A8D8FDBB8EF28C865BE937E1FF59301F00416AD85EC72A1DB756640CB41

Function 00007FFD9B886F1E Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409647609.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Aclatis tool.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33313def66772aabb6685d3fe3bf5f441e16e11bd1ba6f9be890988eb1b91f3a
Instruction ID: 647a001b0f254089985c864a37261c2fba8c6e76d17be82f6a6b22ac60a2b642
Opcode Fuzzy Hash: 33313def66772aabb6685d3fe3bf5f441e16e11bd1ba6f9be890988eb1b91f3a
Instruction Fuzzy Hash: 9D81097490CA8D8FDBA8DF68C855BE97BE0FF19310F00416AE85DC7291DB74A585CB81

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Aclatis tool.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Aclatis tool.exe_5577159b2c521b9a52d4f5af22dbf0c878524aea_d7fe8305_a59ff790-2bff-4d5a-bd48-1bcc99adcb10\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER661D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B5E.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B8E.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
Aclatis tool.exe

Function 00007FFD9B89D415 Relevance: 2.0, APIs: 1, Instructions: 513
COMMON

Function 00007FFD9B89D430 Relevance: 2.0, APIs: 1, Instructions: 478
COMMON

Function 00007FFD9B89D4D3 Relevance: 2.0, APIs: 1, Instructions: 457
COMMON

Function 00007FFD9B89B461 Relevance: 1.9, Instructions: 1921
COMMON

Function 00007FFD9B88F38D Relevance: 1.7, APIs: 1, Instructions: 182
nativeCOMMON

Function 00007FFD9B88BD1A Relevance: .7, Instructions: 711
COMMON

Function 00007FFD9B882C35 Relevance: 1.7, APIs: 1, Instructions: 212
memoryCOMMON

Function 00007FFD9B891358 Relevance: 1.7, APIs: 1, Instructions: 174
memoryCOMMON

Function 00007FFD9B882895 Relevance: 1.7, APIs: 1, Instructions: 160
COMMON

Function 00007FFD9B886B21 Relevance: 1.7, APIs: 1, Instructions: 158
COMMON

Function 00007FFD9B8961A1 Relevance: 1.4, APIs: 1, Instructions: 138
COMMON