
Analysis Report inmyB8Hxr9.exe

Overview

General Information

Sample Name: inmyB8Hxr9.exe
Analysis ID: 358290
MD5: 92353a80e0debe2e697f96a6e6bf8623
SHA1: c32c9b86699e7bd40b613b86136ce3101dbc1cfa
SHA256: 2617f602bd4c11985c40f6987daa563241cc8deb402fb895952c8a73102caad5
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
.NET source code contains very large strings
Binary contains a suspicious time stamp
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • inmyB8Hxr9.exe (PID: 6176 cmdline: 'C:\Users\user\Desktop\inmyB8Hxr9.exe' MD5: 92353A80E0DEBE2E697F96A6E6BF8623)
    • inmyB8Hxr9.exe (PID: 6456 cmdline: C:\Users\user\Desktop\inmyB8Hxr9.exe MD5: 92353A80E0DEBE2E697F96A6E6BF8623)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "FTP Info": "armyscheme@yandex.combrowse9jasmtp.yandex.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.258344568.0000000003E91000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.257896287.0000000002E91000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000005.00000002.488867520.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.493510413.0000000003321000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: inmyB8Hxr9.exe PID: 6176 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
5.2.inmyB8Hxr9.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.inmyB8Hxr9.exe.2ed2ce4.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
0.2.inmyB8Hxr9.exe.4150c30.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.inmyB8Hxr9.exe.4150c30.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.inmyB8Hxr9.exe.3ff6960.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.inmyB8Hxr9.exe.3ff6960.4.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "FTP Info": "armyscheme@yandex.combrowse9jasmtp.yandex.com"}
Source: 5.2.inmyB8Hxr9.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: inmyB8Hxr9.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: inmyB8Hxr9.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: global traffic | TCP traffic: 192.168.2.7:49755 -> 77.88.21.158:587
Source: Joe Sandbox View | IP Address: 77.88.21.158 77.88.21.158
Source: global traffic | TCP traffic: 192.168.2.7:49755 -> 77.88.21.158:587
Source: unknown | DNS traffic detected: queries for: smtp.yandex.com
Source: inmyB8Hxr9.exe, 00000005.00000002.493510413.0000000003321000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: inmyB8Hxr9.exe, 00000005.00000002.493510413.0000000003321000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: inmyB8Hxr9.exe, 00000005.00000002.492268429.0000000001693000.00000004.00000020.sdmp | String found in binary or memory: http://crl.certum.pl/ca.crl0h
Source: inmyB8Hxr9.exe, 00000005.00000002.499445380.0000000006F36000.00000004.00000001.sdmp | String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: inmyB8Hxr9.exe, 00000005.00000002.492268429.0000000001693000.00000004.00000020.sdmp | String found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
Source: inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp, inmyB8Hxr9.exe, 00000000.00000003.228876956.00000000061CD000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: inmyB8Hxr9.exe, 00000005.00000002.492268429.0000000001693000.00000004.00000020.sdmp | String found in binary or memory: http://repository.certum.pl/ca.cer09
Source: inmyB8Hxr9.exe, 00000005.00000002.499445380.0000000006F36000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: inmyB8Hxr9.exe, 00000005.00000002.492268429.0000000001693000.00000004.00000020.sdmp | String found in binary or memory: http://repository.certum.pl/ycasha2.cer0
Source: inmyB8Hxr9.exe, 00000000.00000002.257896287.0000000002E91000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: inmyB8Hxr9.exe, 00000005.00000002.495653968.00000000035D6000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.yandex.com
Source: inmyB8Hxr9.exe, 00000005.00000002.499410701.0000000006F10000.00000004.00000001.sdmp | String found in binary or memory: http://subca.ocsp
Source: inmyB8Hxr9.exe, 00000005.00000002.492268429.0000000001693000.00000004.00000020.sdmp | String found in binary or memory: http://subca.ocsp-certum.com0.
Source: inmyB8Hxr9.exe, 00000005.00000002.499445380.0000000006F36000.00000004.00000001.sdmp | String found in binary or memory: http://subca.ocsp-certum.com01
Source: inmyB8Hxr9.exe, 00000005.00000002.493510413.0000000003321000.00000004.00000001.sdmp | String found in binary or memory: http://tTAnFc.com
Source: inmyB8Hxr9.exe | String found in binary or memory: http://tempuri.org/NorthWindAzureForInsertsDataSet.xsd
Source: inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: inmyB8Hxr9.exe, 00000005.00000002.499445380.0000000006F36000.00000004.00000001.sdmp | String found in binary or memory: http://www.certum.pl/CPS0
Source: inmyB8Hxr9.exe, 00000000.00000002.263525691.0000000006190000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp, inmyB8Hxr9.exe, 00000000.00000003.239051427.0000000006196000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: inmyB8Hxr9.exe, 00000000.00000003.236276224.00000000061AF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/#
Source: inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: inmyB8Hxr9.exe, 00000000.00000003.237383973.00000000061A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlH
Source: inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: inmyB8Hxr9.exe, 00000000.00000003.239051427.0000000006196000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: inmyB8Hxr9.exe, 00000000.00000003.239051427.0000000006196000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comals
Source: inmyB8Hxr9.exe, 00000000.00000003.239051427.0000000006196000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comitu
Source: inmyB8Hxr9.exe, 00000000.00000003.239051427.0000000006196000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp, inmyB8Hxr9.exe, 00000000.00000003.228342810.00000000061CD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: inmyB8Hxr9.exe, 00000000.00000003.228450601.00000000061CD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com$T
Source: inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: inmyB8Hxr9.exe, 00000000.00000003.230314823.0000000006193000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn3
Source: inmyB8Hxr9.exe, 00000000.00000003.231091128.00000000061A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnYaHf
Source: inmyB8Hxr9.exe, 00000000.00000003.230938048.00000000061A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cna
Source: inmyB8Hxr9.exe, 00000000.00000003.230580473.0000000006193000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnft
Source: inmyB8Hxr9.exe, 00000000.00000003.230580473.0000000006193000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnn-u
Source: inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: inmyB8Hxr9.exe, 00000000.00000003.233894474.0000000006196000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: inmyB8Hxr9.exe, 00000000.00000003.233581560.0000000006196000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/8
Source: inmyB8Hxr9.exe, 00000000.00000003.233383073.0000000006196000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/9
Source: inmyB8Hxr9.exe, 00000000.00000003.233698671.0000000006196000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/B
Source: inmyB8Hxr9.exe, 00000000.00000003.233698671.0000000006196000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/T
Source: inmyB8Hxr9.exe, 00000000.00000003.233698671.0000000006196000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/icro
Source: inmyB8Hxr9.exe, 00000000.00000003.233698671.0000000006196000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: inmyB8Hxr9.exe, 00000000.00000003.233698671.0000000006196000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/p
Source: inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp, inmyB8Hxr9.exe, 00000000.00000003.228044355.000000000123D000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: inmyB8Hxr9.exe, 00000000.00000003.228044355.000000000123D000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com#
Source: inmyB8Hxr9.exe, 00000000.00000003.228044355.000000000123D000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comR
Source: inmyB8Hxr9.exe, 00000000.00000003.228044355.000000000123D000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comnog
Source: inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: inmyB8Hxr9.exe, 00000000.00000003.233032175.00000000061AB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comL
Source: inmyB8Hxr9.exe, 00000000.00000003.233076818.00000000061AB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comlic
Source: inmyB8Hxr9.exe, 00000000.00000003.233076818.00000000061AB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com~
Source: inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: inmyB8Hxr9.exe, 00000000.00000003.235925261.00000000061AF000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: inmyB8Hxr9.exe, 00000000.00000003.235925261.00000000061AF000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deE
Source: inmyB8Hxr9.exe, 00000000.00000003.235852868.00000000061AF000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deoi
Source: inmyB8Hxr9.exe, 00000000.00000003.235925261.00000000061AF000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deras
Source: inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: inmyB8Hxr9.exe, 00000005.00000002.492268429.0000000001693000.00000004.00000020.sdmp | String found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
Source: inmyB8Hxr9.exe, 00000005.00000002.492268429.0000000001693000.00000004.00000020.sdmp | String found in binary or memory: http://yandex.ocsp-responder.com03
Source: inmyB8Hxr9.exe, 00000005.00000002.493510413.0000000003321000.00000004.00000001.sdmp, inmyB8Hxr9.exe, 00000005.00000002.495917462.00000000035F9000.00000004.00000001.sdmp | String found in binary or memory: https://MT1MZ9ctOV.com
Source: inmyB8Hxr9.exe, 00000005.00000002.493510413.0000000003321000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: inmyB8Hxr9.exe, 00000005.00000002.493510413.0000000003321000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%or
Source: inmyB8Hxr9.exe, 00000000.00000002.257896287.0000000002E91000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: inmyB8Hxr9.exe, 00000005.00000002.492268429.0000000001693000.00000004.00000020.sdmp | String found in binary or memory: https://www.certum.pl/CPS0
Source: inmyB8Hxr9.exe, 00000000.00000002.258344568.0000000003E91000.00000004.00000001.sdmp, inmyB8Hxr9.exe, 00000005.00000002.488867520.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: inmyB8Hxr9.exe, 00000005.00000002.493510413.0000000003321000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: inmyB8Hxr9.exe, 00000000.00000002.257331202.0000000001249000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations
Source: 5.2.inmyB8Hxr9.exe.400000.0.unpack, <PrivateImplementationDetails>{0074D7FF-215B-4388-8C5A-1FA513F02A5A}/94C5619A-1085-41FD-BD59-0EA151ED0C55.cs | Large array initialization: .cctor: array initializer size 11950
.NET source code contains very large strings
Source: inmyB8Hxr9.exe, Form1.cs | Long String: Length: 13656
Source: 0.2.inmyB8Hxr9.exe.a70000.0.unpack, Form1.cs | Long String: Length: 13656
Source: 0.0.inmyB8Hxr9.exe.a70000.0.unpack, Form1.cs | Long String: Length: 13656
Source: 5.2.inmyB8Hxr9.exe.f10000.1.unpack, Form1.cs | Long String: Length: 13656
Source: 5.0.inmyB8Hxr9.exe.f10000.0.unpack, Form1.cs | Long String: Length: 13656
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Code function: 0_2_02CCC3A0
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Code function: 0_2_02CCA758
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Code function: 5_2_01610160
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Code function: 5_2_01611818
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Code function: 5_2_0161B320
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Code function: 5_2_01615E48
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Code function: 5_2_0161A9B0
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Code function: 5_2_01616B41
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Code function: 5_2_01616C40
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Code function: 5_2_031946A0
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Code function: 5_2_031935C4
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Code function: 5_2_0319DA10
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Code function: 5_2_03194630
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Code function: 5_2_03194650
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Code function: 5_2_031945B0
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Code function: 5_2_031945F0
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Code function: 5_2_03195390
Source: inmyB8Hxr9.exe, 00000000.00000002.258007060.0000000002EE6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAsyncState.dllF vs inmyB8Hxr9.exe
Source: inmyB8Hxr9.exe, 00000000.00000002.258344568.0000000003E91000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs inmyB8Hxr9.exe
Source: inmyB8Hxr9.exe, 00000000.00000002.258344568.0000000003E91000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameVUjAHBxYPFxCVjXHCpyuGgBIgZxcGuTQWnqk.exe4 vs inmyB8Hxr9.exe
Source: inmyB8Hxr9.exe, 00000000.00000002.265788985.00000000078C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs inmyB8Hxr9.exe
Source: inmyB8Hxr9.exe, 00000000.00000002.256763798.0000000000AE6000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRemotingException.exe< vs inmyB8Hxr9.exe
Source: inmyB8Hxr9.exe, 00000000.00000002.257331202.0000000001249000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs inmyB8Hxr9.exe
Source: inmyB8Hxr9.exe, 00000005.00000002.489638985.0000000000F86000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRemotingException.exe< vs inmyB8Hxr9.exe
Source: inmyB8Hxr9.exe, 00000005.00000002.492131904.000000000166A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs inmyB8Hxr9.exe
Source: inmyB8Hxr9.exe, 00000005.00000002.489725115.0000000001338000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs inmyB8Hxr9.exe
Source: inmyB8Hxr9.exe, 00000005.00000002.491090231.0000000001580000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs inmyB8Hxr9.exe
Source: inmyB8Hxr9.exe, 00000005.00000002.488867520.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameVUjAHBxYPFxCVjXHCpyuGgBIgZxcGuTQWnqk.exe4 vs inmyB8Hxr9.exe
Source: inmyB8Hxr9.exe | Binary or memory string: OriginalFilenameRemotingException.exe< vs inmyB8Hxr9.exe
Source: inmyB8Hxr9.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: inmyB8Hxr9.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5.2.inmyB8Hxr9.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.inmyB8Hxr9.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: inmyB8Hxr9.exe, Form1.cs | Base64 encoded string: same string as in the 0.0.inmyB8Hxr9.exe.a70000.0.unpack, Form1.cs entry below
Source: 0.2.inmyB8Hxr9.exe.a70000.0.unpack, Form1.cs | Base64 encoded string: same string as in the 0.0.inmyB8Hxr9.exe.a70000.0.unpack, Form1.cs entry below
                      Source: 0.0.inmyB8Hxr9.exe.a70000.0.unpack, Form1.csBase64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOO
LbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 5.2.inmyB8Hxr9.exe.f10000.1.unpack, Form1.cs | Base64 encoded string: same string as in the 0.0.inmyB8Hxr9.exe.a70000.0.unpack, Form1.cs entry above
Source: 5.0.inmyB8Hxr9.exe.f10000.0.unpack, Form1.cs | Base64 encoded string: same string as in the 0.0.inmyB8Hxr9.exe.a70000.0.unpack, Form1.cs entry above
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/1
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\inmyB8Hxr9.exe.log
Source: inmyB8Hxr9.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: inmyB8Hxr9.exe, 00000000.00000002.257896287.0000000002E91000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: inmyB8Hxr9.exe, 00000000.00000002.257896287.0000000002E91000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: unknown | Process created: C:\Users\user\Desktop\inmyB8Hxr9.exe 'C:\Users\user\Desktop\inmyB8Hxr9.exe'
Source: unknown | Process created: C:\Users\user\Desktop\inmyB8Hxr9.exe C:\Users\user\Desktop\inmyB8Hxr9.exe
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Process created: C:\Users\user\Desktop\inmyB8Hxr9.exe C:\Users\user\Desktop\inmyB8Hxr9.exe
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: inmyB8Hxr9.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: inmyB8Hxr9.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: inmyB8Hxr9.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Binary contains a suspicious time stamp
Source: initial sample | Static PE information: 0x936FA27A [Wed May 20 05:54:02 2048 UTC] (a compile timestamp decades in the future is a classic tampering indicator, but for .NET assemblies it is weak on its own: Roslyn's deterministic build mode stores a content hash in this field instead of a date, so weigh it together with the entropy and packing indicators below)
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Code function: 0_2_00A77F72 push 00000000h; iretd 0_2_00A77FBC
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Code function: 5_2_00F17F72 push 00000000h; iretd 5_2_00F17FBC
Source: initial sample | Static PE information: section name: .text entropy: 7.65934034445 (close to the 8.0 maximum; a code section this dense is typical of an encrypted or compressed embedded payload rather than of compiled code)
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Process information set: NOOPENFILEERRORBOX (100 occurrences)
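The two static indicators in this section (a timestamp that decodes to 2048 and a .text entropy of 7.66) are cheap to reproduce outside the sandbox. The following is an added example, not code from this report or from Joe Sandbox: a minimal PE header parser that decodes IMAGE_FILE_HEADER.TimeDateStamp, flags implausible dates, and computes per-section Shannon entropy. It builds its own tiny image instead of reading the sample, and the reference date ANALYSIS_DATE is an assumption.

```python
"""Static PE triage for the two "Data Obfuscation" indicators above: an
implausible COFF timestamp and a high-entropy code section. The parser is a
minimal one written for this example; pefile would serve equally well."""
import math
import struct
from datetime import datetime, timezone

PE_SIGNATURE = b"PE\0\0"
SAMPLE_TIMESTAMP = 0x936FA27A                      # value reported for the sample
ANALYSIS_DATE = datetime(2021, 2, 22, tzinfo=timezone.utc)   # assumed, not from the report


def decode_pe_timestamp(ts: int) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_is_implausible(ts: int, now: datetime) -> bool:
    """Zero, older than the .NET 4 era, or in the future. Caveat: Roslyn's
    deterministic builds write a content hash here, so on its own this is a
    weak signal; require other indicators to agree."""
    if ts == 0:
        return True
    when = decode_pe_timestamp(ts)
    return when.year < 2010 or when > now


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0 .. 8.0; packed or encrypted data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes):
    """Return (timestamp, {section name: raw bytes}) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _machine, nsec, ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size                   # section table follows the optional header
    sections = {}
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections[name.rstrip(b"\0").decode("ascii")] = data[raw_ptr:raw_ptr + raw_size]
    return ts, sections


def triage(data: bytes, now: datetime, entropy_threshold: float = 7.0) -> list:
    """Human-readable findings; an empty list means nothing stood out."""
    ts, sections = parse_pe(data)
    findings = []
    if timestamp_is_implausible(ts, now):
        findings.append(f"timestamp 0x{ts:08X} decodes to {decode_pe_timestamp(ts):%Y-%m-%d %H:%M:%S} UTC")
    for name, raw in sections.items():
        ent = shannon_entropy(raw)
        if ent >= entropy_threshold:
            findings.append(f"section {name} entropy {ent:.2f} (>= {entropy_threshold})")
    return findings


def build_sample_pe(ts: int, text: bytes) -> bytes:
    """Constructed minimal image with a single .text section (not the analysed sample)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0, 0x0102)   # i386, 1 section, no optional header
    raw_ptr = e_lfanew + 4 + 20 + 40               # DOS stub, PE sig, COFF header, one section header
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), raw_ptr,
                       0, 0, 0, 0, 0x60000020)     # CODE | EXECUTE | READ
    return dos + PE_SIGNATURE + coff + sect + text


if __name__ == "__main__":
    import random
    rnd = random.Random(1)
    packed = build_sample_pe(SAMPLE_TIMESTAMP, bytes(rnd.getrandbits(8) for _ in range(4096)))
    for line in triage(packed, ANALYSIS_DATE):
        print(line)
```

Run as a script it prints both findings for a constructed image carrying the sample's timestamp and a random (high-entropy) code section; swap in the real file's bytes to check the report's two numbers directly.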

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000000.00000002.257896287.0000000002E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: inmyB8Hxr9.exe PID: 6176, type: MEMORY
Source: Yara match | File source: 0.2.inmyB8Hxr9.exe.2ed2ce4.1.raw.unpack, type: UNPACKEDPE
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: inmyB8Hxr9.exe, 00000000.00000002.257896287.0000000002E91000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL (the DLL Sandboxie injects into sandboxed processes)
Source: inmyB8Hxr9.exe, 00000000.00000002.257896287.0000000002E91000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME (an export that exists only in Wine's kernel32)
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Thread delayed: delay time: 922337203685477 (2 occurrences; this value is TimeSpan.MaxValue expressed in milliseconds, i.e. a .NET infinite wait rather than a chosen sleep interval)
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Window / User API: threadDelayed 6192
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Window / User API: threadDelayed 3568
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe TID: 6180 | Thread sleep time: -104202s >= -30000s
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe TID: 6204 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe TID: 6808 | Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe TID: 6812 | Thread sleep count: 6192 > 30
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe TID: 6812 | Thread sleep count: 3568 > 30
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 occurrences)
Source: inmyB8Hxr9.exe, 00000000.00000002.257896287.0000000002E91000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: inmyB8Hxr9.exe, 00000000.00000002.257896287.0000000002E91000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: inmyB8Hxr9.exe, 00000000.00000002.257896287.0000000002E91000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: inmyB8Hxr9.exe, 00000005.00000002.492517121.0000000001744000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll (the name of the Hyper-V socket provider in the Winsock catalog, present on any current Windows build; not by itself evidence of VM detection)
Source: inmyB8Hxr9.exe, 00000000.00000002.257896287.0000000002E91000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Memory written: C:\Users\user\Desktop\inmyB8Hxr9.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Process created: C:\Users\user\Desktop\inmyB8Hxr9.exe C:\Users\user\Desktop\inmyB8Hxr9.exe
(The target is a second copy of the sample's own image started suspended by the parent; writing a buffer that begins with the MZ header at the child's 0x400000 image base is the process-hollowing (RunPE) pattern, in which the decrypted stealer payload replaces the suspended child's original image before its main thread is resumed. The child is the process numbered 5 in the memory-dump identifiers above.)
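The evasion findings in the previous section and the injection findings here reduce to a few event patterns: WMI queries against hypervisor-revealing classes, anti-analysis strings in memory, long sleeps, and a suspended child of the same image receiving an MZ header at its base. The block below is an added example, not code from this report or from Joe Sandbox: Python triage over constructed sandbox-style events modelled on the lines above. The event format, its field names and the SAMPLE_EVENTS list are assumptions made for the example. It also treats 922337203685477 ms (TimeSpan.MaxValue in milliseconds) as an infinite wait rather than as an evasive sleep, so the only sleep it reports is the genuine 104202 s one.

```python
"""Triage of sandbox-style behaviour events for the indicators listed in the
evasion and injection sections: VM-revealing WMI classes, sandbox/VM artefact
strings, evasive sleeps, and the self-hollowing sequence (a suspended child of
the same image, then an MZ header written at that image's base)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# WMI classes whose properties expose hypervisor fingerprints (vendor strings,
# MAC OUIs, core counts). Querying them is not malicious on its own.
VM_WMI_CLASSES = {
    "Win32_Processor", "Win32_BaseBoard", "Win32_Bios",
    "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration",
}
# Module, export and vendor names probed by anti-analysis code (matched case-insensitively).
SANDBOX_MARKERS = ("SBIEDLL.DLL", "WINE_GET_UNIX_FILE_NAME", "VMWARE", "VBOX")
# .NET TimeSpan.MaxValue in milliseconds: an infinite wait, not a chosen delay,
# so it must not be counted as an evasive sleep.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000            # 922337203685477


@dataclass
class Event:
    pid: int
    kind: str      # wmi_query | string | thread_delay | process_create | memory_write
    detail: str


def vm_wmi_classes(events: List[Event]) -> Set[str]:
    """VM-revealing WMI classes referenced by any query event."""
    hits: Set[str] = set()
    for e in events:
        if e.kind != "wmi_query":
            continue
        for cls in VM_WMI_CLASSES:
            if re.search(rf"\b{cls}\b", e.detail, re.IGNORECASE):
                hits.add(cls)
    return hits


def sandbox_strings(events: List[Event]) -> List[str]:
    """Anti-analysis markers found in memory-string events."""
    return sorted({m for e in events if e.kind == "string"
                   for m in SANDBOX_MARKERS if m in e.detail.upper()})


def classify_delay(ms: int) -> str:
    """Separate a real evasive sleep from .NET's infinite-wait sentinel."""
    if ms >= TIMESPAN_MAX_MS:
        return "infinite-wait"
    return "long-sleep" if ms >= 30_000 else "normal"


def evasive_sleeps(events: List[Event]) -> List[int]:
    """Delays (ms) long enough to outlast a typical sandbox run."""
    return [int(e.detail) for e in events
            if e.kind == "thread_delay" and classify_delay(int(e.detail)) == "long-sleep"]


def hollowing_candidates(events: List[Event]) -> List[Tuple[int, str, int]]:
    """(parent pid, target image, base) for each RunPE-style sequence: the parent
    creates an image suspended and later writes a buffer starting with 'MZ'
    (4D5A) into that image's address space."""
    create = re.compile(r"image=(?P<img>.+?) flags=(?P<flags>\S+)$")
    write = re.compile(r"target=(?P<img>.+?) base=(?P<base>[0-9A-Fa-f]+) bytes=(?P<b>[0-9A-Fa-f]+)$")
    suspended: Dict[int, str] = {}
    found: List[Tuple[int, str, int]] = []
    for e in events:
        if e.kind == "process_create":
            m = create.match(e.detail)
            if m and "CREATE_SUSPENDED" in m["flags"]:
                suspended[e.pid] = m["img"].lower()
        elif e.kind == "memory_write":
            m = write.match(e.detail)
            if (m and suspended.get(e.pid) == m["img"].lower()
                    and m["b"].upper().startswith("4D5A")):
                found.append((e.pid, m["img"], int(m["base"], 16)))
    return found


def triage(events: List[Event]) -> Dict[str, object]:
    return {
        "vm_wmi": vm_wmi_classes(events),
        "sandbox_strings": sandbox_strings(events),
        "evasive_sleeps_ms": evasive_sleeps(events),
        "hollowing": hollowing_candidates(events),
    }


# Constructed events modelled on the report's lines; not the sandbox's own log format.
SAMPLE_EVENTS = [
    Event(6176, "wmi_query", r"root\cimv2 : SELECT * FROM Win32_Processor"),
    Event(6176, "wmi_query", r"root\cimv2 : Win32_BaseBoard"),
    Event(6176, "wmi_query", r"root\cimv2 : Win32_NetworkAdapterConfiguration"),
    Event(6176, "string", "SBIEDLL.DLL"),
    Event(6176, "string", "KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME"),
    Event(6176, "string", "InstallPathJC:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\"),
    Event(6176, "thread_delay", "922337203685477"),
    Event(6176, "thread_delay", "104202000"),
    Event(6176, "process_create", r"image=C:\Users\user\Desktop\inmyB8Hxr9.exe flags=CREATE_SUSPENDED"),
    Event(6176, "memory_write", r"target=C:\Users\user\Desktop\inmyB8Hxr9.exe base=400000 bytes=4D5A9000"),
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The hollowing check keys on the parent pid so that a write into a process the parent did not itself start suspended is ignored; a stricter version would also require the write to land at the target's actual ImageBase rather than any address.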
Source: inmyB8Hxr9.exe, 00000005.00000002.492904560.0000000001C20000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager
Source: inmyB8Hxr9.exe, 00000005.00000002.492904560.0000000001C20000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: inmyB8Hxr9.exe, 00000005.00000002.492904560.0000000001C20000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: inmyB8Hxr9.exe, 00000005.00000002.492904560.0000000001C20000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
(Program Manager, Progman and Shell_TrayWnd are the window names and classes of the desktop shell and taskbar, commonly resolved with FindWindow to confirm an interactive desktop.)
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Users\user\Desktop\inmyB8Hxr9.exe VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 occurrences)
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information on the following files under C:\Windows\Fonts\ (one VolumeInformation query each; enumerating every installed font like this is what System.Drawing does when a form or InstalledFontCollection is initialised, so these entries reflect the decoy GUI rather than stealer logic): arial.ttf, ariali.ttf, arialbd.ttf, arialbi.ttf, ARIALN.TTF, ariblk.ttf, ARIALNI.TTF, ARIALNB.TTF, ARIALNBI.TTF, bahnschrift.ttf, calibri.ttf, calibril.ttf, calibrii.ttf, calibrili.ttf, calibrib.ttf, calibriz.ttf, cambria.ttc, cambriai.ttf, cambriab.ttf, cambriaz.ttf, Candara.ttf, Candarai.ttf, Candarab.ttf, Candaraz.ttf, comic.ttf, comici.ttf, comicbd.ttf, comicz.ttf, consola.ttf, consolai.ttf, consolab.ttf, consolaz.ttf, constan.ttf, constani.ttf, constanb.ttf, constanz.ttf, corbel.ttf, corbeli.ttf, corbelb.ttf, corbelz.ttf, cour.ttf, couri.ttf, courbd.ttf, courbi.ttf, ebrima.ttf, ebrimabd.ttf, framd.ttf, FRADM.TTF, framdit.ttf, FRADMIT.TTF, FRAMDCN.TTF, FRADMCN.TTF, FRAHV.TTF, FRAHVIT.TTF, Gabriola.ttf, gadugi.ttf, gadugib.ttf, georgia.ttf, georgiai.ttf, georgiab.ttf, georgiaz.ttf, impact.ttf, Inkfree.ttf, javatext.ttf, LeelawUI.ttf, LeelUIsl.ttf, LeelaUIb.ttf, lucon.ttf, l_10646.ttf, malgun.ttf, malgunsl.ttf, malgunbd.ttf, himalaya.ttf, msjh.ttc
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\inmyB8Hxr9.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Users\user\Desktop\inmyB8Hxr9.exe | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.258344568.0000000003E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.488867520.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: inmyB8Hxr9.exe PID: 6176, type: MEMORY
Source: Yara match | File source: Process Memory Space: inmyB8Hxr9.exe PID: 6456, type: MEMORY
Source: Yara match | File source: 5.2.inmyB8Hxr9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.inmyB8Hxr9.exe.4150c30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.inmyB8Hxr9.exe.4150c30.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.inmyB8Hxr9.exe.3ff6960.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.inmyB8Hxr9.exe.4052780.5.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies

Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\inmyB8Hxr9.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 00000005.00000002.493510413.0000000003321000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: inmyB8Hxr9.exe PID: 6456, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.258344568.0000000003E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.488867520.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: inmyB8Hxr9.exe PID: 6176, type: MEMORY
Source: Yara match | File source: Process Memory Space: inmyB8Hxr9.exe PID: 6456, type: MEMORY
Source: Yara match | File source: 5.2.inmyB8Hxr9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.inmyB8Hxr9.exe.4150c30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.inmyB8Hxr9.exe.4150c30.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.inmyB8Hxr9.exe.3ff6960.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.inmyB8Hxr9.exe.4052780.5.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation211 | Path Interception | Process Injection112 | Masquerading1 | OS Credential Dumping2 | Query Registry1 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion13 | Input Capture1 | Security Software Discovery211 | Remote Desktop Protocol | Input Capture1 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Credentials in Registry1 | Virtualization/Sandbox Evasion13 | SMB/Windows Admin Shares | Archive Collected Data11 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Process Discovery2 | Distributed Component Object Model | Data from Local System2 | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information21 | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing3 | DCSync | System Information Discovery114 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Timestomp1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
5.2.inmyB8Hxr9.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://api.ipify.org%or | 0% | Avira URL Cloud | safe
http://subca.ocsp | 0% | Avira URL Cloud | safe
http://www.urwpp.deras | 0% | Avira URL Cloud | safe
https://MT1MZ9ctOV.com | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.tiro.comL | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://subca.ocsp-certum.com0. | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/9 | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/8 | 0% | URL Reputation | safe
http://www.sajatypeworks.comR | 0% | Avira URL Cloud | safe
http://www.urwpp.deoi | 0% | Avira URL Cloud | safe
http://subca.ocsp-certum.com01 | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.fonts.com$T | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cna | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://www.founder.com.cn/cnn-u | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://www.sajatypeworks.comnog | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/icro | 0% | Avira URL Cloud | safe
http://tempuri.org/NorthWindAzureForInsertsDataSet.xsd | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://tTAnFc.com | 0% | Avira URL Cloud | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/T | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/p | 0% | Avira URL Cloud | safe
http://www.tiro.comlic | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/B | 0% | Avira URL Cloud | safe
http://www.tiro.com~ | 0% | Avira URL Cloud | safe
http://www.urwpp.deE | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
smtp.yandex.ru | 77.88.21.158 | true | false | | high
smtp.yandex.com | unknown | unknown | false | | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | inmyB8Hxr9.exe, 00000005.00000002.493510413.0000000003321000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org%or | inmyB8Hxr9.exe, 00000005.00000002.493510413.0000000003321000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://subca.ocsp | inmyB8Hxr9.exe, 00000005.00000002.499410701.0000000006F10000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | false | | high
http://yandex.crl.certum.pl/ycasha2.crl0q | inmyB8Hxr9.exe, 00000005.00000002.492268429.0000000001693000.00000004.00000020.sdmp | false | | high
http://www.urwpp.deras | inmyB8Hxr9.exe, 00000000.00000003.235925261.00000000061AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://MT1MZ9ctOV.com | inmyB8Hxr9.exe, 00000005.00000002.493510413.0000000003321000.00000004.00000001.sdmp, inmyB8Hxr9.exe, 00000005.00000002.495917462.00000000035F9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.comL | inmyB8Hxr9.exe, 00000000.00000003.233032175.00000000061AB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp, inmyB8Hxr9.exe, 00000000.00000003.239051427.0000000006196000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | inmyB8Hxr9.exe, 00000000.00000002.257896287.0000000002E91000.00000004.00000001.sdmp | false | | high
http://www.sajatypeworks.com | inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp, inmyB8Hxr9.exe, 00000000.00000003.228044355.000000000123D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://subca.ocsp-certum.com0. | inmyB8Hxr9.exe, 00000005.00000002.492268429.0000000001693000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/9 | inmyB8Hxr9.exe, 00000000.00000003.233383073.0000000006196000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://repository.certum.pl/ca.cer09 | inmyB8Hxr9.exe, 00000005.00000002.492268429.0000000001693000.00000004.00000020.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp, inmyB8Hxr9.exe, 00000000.00000003.228876956.00000000061CD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.htmlH | inmyB8Hxr9.exe, 00000000.00000003.237383973.00000000061A2000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/8 | inmyB8Hxr9.exe, 00000000.00000003.233581560.0000000006196000.00000004.00000001.sdmp | false
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.sajatypeworks.comRinmyB8Hxr9.exe, 00000000.00000003.228044355.000000000123D000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.urwpp.deoiinmyB8Hxr9.exe, 00000000.00000003.235852868.00000000061AF000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://subca.ocsp-certum.com01inmyB8Hxr9.exe, 00000005.00000002.499445380.0000000006F36000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.galapagosdesign.com/DPleaseinmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fonts.com$TinmyB8Hxr9.exe, 00000000.00000003.228450601.00000000061CD000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          low
                                          http://www.founder.com.cn/cnainmyB8Hxr9.exe, 00000000.00000003.230938048.00000000061A1000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://api.ipify.org%GETMozilla/5.0inmyB8Hxr9.exe, 00000005.00000002.493510413.0000000003321000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          low
                                          http://www.founder.com.cn/cnn-uinmyB8Hxr9.exe, 00000000.00000003.230580473.0000000006193000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.fonts.cominmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmp, inmyB8Hxr9.exe, 00000000.00000003.228342810.00000000061CD000.00000004.00000001.sdmpfalse
                                            high
                                            http://www.sandoll.co.krinmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.urwpp.deDPleaseinmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.urwpp.deinmyB8Hxr9.exe, 00000000.00000003.235925261.00000000061AF000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.zhongyicts.com.cninmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameinmyB8Hxr9.exe, 00000000.00000002.257896287.0000000002E91000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.fontbureau.com/designers/#inmyB8Hxr9.exe, 00000000.00000003.236276224.00000000061AF000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.sakkal.cominmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipinmyB8Hxr9.exe, 00000000.00000002.258344568.0000000003E91000.00000004.00000001.sdmp, inmyB8Hxr9.exe, 00000005.00000002.488867520.0000000000402000.00000040.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.certum.pl/CPS0inmyB8Hxr9.exe, 00000005.00000002.499445380.0000000006F36000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://www.sajatypeworks.comnoginmyB8Hxr9.exe, 00000000.00000003.228044355.000000000123D000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.jiyu-kobo.co.jp/icroinmyB8Hxr9.exe, 00000000.00000003.233698671.0000000006196000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://tempuri.org/NorthWindAzureForInsertsDataSet.xsdinmyB8Hxr9.exefalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://repository.certum.pl/ycasha2.cer0inmyB8Hxr9.exe, 00000005.00000002.492268429.0000000001693000.00000004.00000020.sdmpfalse
                                                    high
                                                    http://www.apache.org/licenses/LICENSE-2.0inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmpfalse
                                                      high
                                                      http://www.fontbureau.cominmyB8Hxr9.exe, 00000000.00000002.263525691.0000000006190000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://DynDns.comDynDNSinmyB8Hxr9.exe, 00000005.00000002.493510413.0000000003321000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://tTAnFc.cominmyB8Hxr9.exe, 00000005.00000002.493510413.0000000003321000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.fontbureau.comFinmyB8Hxr9.exe, 00000000.00000003.239051427.0000000006196000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://repository.certum.pl/ctnca.cer09inmyB8Hxr9.exe, 00000005.00000002.499445380.0000000006F36000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://www.jiyu-kobo.co.jp/TinmyB8Hxr9.exe, 00000000.00000003.233698671.0000000006196000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%hainmyB8Hxr9.exe, 00000005.00000002.493510413.0000000003321000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://crl.certum.pl/ctnca.crl0kinmyB8Hxr9.exe, 00000005.00000002.499445380.0000000006F36000.00000004.00000001.sdmpfalse
                                                            high
                                                            http://www.jiyu-kobo.co.jp/jp/pinmyB8Hxr9.exe, 00000000.00000003.233698671.0000000006196000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.tiro.comlicinmyB8Hxr9.exe, 00000000.00000003.233076818.00000000061AB000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://www.certum.pl/CPS0inmyB8Hxr9.exe, 00000005.00000002.492268429.0000000001693000.00000004.00000020.sdmpfalse
                                                              high
                                                              http://www.jiyu-kobo.co.jp/jp/inmyB8Hxr9.exe, 00000000.00000003.233698671.0000000006196000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.jiyu-kobo.co.jp/BinmyB8Hxr9.exe, 00000000.00000003.233698671.0000000006196000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://smtp.yandex.cominmyB8Hxr9.exe, 00000005.00000002.495653968.00000000035D6000.00000004.00000001.sdmpfalse
                                                                high
                                                                http://www.tiro.com~inmyB8Hxr9.exe, 00000000.00000003.233076818.00000000061AB000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                low
                                                                http://www.urwpp.deEinmyB8Hxr9.exe, 00000000.00000003.235925261.00000000061AF000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.carterandcone.comlinmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://yandex.ocsp-responder.com03inmyB8Hxr9.exe, 00000005.00000002.492268429.0000000001693000.00000004.00000020.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.fontbureau.com/designers/cabarga.htmlNinmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmpfalse
                                                                  high
                                                                  http://www.founder.com.cn/cninmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://www.fontbureau.com/designers/frere-jones.htmlinmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmpfalse
                                                                    high
                                                                    http://crls.yandex.net/certum/ycasha2.crl0-inmyB8Hxr9.exe, 00000005.00000002.492268429.0000000001693000.00000004.00000020.sdmpfalse
                                                                      high
                                                                      http://www.founder.com.cn/cn3inmyB8Hxr9.exe, 00000000.00000003.230314823.0000000006193000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://www.jiyu-kobo.co.jp/inmyB8Hxr9.exe, 00000000.00000003.233894474.0000000006196000.00000004.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      http://www.founder.com.cn/cnftinmyB8Hxr9.exe, 00000000.00000003.230580473.0000000006193000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://www.fontbureau.comoinmyB8Hxr9.exe, 00000000.00000003.239051427.0000000006196000.00000004.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      http://www.fontbureau.com/designers8inmyB8Hxr9.exe, 00000000.00000002.263693385.0000000006280000.00000002.00000001.sdmpfalse
                                                                        high
                                                                        http://www.fontbureau.comituinmyB8Hxr9.exe, 00000000.00000003.239051427.0000000006196000.00000004.00000001.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.fontbureau.comalsinmyB8Hxr9.exe, 00000000.00000003.239051427.0000000006196000.00000004.00000001.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://crl.certum.pl/ca.crl0hinmyB8Hxr9.exe, 00000005.00000002.492268429.0000000001693000.00000004.00000020.sdmpfalse
                                                                          high
                                                                          http://www.sajatypeworks.com#inmyB8Hxr9.exe, 00000000.00000003.228044355.000000000123D000.00000004.00000001.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.founder.com.cn/cnYaHfinmyB8Hxr9.exe, 00000000.00000003.231091128.00000000061A1000.00000004.00000001.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown

                                                                          Contacted IPs


                                                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
77.88.21.158 | unknown | Russian Federation | 13238 | YANDEXRU | false

                                                                          General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 358290
Start date: 25.02.2021
Start time: 11:41:54
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 2s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: inmyB8Hxr9.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/2@2/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.1% (good quality ratio 0%)
• Quality average: 17.5%
• Quality standard deviation: 32.4%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 34
• Number of non-executed functions: 2
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                                          • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                          • Excluded IPs from analysis (whitelisted): 51.104.139.180, 204.79.197.200, 13.107.21.200, 104.42.151.234, 23.211.6.115, 184.30.20.56, 52.255.188.83, 51.11.168.160, 52.147.198.201, 92.122.213.194, 92.122.213.247, 67.26.73.254, 8.248.143.254, 8.253.95.249, 8.253.95.120, 67.26.83.254, 51.103.5.186, 52.155.217.156, 20.54.26.129
                                                                          • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, vip2-par02p.wns.notify.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                          • Report size getting too big, too many NtQueryValueKey calls found.

                                                                          Simulations

                                                                          Behavior and APIs

Time | Type | Description
11:42:55 | API Interceptor | 714x Sleep call for process: inmyB8Hxr9.exe modified

                                                                          Joe Sandbox View / Context

                                                                          IPs

Match | Associated Sample Name / URL | Detection
77.88.21.158 | HTTPS_update_02_2021.exe | malicious
77.88.21.158 | HTTPS_update_02_2021.exe | malicious
77.88.21.158 | KBU0o30E6s.exe | malicious
77.88.21.158 | FspMzSMtYA.exe | malicious
77.88.21.158 | w0dAcJpIm1.exe | malicious
77.88.21.158 | VfUlDo471c.exe | malicious
77.88.21.158 | FEB PROCESSED.xlsx | malicious
77.88.21.158 | q13a8EbUPB.exe | malicious
77.88.21.158 | SecuriteInfo.com.Trojan.GenericKDZ.73120.3552.exe | malicious
77.88.21.158 | PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe | malicious
77.88.21.158 | pass.exe | malicious
77.88.21.158 | nXKdiUgIYy.exe | malicious
77.88.21.158 | x4cXV3784J.exe | malicious
77.88.21.158 | Request For Quotation #D22022021_pdf.exe | malicious
77.88.21.158 | RFQ_PDRVK2200248_00667_PDF.exe | malicious
77.88.21.158 | emI0MqOvFw.exe | malicious
77.88.21.158 | ZnsXrCAriL.exe | malicious
77.88.21.158 | zyp9gbDQHw.exe | malicious
77.88.21.158 | DHL Shipment Notification.PDF.exe | malicious
77.88.21.158 | MI3eskSuv2.exe | malicious

Domains

Match: smtp.yandex.ru

Associated Sample Name / URL (Detection; Context IP)
• HTTPS_update_02_2021.exe (malicious; 77.88.21.158)
• HTTPS_update_02_2021.exe (malicious; 77.88.21.158)
• KBU0o30E6s.exe (malicious; 77.88.21.158)
• FspMzSMtYA.exe (malicious; 77.88.21.158)
• w0dAcJpIm1.exe (malicious; 77.88.21.158)
• VfUlDo471c.exe (malicious; 77.88.21.158)
• FEB PROCESSED.xlsx (malicious; 77.88.21.158)
• q13a8EbUPB.exe (malicious; 77.88.21.158)
• SecuriteInfo.com.Trojan.GenericKDZ.73120.3552.exe (malicious; 77.88.21.158)
• PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe (malicious; 77.88.21.158)
• pass.exe (malicious; 77.88.21.158)
• nXKdiUgIYy.exe (malicious; 77.88.21.158)
• x4cXV3784J.exe (malicious; 77.88.21.158)
• Request For Quotation #D22022021_pdf.exe (malicious; 77.88.21.158)
• RFQ_PDRVK2200248_00667_PDF.exe (malicious; 77.88.21.158)
• emI0MqOvFw.exe (malicious; 77.88.21.158)
• ZnsXrCAriL.exe (malicious; 77.88.21.158)
• zyp9gbDQHw.exe (malicious; 77.88.21.158)
• DHL Shipment Notification.PDF.exe (malicious; 77.88.21.158)
• MI3eskSuv2.exe (malicious; 77.88.21.158)

ASN

Match: YANDEXRU

Associated Sample Name / URL (Detection; Context IP)
• rtofwqxq.exe (malicious; 87.250.250.22)
• HTTPS_update_02_2021.exe (malicious; 77.88.21.158)
• HTTPS_update_02_2021.exe (malicious; 77.88.21.158)
• KBU0o30E6s.exe (malicious; 77.88.21.158)
• FspMzSMtYA.exe (malicious; 77.88.21.158)
• Wd8LBdddKD.exe (malicious; 37.9.96.19)
• Wd8LBdddKD.exe (malicious; 37.9.96.14)
• w0dAcJpIm1.exe (malicious; 77.88.21.158)
• VfUlDo471c.exe (malicious; 77.88.21.158)
• FEB PROCESSED.xlsx (malicious; 77.88.21.158)
• q13a8EbUPB.exe (malicious; 77.88.21.158)
• SecuriteInfo.com.Trojan.GenericKDZ.73120.3552.exe (malicious; 77.88.21.158)
• PO Contract -SCPL0882021 & sales contract ZD.1.19022021_PDF.exe (malicious; 77.88.21.158)
• pass.exe (malicious; 77.88.21.158)
• nXKdiUgIYy.exe (malicious; 77.88.21.158)
• x4cXV3784J.exe (malicious; 77.88.21.158)
• Request For Quotation #D22022021_pdf.exe (malicious; 77.88.21.158)
• RFQ_PDRVK2200248_00667_PDF.exe (malicious; 77.88.21.158)
• emI0MqOvFw.exe (malicious; 77.88.21.158)
• ZnsXrCAriL.exe (malicious; 77.88.21.158)

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\inmyB8Hxr9.exe.log
Process: C:\Users\user\Desktop\inmyB8Hxr9.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1594
Entropy (8bit): 5.336334182031907
Encrypted: false
SSDEEP: 48:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHKzvFHsAmHK2HKSHKKHKs:lrq5qXEwCYqhQnoPtIxHeqzNM/q2qSqY
MD5: B9E8D9BC061D6715808BB3A28CECBA2B
SHA1: 6F18CD63C12AEC962D089F215658FD5BE1789BC3
SHA-256: 716E082F23E093EBCA2C8F994745CC7D62457D7359BBE555B75E275CE8EEEDC7
SHA-512: 6D97D3E34CBCC5C0CCF845E285F98DE1824A825AB1D306D20ED164B0B74270CED9AB694E40831EC796E9F823BB4E369166006E555D7BBD000A33A0FDA601F806
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Roaming\bmtbedok.fh2\Chrome\Default\Cookies
Process: C:\Users\user\Desktop\inmyB8Hxr9.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.6969296358976265
Encrypted: false
SSDEEP: 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBo2+tYeF+X:T5LLOpEO5J/Kn7U1uBo2UYeQ
MD5: A9DBC7B8E523ABE3B02D77DBF2FCD645
SHA1: DF5EE16ECF4B3B02E312F935AE81D4C5D2E91CA8
SHA-256: 39B4E45A062DEA6F541C18FA1A15C5C0DB43A59673A26E2EB5B8A4345EE767AE
SHA-512: 3CF87455263E395313E779D4F440D8405D86244E04B5F577BB9FA2F4A2069DE019D340F6B2F6EF420DEE3D3DEEFD4B58DA3FCA3BB802DE348E1A810D6379CC3B
Malicious: false
Reputation: moderate, very likely benign file
Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8.... (remainder of the preview is non-printable padding)

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.646038972317263
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: inmyB8Hxr9.exe
File size: 471552
MD5: 92353a80e0debe2e697f96a6e6bf8623
SHA1: c32c9b86699e7bd40b613b86136ce3101dbc1cfa
SHA256: 2617f602bd4c11985c40f6987daa563241cc8deb402fb895952c8a73102caad5
SHA512: a6e941ce3b38c31a6b708b75d2645daa2b70c0404402ca99562b609c217f505864e9e1148f38ca26ef755c8ce3aa4e5ea05801c88c1a144cfda767935e0a9758
SSDEEP: 6144:tWAyFAvZUtFPysCWk9BMWnb4cVeZZjaNsUQZQ5r0Kw1tdgls/CVIgcw:t9vaFDCWinZYDaNPyqcmgCVI
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z.o...............P..(..........bF... ...`....@.. ....................................@................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x474662
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x936FA27A [Wed May 20 05:54:02 2048 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 47 times: the disassembly of the zero bytes that follow the jump)
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x74610          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x76000          0x5ec         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x78000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x745f4          0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x72668       0x72800   False     0.828368074509   data       7.65934034445   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x76000          0x5ec         0x600     False     0.434895833333   data       4.2233743472    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x78000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA      Size   Type                                                                        Language  Country
RT_VERSION   0x76090  0x35c  data
RT_MANIFEST  0x763fc  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain
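
The three tables above give everything needed for a first static triage of this sample: a populated IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR entry (the CLR header) together with a sole import of mscoree.dll!_CorExeMain marks a .NET executable, and a .text section with entropy 7.66 out of a possible 8 is a strong hint that most of it is compressed or encrypted payload rather than plain code. The following Python is an added example, not Joe Sandbox's code: it parses the PE headers itself (no pefile dependency), computes per-section Shannon entropy, and runs against a constructed minimal PE32 image whose layout mimics the report (RVA 0x2000 .text, CLR header at 0x2008/0x48). The 7.0 bits/byte threshold is a common heuristic assumed here, not a value from the report.

```python
"""Static PE triage: section entropy and the CLR (COM descriptor) data directory.
Added example, not Joe Sandbox code.  The sample image below is constructed."""
import hashlib
import math
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # index of the .NET CLR header directory entry
IMAGE_SCN_MEM_EXECUTE = 0x20000000
ENTROPY_PACKED_THRESHOLD = 7.0              # heuristic (assumed): >7 bits/byte suggests packed/encrypted data


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyze_pe(blob: bytes) -> dict:
    """Walk DOS -> PE -> optional header -> data directories -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == 0x10B:        # PE32: data directories start 96 bytes into the optional header
        dirs_off = opt + 96
    elif magic == 0x20B:      # PE32+: 112 bytes in
        dirs_off = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs = min(struct.unpack_from("<I", blob, dirs_off - 4)[0], 16)   # NumberOfRvaAndSizes, clamped
    directories = [struct.unpack_from("<II", blob, dirs_off + 8 * i) for i in range(ndirs)]

    sections = []
    sec_off = opt + opt_size                      # section table follows the optional header
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _r, _l, _nr, _nl, chars = struct.unpack_from(
            "<8sIIIIIIHHI", blob, sec_off + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": rawsize,
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "entropy": shannon_entropy(blob[rawptr:rawptr + rawsize]),
        })

    clr = directories[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR else (0, 0)
    return {
        "is_dotnet": clr != (0, 0),               # non-empty CLR header => managed (.NET) image
        "clr_header": clr,
        "sections": sections,
        # executable section that looks like random data: packed or encrypted code
        "suspicious_sections": [s["name"] for s in sections
                                if s["executable"] and s["entropy"] > ENTROPY_PACKED_THRESHOLD],
    }


def _pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for an encrypted payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_image() -> bytes:
    """Constructed minimal PE32: CLR header entry, high-entropy .text, near-empty .reloc."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)    # i386, 2 sections, 224-byte opt hdr
    std = struct.pack("<HBBIIIIII", 0x10B, 48, 0, 0x800, 0x200, 0, 0x2000, 0x2000, 0x4000)
    win = struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x2000, 0x200, 4, 0, 0, 0, 4, 0, 0,
                      0x6000, 0x200, 0, 2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (0x2008, 0x48)       # same RVA/size as the report
    dir_bytes = b"".join(struct.pack("<II", *d) for d in dirs)
    text_hdr = struct.pack("<8sIIIIIIHHI", b".text", 0x800, 0x2000, 0x800, 0x200, 0, 0, 0, 0, 0x60000020)
    reloc_hdr = struct.pack("<8sIIIIIIHHI", b".reloc", 0xC, 0x4000, 0x200, 0xA00, 0, 0, 0, 0, 0x42000040)
    headers = dos + b"PE\0\0" + coff + std + win + dir_bytes + text_hdr + reloc_hdr
    headers += b"\0" * (0x200 - len(headers))                         # pad to FileAlignment
    text = _pseudo_random(0x800, b"constructed sample, not the analysed binary")
    reloc = struct.pack("<IIHH", 0x2000, 0xC, 0x3000, 0) + b"\0" * (0x200 - 12)
    return headers + text + reloc


if __name__ == "__main__":
    rep = analyze_pe(build_sample_image())
    print("managed (.NET) image:", rep["is_dotnet"], "CLR header:", rep["clr_header"])
    for s in rep["sections"]:
        print(f'{s["name"]:<8} RVA {s["virtual_address"]:#08x} entropy {s["entropy"]:.3f}')
    print("suspicious sections:", rep["suspicious_sections"])
```

Pointed at the real sample, the same parser would report the CLR header at 0x2008/0x48, three sections, and .text flagged at 7.66 bits/byte; the .reloc section, 12 bytes of content padded to a 0x200 raw size, sits near zero exactly as in the table.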

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2020 - 2021
Assembly Version  6.4.0.2
InternalName      RemotingException.exe
FileVersion       6.4.0.2
CompanyName
LegalTrademarks
Comments
ProductName       Table Adapter
ProductVersion    6.4.0.2
FileDescription   Table Adapter
OriginalFilename  RemotingException.exe

                                                                                                                  Network Behavior

                                                                                                                  Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Feb 25, 2021 11:44:34.046395063 CET  49755        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:34.125173092 CET  587          49755      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:34.127857924 CET  49755        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:34.350579977 CET  587          49755      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:34.351052999 CET  49755        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:34.429783106 CET  587          49755      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:34.429825068 CET  587          49755      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:34.430308104 CET  49755        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:34.508950949 CET  587          49755      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:34.562391996 CET  49755        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:34.563309908 CET  49755        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:34.642993927 CET  587          49755      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:34.643043995 CET  587          49755      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:34.643062115 CET  587          49755      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:34.643075943 CET  587          49755      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:34.643291950 CET  49755        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:34.684010983 CET  49755        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:34.763072014 CET  587          49755      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:34.812367916 CET  49755        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:34.850516081 CET  49755        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:34.929224014 CET  587          49755      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:34.932694912 CET  49755        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:35.011464119 CET  587          49755      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:35.015842915 CET  49755        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:35.107203007 CET  587          49755      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:35.108191967 CET  49755        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:35.194267035 CET  587          49755      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:35.194888115 CET  49755        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:35.278779030 CET  587          49755      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:35.279474020 CET  49755        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:35.358289957 CET  587          49755      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:35.362770081 CET  49755        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:35.362977028 CET  49755        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:35.363086939 CET  49755        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:35.363194942 CET  49755        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:35.441519976 CET  587          49755      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:35.441700935 CET  587          49755      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:35.933480978 CET  587          49755      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:35.984292030 CET  49755        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:37.262196064 CET  49755        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:37.341094971 CET  587          49755      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:37.341125965 CET  587          49755      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:37.341344118 CET  49755        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:37.358294010 CET  49755        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:37.359647989 CET  49756        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:37.436418056 CET  587          49756      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:37.436630964 CET  49756        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:37.436882973 CET  587          49755      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:37.672813892 CET  587          49756      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:37.673166990 CET  49756        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:37.749855042 CET  587          49756      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:37.749901056 CET  587          49756      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:37.750427008 CET  49756        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:37.827478886 CET  587          49756      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:37.828208923 CET  49756        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:37.906649113 CET  587          49756      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:37.906694889 CET  587          49756      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:37.906724930 CET  587          49756      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:37.906744003 CET  587          49756      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:37.907273054 CET  49756        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:37.911943913 CET  49756        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:37.989012957 CET  587          49756      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:37.991524935 CET  49756        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:38.068325996 CET  587          49756      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:38.069495916 CET  49756        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:38.146559954 CET  587          49756      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:38.147315979 CET  49756        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:38.264954090 CET  587          49756      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:38.431253910 CET  587          49756      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:38.431829929 CET  49756        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:38.508644104 CET  587          49756      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:38.516283989 CET  587          49756      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:38.516767025 CET  49756        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:38.596788883 CET  587          49756      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:38.597311974 CET  49756        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:38.678741932 CET  587          49756      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:38.681421041 CET  49756        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:38.681723118 CET  49756        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:38.681936979 CET  49756        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:38.682125092 CET  49756        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:38.682379007 CET  49756        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:38.682642937 CET  49756        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:38.682818890 CET  49756        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:38.682925940 CET  49756        587        192.168.2.7   77.88.21.158
Feb 25, 2021 11:44:38.759532928 CET  587          49756      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:38.759665966 CET  587          49756      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:38.759701014 CET  587          49756      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:38.759718895 CET  587          49756      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:38.800888062 CET  587          49756      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:39.391064882 CET  587          49756      77.88.21.158  192.168.2.7
Feb 25, 2021 11:44:39.437783957 CET  49756        587        192.168.2.7   77.88.21.158

                                                                                                                  UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 25, 2021 11:42:32.427639008 CET | 56590 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:42:32.468344927 CET | 60501 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:42:32.476778030 CET | 53 | 56590 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:42:32.519934893 CET | 53 | 60501 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:42:33.195080042 CET | 53775 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:42:33.253907919 CET | 53 | 53775 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:42:34.428811073 CET | 51837 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:42:34.480299950 CET | 53 | 51837 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:42:35.619589090 CET | 55411 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:42:35.671304941 CET | 53 | 55411 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:42:36.585953951 CET | 63668 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:42:36.644691944 CET | 53 | 63668 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:42:36.846215010 CET | 54640 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:42:36.899503946 CET | 53 | 54640 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:42:38.043723106 CET | 58739 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:42:38.094341993 CET | 53 | 58739 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:42:39.541865110 CET | 60338 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:42:39.590574980 CET | 53 | 60338 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:42:41.001439095 CET | 58717 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:42:41.061307907 CET | 53 | 58717 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:42:42.243355989 CET | 59762 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:42:42.291981936 CET | 53 | 59762 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:01.412602901 CET | 54329 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:01.471852064 CET | 53 | 54329 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:16.114504099 CET | 58052 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:16.163260937 CET | 53 | 58052 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:17.442075014 CET | 54008 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:17.471110106 CET | 59451 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:17.499337912 CET | 53 | 54008 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:17.519926071 CET | 53 | 59451 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:18.251144886 CET | 52914 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:18.303877115 CET | 53 | 52914 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:19.420806885 CET | 64569 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:19.471337080 CET | 53 | 64569 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:20.257886887 CET | 52816 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:20.312728882 CET | 53 | 52816 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:21.417933941 CET | 50781 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:21.468277931 CET | 53 | 50781 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:22.592530012 CET | 54230 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:22.641251087 CET | 53 | 54230 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:23.429610968 CET | 54911 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:23.478418112 CET | 53 | 54911 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:24.269021988 CET | 49958 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:24.317871094 CET | 53 | 49958 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:24.842926979 CET | 50860 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:24.904547930 CET | 53 | 50860 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:25.099401951 CET | 50452 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:25.148288012 CET | 53 | 50452 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:26.331104040 CET | 59730 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:26.388473034 CET | 53 | 59730 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:27.255508900 CET | 59310 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:27.310013056 CET | 53 | 59310 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:27.970890045 CET | 51919 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:28.019889116 CET | 53 | 51919 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:28.124042034 CET | 64296 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:28.172827959 CET | 53 | 64296 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:28.202331066 CET | 56680 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:28.251082897 CET | 53 | 56680 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:29.264763117 CET | 58820 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:29.313488007 CET | 53 | 58820 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:35.879561901 CET | 60983 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:35.938563108 CET | 53 | 60983 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:45.902324915 CET | 49247 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:45.959479094 CET | 53 | 49247 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:46.589550018 CET | 52286 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:46.653069019 CET | 53 | 52286 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:47.336214066 CET | 56064 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:47.394696951 CET | 53 | 56064 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:47.898294926 CET | 63744 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:47.960324049 CET | 53 | 63744 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:48.491719961 CET | 61457 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:48.551793098 CET | 53 | 61457 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:48.572540045 CET | 58367 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:48.644999027 CET | 53 | 58367 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:49.100601912 CET | 60599 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:49.160178900 CET | 53 | 60599 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:49.368459940 CET | 59571 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:49.863250017 CET | 52689 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:49.923577070 CET | 53 | 52689 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:50.374083996 CET | 59571 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:50.434259892 CET | 53 | 59571 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:51.513500929 CET | 50290 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:51.575829029 CET | 53 | 50290 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:52.486165047 CET | 60427 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:52.545607090 CET | 53 | 60427 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:43:53.005680084 CET | 56209 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:43:53.066025972 CET | 53 | 56209 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:44:11.447969913 CET | 59582 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:44:11.522476912 CET | 53 | 59582 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:44:14.721700907 CET | 60949 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:44:14.770591021 CET | 53 | 60949 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:44:32.821062088 CET | 58542 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:44:32.872997999 CET | 53 | 58542 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:44:33.821827888 CET | 59179 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:44:33.881989956 CET | 53 | 59179 | 8.8.8.8 | 192.168.2.7
Feb 25, 2021 11:44:33.966233015 CET | 60927 | 53 | 192.168.2.7 | 8.8.8.8
Feb 25, 2021 11:44:34.023236990 CET | 53 | 60927 | 8.8.8.8 | 192.168.2.7

                                                                                                                  DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 25, 2021 11:44:33.821827888 CET | 192.168.2.7 | 8.8.8.8 | 0xb513 | Standard query (0) | smtp.yandex.com | A (IP address) | IN (0x0001)
Feb 25, 2021 11:44:33.966233015 CET | 192.168.2.7 | 8.8.8.8 | 0xc334 | Standard query (0) | smtp.yandex.com | A (IP address) | IN (0x0001)

                                                                                                                  DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 25, 2021 11:44:33.881989956 CET | 8.8.8.8 | 192.168.2.7 | 0xb513 | No error (0) | smtp.yandex.com | smtp.yandex.ru | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 11:44:33.881989956 CET | 8.8.8.8 | 192.168.2.7 | 0xb513 | No error (0) | smtp.yandex.ru | | 77.88.21.158 | A (IP address) | IN (0x0001)
Feb 25, 2021 11:44:34.023236990 CET | 8.8.8.8 | 192.168.2.7 | 0xc334 | No error (0) | smtp.yandex.com | smtp.yandex.ru | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 11:44:34.023236990 CET | 8.8.8.8 | 192.168.2.7 | 0xc334 | No error (0) | smtp.yandex.ru | | 77.88.21.158 | A (IP address) | IN (0x0001)

                                                                                                                  SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Feb 25, 2021 11:44:34.350579977 CET | 587 | 49755 | 77.88.21.158 | 192.168.2.7 | 220 vla3-3dd1bd6927b2.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru)
Feb 25, 2021 11:44:34.351052999 CET | 49755 | 587 | 192.168.2.7 | 77.88.21.158 | EHLO 609290
Feb 25, 2021 11:44:34.429825068 CET | 587 | 49755 | 77.88.21.158 | 192.168.2.7 | 250-vla3-3dd1bd6927b2.qloud-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 42991616
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
Feb 25, 2021 11:44:34.430308104 CET | 49755 | 587 | 192.168.2.7 | 77.88.21.158 | STARTTLS
Feb 25, 2021 11:44:34.508950949 CET | 587 | 49755 | 77.88.21.158 | 192.168.2.7 | 220 Go ahead
Feb 25, 2021 11:44:37.672813892 CET | 587 | 49756 | 77.88.21.158 | 192.168.2.7 | 220 iva6-2d18925256a6.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru)
Feb 25, 2021 11:44:37.673166990 CET | 49756 | 587 | 192.168.2.7 | 77.88.21.158 | EHLO 609290
Feb 25, 2021 11:44:37.749901056 CET | 587 | 49756 | 77.88.21.158 | 192.168.2.7 | 250-iva6-2d18925256a6.qloud-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 42991616
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
Feb 25, 2021 11:44:37.750427008 CET | 49756 | 587 | 192.168.2.7 | 77.88.21.158 | STARTTLS
Feb 25, 2021 11:44:37.827478886 CET | 587 | 49756 | 77.88.21.158 | 192.168.2.7 | 220 Go ahead

                                                                                                                  Code Manipulations

                                                                                                                  Statistics

                                                                                                                  CPU Usage


                                                                                                                  Memory Usage


                                                                                                                  High Level Behavior Distribution


                                                                                                                  Behavior


                                                                                                                  System Behavior

                                                                                                                  General

                                                                                                                  Start time:11:42:42
                                                                                                                  Start date:25/02/2021
                                                                                                                  Path:C:\Users\user\Desktop\inmyB8Hxr9.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Users\user\Desktop\inmyB8Hxr9.exe'
                                                                                                                  Imagebase:0xa70000
                                                                                                                  File size:471552 bytes
                                                                                                                  MD5 hash:92353A80E0DEBE2E697F96A6E6BF8623
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.258344568.0000000003E91000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.257896287.0000000002E91000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  Reputation:low

                                                                                                                  General

                                                                                                                  Start time:11:42:56
                                                                                                                  Start date:25/02/2021
                                                                                                                  Path:C:\Users\user\Desktop\inmyB8Hxr9.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:C:\Users\user\Desktop\inmyB8Hxr9.exe
                                                                                                                  Imagebase:0xf10000
                                                                                                                  File size:471552 bytes
                                                                                                                  MD5 hash:92353A80E0DEBE2E697F96A6E6BF8623
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.488867520.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.493510413.0000000003321000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  Reputation:low

                                                                                                                  Disassembly

                                                                                                                  Code Analysis


                                                                                                                    Executed Functions

                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 02CCBCA6
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.257565474.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: HandleModule
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4139908857-0
                                                                                                                    • Opcode ID: bfd9a1fb431bafafade010fab7b73669eff3931b9ba7482c76bc4c4b4691f34c
                                                                                                                    • Instruction ID: 28d688cbea32ea55c2ea9b878319e559a1b25ad9ba80423dee25625fb5e7610e
                                                                                                                    • Opcode Fuzzy Hash: bfd9a1fb431bafafade010fab7b73669eff3931b9ba7482c76bc4c4b4691f34c
                                                                                                                    • Instruction Fuzzy Hash: 6C712470A00B098FD724DF6AC45679AB7F1FF88208F10892DD58AD7A40DB75E905CF91
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02CCE02A
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.257565474.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 716092398-0
                                                                                                                    • Opcode ID: 196a9f102de78dba0ee3c2ef032c293bf0fe7a11577e1e2cf4462ee8c877a5f6
                                                                                                                    • Instruction ID: 6f6a112da1f0192cb325c92e46cfd1972d708562f7ca3a57bf11fd9cb70053a5
                                                                                                                    • Opcode Fuzzy Hash: 196a9f102de78dba0ee3c2ef032c293bf0fe7a11577e1e2cf4462ee8c877a5f6
                                                                                                                    • Instruction Fuzzy Hash: 1851AFB1D00309DFDB14CF9AC984ADEBBB5BF89314F64812AE819AB210D7759945CF90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02CCE02A
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.257565474.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 716092398-0
                                                                                                                    • Opcode ID: 9b8bf2f2fcf2cb2bb4c5f81406f0f3ed1d23a0d85b378b182af8feaba88a1b4e
                                                                                                                    • Instruction ID: 37c91a5e7e861eca970f4a058156c693e1b9dbcabf43b6afbd355d9b59c7c60e
                                                                                                                    • Opcode Fuzzy Hash: 9b8bf2f2fcf2cb2bb4c5f81406f0f3ed1d23a0d85b378b182af8feaba88a1b4e
                                                                                                                    • Instruction Fuzzy Hash: C651E0B1D00318DFDB14CF9AC884ADEBBB5BF88314F64812AE819AB210D7759985CF90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02CC7107
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.257565474.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: DuplicateHandle
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3793708945-0
                                                                                                                    • Opcode ID: 5c6d27102e69b8e9daa711d7361be3231cb7d58da0f603046c82e3a71d7352c3
                                                                                                                    • Instruction ID: 145cf708dac0c64eef788615ef7f2f2feee698e68f13aa46b5214d27d1ebe81e
                                                                                                                    • Opcode Fuzzy Hash: 5c6d27102e69b8e9daa711d7361be3231cb7d58da0f603046c82e3a71d7352c3
                                                                                                                    • Instruction Fuzzy Hash: BF414876900258AFCB01CF99D884ADEBFF9FF89310F14806AE954A7350D375A914DFA0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02CC7107
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.257565474.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: DuplicateHandle
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3793708945-0
                                                                                                                    • Opcode ID: 5a09a389edb2b6b040e8611fcfd1dd00caa4a4e68a540d00e4d97c2bd707b9dc
                                                                                                                    • Instruction ID: cf50b6fd9e5f1c7775ee441a90399bddb2bbf6fe880fa4a8ba3a93b51f666349
                                                                                                                    • Opcode Fuzzy Hash: 5a09a389edb2b6b040e8611fcfd1dd00caa4a4e68a540d00e4d97c2bd707b9dc
                                                                                                                    • Instruction Fuzzy Hash: 1721E3B59002189FDB10CF9AD985ADEFBF8FF48324F14841AE958A7310D374A954CFA1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02CC7107
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.257565474.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: DuplicateHandle
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3793708945-0
                                                                                                                    • Opcode ID: dbc2abd3e5ad1c2dcd91f58a41699d361f648157096e0837e013e91b824cae36
                                                                                                                    • Instruction ID: 9fcd3b7dd3dddc37e78658d2a8ed4eb3d7d7433520f32d1c89f371e51c57b042
                                                                                                                    • Opcode Fuzzy Hash: dbc2abd3e5ad1c2dcd91f58a41699d361f648157096e0837e013e91b824cae36
                                                                                                                    • Instruction Fuzzy Hash: 1C21E4B59002089FDB10CF99D984ADEFBF8FB48324F14841AE958A7310D374A954CFA1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02CCBD21,00000800,00000000,00000000), ref: 02CCBF32
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.257565474.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: LibraryLoad
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1029625771-0
                                                                                                                    • Opcode ID: 2153544bb22e9a29ced37242ed3bbd683bdb25be723a4d4167fc21843156aa7b
                                                                                                                    • Instruction ID: 8cefb8ae44e49b430bb4e5d638fd374ba45bd5cf520ab8885c8c8bd9031435b9
                                                                                                                    • Opcode Fuzzy Hash: 2153544bb22e9a29ced37242ed3bbd683bdb25be723a4d4167fc21843156aa7b
                                                                                                                    • Instruction Fuzzy Hash: CB1103B6D042488FDB10CF9AD444ADFFBF4EB88318F10842EE559A7600C375A945CFA1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02CCBD21,00000800,00000000,00000000), ref: 02CCBF32
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.257565474.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: LibraryLoad
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1029625771-0
                                                                                                                    • Opcode ID: 0a49afa68c3635a8131ef3196fe97ee84363b032932e547e47356e1130fab48a
                                                                                                                    • Instruction ID: 15e6ea5970a1eb84c45f3a546d422d98d96afbe4eb7659b74a50423882142b00
                                                                                                                    • Opcode Fuzzy Hash: 0a49afa68c3635a8131ef3196fe97ee84363b032932e547e47356e1130fab48a
                                                                                                                    • Instruction Fuzzy Hash: 5F1100B6D042098FDB10CF99C588ADEFBF4AF88318F14852AE559A7600C375A945CFA0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 02CCBCA6
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.257565474.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: HandleModule
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4139908857-0
                                                                                                                    • Opcode ID: 72516e63f0b7c8e6a70a9395e687e52657c9f05667df779585be1d8da6383256
                                                                                                                    • Instruction ID: b70b73352b0a798cb74f140793bf691fc1a04d098bf441fdefb4b95db3ae53bb
                                                                                                                    • Opcode Fuzzy Hash: 72516e63f0b7c8e6a70a9395e687e52657c9f05667df779585be1d8da6383256
                                                                                                                    • Instruction Fuzzy Hash: A31113B1D006498FCB10CF9AC444BDFFBF4AF88228F10842AD869B7600D375A946CFA1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • SetWindowLongW.USER32(?,?,?), ref: 02CCE1BD
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.257565474.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: LongWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1378638983-0
                                                                                                                    • Opcode ID: 3f0cb44a643db303921f4003c9c6f3b3f3e6604462a6a1c5521d6597ab2a3389
                                                                                                                    • Instruction ID: 6791d5233a31a38574f4c881906f4f8829e007c7dde3d7dff545c8323b309059
                                                                                                                    • Opcode Fuzzy Hash: 3f0cb44a643db303921f4003c9c6f3b3f3e6604462a6a1c5521d6597ab2a3389
                                                                                                                    • Instruction Fuzzy Hash: EE1125B19002089FDB10CF99D888BDFBBF8EB48324F108419D958B3700C374A944CFA1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • SetWindowLongW.USER32(?,?,?), ref: 02CCE1BD
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.257565474.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: LongWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1378638983-0
                                                                                                                    • Opcode ID: f0b6b45526e1641e230cbbdbcc6a43cae96c5c4a9bc87c8430dc9c781127bd41
                                                                                                                    • Instruction ID: c034ee3cf083c292d4bb5d07d5511dd05beb708f21006c7d7d1f47066ac6f3ee
                                                                                                                    • Opcode Fuzzy Hash: f0b6b45526e1641e230cbbdbcc6a43cae96c5c4a9bc87c8430dc9c781127bd41
                                                                                                                    • Instruction Fuzzy Hash: 5D1103B59002488FDB10CF99D989BDFBBF8EB48324F10845AD958A7740C374A944CFA1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.257080324.000000000105D000.00000040.00000001.sdmp, Offset: 0105D000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 68c2bd19aabb012ea39bfd8a2bcd58602986b45f8f9fa9cfbf35dbeeb60848c8
                                                                                                                    • Instruction ID: 5aecb35a0338cf935c88a7bd288060685ae8e3ad9911ce35b6f952f6c163d9a6
                                                                                                                    • Opcode Fuzzy Hash: 68c2bd19aabb012ea39bfd8a2bcd58602986b45f8f9fa9cfbf35dbeeb60848c8
                                                                                                                    • Instruction Fuzzy Hash: 922106B1504204DFDB45CF54D9C0B27BBA5FB8832CF2485AAED454B206C336D855CBA2
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.257080324.000000000105D000.00000040.00000001.sdmp, Offset: 0105D000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: c9bac84a7fc1bbf5596c0c9cdfbfd886d18a72d0d2145727707f58b7b4c0f4b6
                                                                                                                    • Instruction ID: e22e22c103b3502ec8377501390657205fbcf37f4db281919337285bc08104f2
                                                                                                                    • Opcode Fuzzy Hash: c9bac84a7fc1bbf5596c0c9cdfbfd886d18a72d0d2145727707f58b7b4c0f4b6
                                                                                                                    • Instruction Fuzzy Hash: F311D376404280CFDB56CF54D5C4B16BFB1FB88328F2486AADC450B657C33AD45ACBA2
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.257080324.000000000105D000.00000040.00000001.sdmp, Offset: 0105D000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: f7ac1303d62e79cc9eb4c68ff57c5c997352f24663dd6a48bc2c6fa9f717cee3
                                                                                                                    • Instruction ID: b8e76b1257865c425257b8f9975f2a8489933be490d46b00cd37da79b15b7677
                                                                                                                    • Opcode Fuzzy Hash: f7ac1303d62e79cc9eb4c68ff57c5c997352f24663dd6a48bc2c6fa9f717cee3
                                                                                                                    • Instruction Fuzzy Hash: 5B01A77140C3C89AE7904A59CC85B67FFD8FF41664F18C49BEE845B646E3789844C7B1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.257080324.000000000105D000.00000040.00000001.sdmp, Offset: 0105D000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: d3939b566b190cc017b4a6696bb70bf84cf374be9f1b84ada42c476042f8f86b
                                                                                                                    • Instruction ID: 1488e206fbec5a5caf04ea198035fd0efc0612aa8f28de3c5fceee6d6244e4a4
                                                                                                                    • Opcode Fuzzy Hash: d3939b566b190cc017b4a6696bb70bf84cf374be9f1b84ada42c476042f8f86b
                                                                                                                    • Instruction Fuzzy Hash: B8F04976200604AF93608F0AC884C27FBADFBD4670359C49AE84A4B612C631EC42CFB0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.257080324.000000000105D000.00000040.00000001.sdmp, Offset: 0105D000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: f07386b1bd27cda94062d9d3e391c062a582b4031f11f34a32b85b8a38b13dac
                                                                                                                    • Instruction ID: 600e086b19e359f5e2912a3453c7b9d5d6fd200e185c73d9251441add50c7155
                                                                                                                    • Opcode Fuzzy Hash: f07386b1bd27cda94062d9d3e391c062a582b4031f11f34a32b85b8a38b13dac
                                                                                                                    • Instruction Fuzzy Hash: 52F062714082889EEB518A19CCC5B63FFE8EF41674F18C49AED885B296D3799844CBB1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.257080324.000000000105D000.00000040.00000001.sdmp, Offset: 0105D000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 7e6daf409008d794058863f8aa6fae65205f2db6d5defcaf20e6d726119e901b
                                                                                                                    • Instruction ID: 5fc765e69fee0adbb1225e643a83bd88d496183f1fde13dba5ffd3d6a157cffd
                                                                                                                    • Opcode Fuzzy Hash: 7e6daf409008d794058863f8aa6fae65205f2db6d5defcaf20e6d726119e901b
                                                                                                                    • Instruction Fuzzy Hash: CCF04F75104640AFD355CF06C984C23BFB9FB897607198489E8895B712C630FC42CF70
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Non-executed Functions

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.257565474.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 86d06f50573e6555a568e03d552c1033e2fd128e466aca08b54ba0ab6bf336e0
                                                                                                                    • Instruction ID: 4707c8bdf4ed842aa3799bf0cfd894f91fa23761bb3a7cfcffd6c85e2105066a
                                                                                                                    • Opcode Fuzzy Hash: 86d06f50573e6555a568e03d552c1033e2fd128e466aca08b54ba0ab6bf336e0
                                                                                                                    • Instruction Fuzzy Hash: 60A17F32E0061ACFCF05DFA5D8445DEBBB2FF85304B25856AE905AB225EB35AD15CF80
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.257565474.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 0e2485a49000faf9c391879688e9b5e225fd87014c554ddefd85aecfbad5fb83
                                                                                                                    • Instruction ID: 11ab859d6555a32b7eb7c3eb50f2402f59b09e7704f5b2f08f1c6975f92187ad
                                                                                                                    • Opcode Fuzzy Hash: 0e2485a49000faf9c391879688e9b5e225fd87014c554ddefd85aecfbad5fb83
                                                                                                                    • Instruction Fuzzy Hash: 45C119F1D91746CADB10CF65E8883993BA1BB843ACFD04B09D2612F6D0D7B8116ACF94
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Executed Functions

                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 03194116
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000002.493140879.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: HandleModule
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4139908857-0
                                                                                                                    • Opcode ID: e613c68a07a74b3addd78b7ae96164d316325717315a45837fe7c43f53254243
                                                                                                                    • Instruction ID: bfbb8170938634c4a802053127228e6269e6b6d79b68748789efd8eb1b8c38ec
                                                                                                                    • Opcode Fuzzy Hash: e613c68a07a74b3addd78b7ae96164d316325717315a45837fe7c43f53254243
                                                                                                                    • Instruction Fuzzy Hash: BDA16978A007059FDB14EF69C88466EBBF2FF8C204B148A2AD51ACB751DF34E9058B91
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000002.491712832.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 02643f0a3e850046087878d72ee35c0ef403ae2bc07c828aeb23b3837c56edbe
                                                                                                                    • Instruction ID: 03e1f0869309aecb80bdaff8e47ec89005984c19d2ebe025349505f752be622c
                                                                                                                    • Opcode Fuzzy Hash: 02643f0a3e850046087878d72ee35c0ef403ae2bc07c828aeb23b3837c56edbe
                                                                                                                    • Instruction Fuzzy Hash: 4D412372E043598FCB05DFB9C8046AEBBF1EF89210F09826AD904E7351DB749845CBE0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 031951A2
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000002.493140879.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 716092398-0
                                                                                                                    • Opcode ID: 74390808a1ccf25604a611d7053b400cdaa5c29f10647de93e6276db3791f1df
                                                                                                                    • Instruction ID: 77917b1b60b499962f206db6cf64b8cb8e6183131bcceff845a7806c510ff2ea
                                                                                                                    • Opcode Fuzzy Hash: 74390808a1ccf25604a611d7053b400cdaa5c29f10647de93e6276db3791f1df
                                                                                                                    • Instruction Fuzzy Hash: BF51BFB1D103099FDF15CF99C884ADEBBB6BF48354F64812AE819AB210D774A885CF90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 031951A2
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000002.493140879.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 716092398-0
                                                                                                                    • Opcode ID: 4b540666316a4403b862a279a0433c4ee7ced3efe3e429f8b2875662f72acd9e
                                                                                                                    • Instruction ID: d2568e57f0a102ee3ebd9c1cb5ad506e281aa869a85dfb59b87d5fbd78ab2b0d
                                                                                                                    • Opcode Fuzzy Hash: 4b540666316a4403b862a279a0433c4ee7ced3efe3e429f8b2875662f72acd9e
                                                                                                                    • Instruction Fuzzy Hash: 0451D2B1D103099FDF15CFA9C884ADEFBB6BF49314F24812AE819AB210D774A845CF90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 031951A2
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000002.493140879.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 716092398-0
                                                                                                                    • Opcode ID: ff057900ea900b84b50d0c7a8490b8975bccfa9e5881cfed0eead952aa6d56db
                                                                                                                    • Instruction ID: 9ee6588881f475c0ecc8c9520004192c5d51352fd929a17f8e7d296c96564c8f
                                                                                                                    • Opcode Fuzzy Hash: ff057900ea900b84b50d0c7a8490b8975bccfa9e5881cfed0eead952aa6d56db
                                                                                                                    • Instruction Fuzzy Hash: 3F51B0B1D103099FDF15CF99C884ADEFBB6BF49314F64812AE819AB210D775A885CF90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 03197F09
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000002.493140879.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: CallProcWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2714655100-0
                                                                                                                    • Opcode ID: 8ad18a4ca5e65298f4598972e16a97bb25a6aceae7931b011e5f481fdf70633c
                                                                                                                    • Instruction ID: e56263c305e15a94771cf612525508d0d5a5b5ec3f8f8cb5a27b75c66aeecc59
                                                                                                                    • Opcode Fuzzy Hash: 8ad18a4ca5e65298f4598972e16a97bb25a6aceae7931b011e5f481fdf70633c
                                                                                                                    • Instruction Fuzzy Hash: C64119B99103098FDB14CF99C488AAABBF9FF8C314F15C459E529AB351D774A841CFA0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,03196B2E,?,?,?,?,?), ref: 03196BEF
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000002.493140879.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: DuplicateHandle
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3793708945-0
                                                                                                                    • Opcode ID: 99a72bc816f64469eaff53bebc212c4b32e35ffc46e0d1814e688ba78dfb91d2
                                                                                                                    • Instruction ID: a674000d3c67dde0cc54c974167f098c26408842834507372580f5d0077fa753
                                                                                                                    • Opcode Fuzzy Hash: 99a72bc816f64469eaff53bebc212c4b32e35ffc46e0d1814e688ba78dfb91d2
                                                                                                                    • Instruction Fuzzy Hash: A121E3B59042089FDB10CF99D984AEEFBF8EB48324F14842AE915A7310D374A954CFA1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,03196B2E,?,?,?,?,?), ref: 03196BEF
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000002.493140879.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: DuplicateHandle
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3793708945-0
                                                                                                                    • Opcode ID: 6cdd0a5a8a9c3e92718c889d550154e5760d2c0c557d26082c44f7d4ea882a03
                                                                                                                    • Instruction ID: a8914d0de69a613ee85041e0b1bf3db6ea0c73e84b037a4ba14b8dd5db16a396
                                                                                                                    • Opcode Fuzzy Hash: 6cdd0a5a8a9c3e92718c889d550154e5760d2c0c557d26082c44f7d4ea882a03
                                                                                                                    • Instruction Fuzzy Hash: 4121E4B59002099FDF10CF99D984ADEFBF8FB48324F14842AE914A3310D375A954CFA1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • RtlEncodePointer.NTDLL(00000000), ref: 0319C212
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000002.493140879.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: EncodePointer
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2118026453-0
                                                                                                                    • Opcode ID: 151f6dc6d0337851c31f91925cd4829d0dec1941daa5945f26092454b994122c
                                                                                                                    • Instruction ID: 636e77865c752498d74b0e1e37a55605744b9755d3a493713951e7aa697916af
                                                                                                                    • Opcode Fuzzy Hash: 151f6dc6d0337851c31f91925cd4829d0dec1941daa5945f26092454b994122c
                                                                                                                    • Instruction Fuzzy Hash: E12189B19403498FDF20DFA9D9487AEBBF8FB4C314F24852AD485A7640D7386944CFA1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0161E21A), ref: 0161E307
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000002.491712832.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false
                                                                                                                    Similarity
                                                                                                                    • API ID: GlobalMemoryStatus
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1890195054-0
• Opcode ID: a168d3004019658f0822495968c765df86e00f66fe5a3eaa4a8cba3a5fa41f8b
• Instruction ID: fac04a0bcf8752194703cccbae13ee2cde418d62ea5d6106515ac29672d19435
• Opcode Fuzzy Hash: a168d3004019658f0822495968c765df86e00f66fe5a3eaa4a8cba3a5fa41f8b
• Instruction Fuzzy Hash: 3F1133B1C046199FCB00DF9AD844BDEFBF4AB48224F15812AE918A7240D378A954CFE1
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 0319C212
Memory Dump Source
• Source File: 00000005.00000002.493140879.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: 5d7cf3d155a4f2d059d58c08808ae443536ca44fc2bb00e1e69d82516ece9dd4
• Instruction ID: 094a56436d4541a0231da8d8c3169d0ccaec22802e225e315cbf73f210917a5d
• Opcode Fuzzy Hash: 5d7cf3d155a4f2d059d58c08808ae443536ca44fc2bb00e1e69d82516ece9dd4
• Instruction Fuzzy Hash: A81197B19403498FDF20DFA9D94879EBBF8FB4C314F24842AD445AB640D739A944CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0161E21A), ref: 0161E307
Memory Dump Source
• Source File: 00000005.00000002.491712832.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: 0a61d165da278f754d1b874897ac4c651b26d20c589da153a51639272079d75c
• Instruction ID: 09d36909a67cab960731009b9a76a85af90a4f2fbfd018b2c0d39bbda443ff2e
• Opcode Fuzzy Hash: 0a61d165da278f754d1b874897ac4c651b26d20c589da153a51639272079d75c
• Instruction Fuzzy Hash: B21103B1C046599FCB00DF9AC444BDEFBF4AF48224F15816AD918A7240D378A954CFE1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 03194116
Memory Dump Source
• Source File: 00000005.00000002.493140879.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: b3d889a49122b9f4c51c09c1189a67348409ca1ad9bbc7c4fdd7b31f482bcc4f
• Instruction ID: 841a25f1505284134546aad974f8c41e99ba8d02686dda936fb0d1c2fab0da12
• Opcode Fuzzy Hash: b3d889a49122b9f4c51c09c1189a67348409ca1ad9bbc7c4fdd7b31f482bcc4f
• Instruction Fuzzy Hash: 881143B6C042498FDB10DF9AC444BDEFBF4EB88224F15842AD829B7200D378A546CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 03194116
Memory Dump Source
• Source File: 00000005.00000002.493140879.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: b16a411b25402b0eec6bc828fe236a5b3372f2ad1a949bd9e6c064d25c8d281e
• Instruction ID: 37486d859447b337b9d65e6fac5a8f1c4485363d256f0a564dde9c33f26ac73d
• Opcode Fuzzy Hash: b16a411b25402b0eec6bc828fe236a5b3372f2ad1a949bd9e6c064d25c8d281e
• Instruction Fuzzy Hash: DA1113B2C042498FDB10DF9AC844BDEFBF4EB88224F15842AD429B7200D379A546CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 03194116
Memory Dump Source
• Source File: 00000005.00000002.493140879.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 41913e258bcc4f9e5124656764c86decc98e08ad471dce528380be64f4aab18d
• Instruction ID: 91fe1273f13d65b51e600169b0e1b7bbd5e19408e8fb8a4dc9d754879ba2cc40
• Opcode Fuzzy Hash: 41913e258bcc4f9e5124656764c86decc98e08ad471dce528380be64f4aab18d
• Instruction Fuzzy Hash: 160146B18006448FEB14CF8AD444389BBF0EFAC318F28C2AAC008A7211D339A046CFA5
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.492036481.000000000165D000.00000040.00000001.sdmp, Offset: 0165D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0cdfc4aca81fd55f823735e97acbe37587f398594c9800330a94ba6baa9de4fd
• Instruction ID: 68a5267c03cc0894c8f8cc7618475ff83153cab20759293557ad1664763a7b66
• Opcode Fuzzy Hash: 0cdfc4aca81fd55f823735e97acbe37587f398594c9800330a94ba6baa9de4fd
• Instruction Fuzzy Hash: 4E2122B1508204DFDB51CF54DCC0B26BBA5FB88364F20C5A9ED4A4B386C33AD847CAA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.492036481.000000000165D000.00000040.00000001.sdmp, Offset: 0165D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c2d30c4f82c4674ff2c317994c097a3bd8392f4ecc89915e4a04ec8321bc06b0
• Instruction ID: 0f77e6c6f7b3d5740858d28086c6cb01942b6f58ac72d82e21a4ccd0f0b01fc2
• Opcode Fuzzy Hash: c2d30c4f82c4674ff2c317994c097a3bd8392f4ecc89915e4a04ec8321bc06b0
• Instruction Fuzzy Hash: 08218E755083809FDB02CF24D994B15BF71EB46214F28C5EAD8498F2A7C33A985ACB62
Uniqueness
Uniqueness Score: -1.00%

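The function records above are worth more than a scroll-past: every API call in them (RtlEncodePointer, GlobalMemoryStatusEx, GetModuleHandleW) is issued from a memory dump whose source is "based on PE: false" and whose name carries protection 00000040, i.e. PAGE_EXECUTE_READWRITE, which is the footprint of code that was unpacked or injected at runtime rather than loaded from the sample's image. The following Python script is an added example, not code from the report or from Joe Sandbox; it parses records in the flattened layout shown on this page and lists the API calls made from unbacked RWX regions. The sample input is two records copied from above with their indentation removed. The .sdmp name layout (pid.dumpid.timestamp.base.protection.type, base and protection in hex) is an assumption inferred from the visible names, since the page does not document it; PAGE_EXECUTE_READWRITE = 0x40 is the documented Win32 constant.

```python
import re
from dataclasses import dataclass, field

# Win32 memory-protection constant: a region mapped with it is readable, writable and executable.
PAGE_EXECUTE_READWRITE = 0x40

# Constructed sample input: two function records copied from the report page above,
# in the flattened layout the extractor produced (leading indentation removed).
SAMPLE_RECORDS = """\
APIs
• GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0161E21A), ref: 0161E307
Memory Dump Source
• Source File: 00000005.00000002.491712832.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: 0a61d165da278f754d1b874897ac4c651b26d20c589da153a51639272079d75c
• Instruction ID: 09d36909a67cab960731009b9a76a85af90a4f2fbfd018b2c0d39bbda443ff2e
• Opcode Fuzzy Hash: 0a61d165da278f754d1b874897ac4c651b26d20c589da153a51639272079d75c
• Instruction Fuzzy Hash: B21103B1C046599FCB00DF9AC444BDEFBF4AF48224F15816AD918A7240D378A954CFE1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.492036481.000000000165D000.00000040.00000001.sdmp, Offset: 0165D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0cdfc4aca81fd55f823735e97acbe37587f398594c9800330a94ba6baa9de4fd
• Instruction ID: 68a5267c03cc0894c8f8cc7618475ff83153cab20759293557ad1664763a7b66
• Opcode Fuzzy Hash: 0cdfc4aca81fd55f823735e97acbe37587f398594c9800330a94ba6baa9de4fd
• Instruction Fuzzy Hash: 4E2122B1508204DFDB51CF54DCC0B26BBA5FB88364F20C5A9ED4A4B386C33AD847CAA1
Uniqueness

Uniqueness Score: -1.00%
"""

API_RE = re.compile(r"(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)")
SOURCE_RE = re.compile(r"Source File: (\S+), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)  # dicts with keys name, module, args, ref
    source_file: str = ""
    offset: int = 0
    pe_backed: bool = False
    opcode_id: str = ""
    instruction_fuzzy_hash: str = ""
    uniqueness_score: str = ""

    def dump_info(self) -> dict:
        """Fields encoded in the .sdmp name. ASSUMED layout (not documented on the page):
        pid.dumpid.timestamp.base.protection.type, with base and protection in hex."""
        name = self.source_file[:-5] if self.source_file.endswith(".sdmp") else self.source_file
        p = name.split(".")
        return {"pid": int(p[0]), "base": int(p[3], 16), "protection": int(p[4], 16)}


def parse_records(text: str) -> list:
    """Turn the flattened report text into FunctionRecord objects, one per 'Uniqueness Score' line."""
    records, rec, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Uniqueness Score:"):       # last line of a record
            rec.uniqueness_score = line.split(":", 1)[1].strip()
            records.append(rec)
            rec, section = FunctionRecord(), None
        elif not line.startswith("•"):                 # section header
            section = line  # "APIs", "Memory Dump Source", "Similarity" or "Uniqueness"
        else:                                          # bullet inside the current section
            body = line[1:].strip()
            if section == "APIs":
                m = API_RE.fullmatch(body)
                if m:
                    rec.apis.append({"name": m.group(1), "module": m.group(2),
                                     "args": m.group(3), "ref": int(m.group(4), 16)})
            elif section == "Memory Dump Source":
                m = SOURCE_RE.fullmatch(body)
                if m:
                    rec.source_file = m.group(1)
                    rec.offset = int(m.group(2), 16)
                    rec.pe_backed = m.group(3) == "true"
            elif body.startswith("Opcode ID:"):
                rec.opcode_id = body.split(":", 1)[1].strip()
            elif body.startswith("Instruction Fuzzy Hash:"):
                rec.instruction_fuzzy_hash = body.split(":", 1)[1].strip()
    return records


def api_calls_from_unbacked_rwx(records: list) -> list:
    """API calls issued from memory that is not backed by a PE image and is mapped RWX:
    the footprint of injected or unpacked code, so each of these calls deserves a look."""
    hits = []
    for r in records:
        info = r.dump_info()
        if not r.pe_backed and info["protection"] == PAGE_EXECUTE_READWRITE:
            for api in r.apis:
                hits.append((info["pid"], f"{api['module']}!{api['name']}", api["ref"], r.opcode_id))
    return hits


if __name__ == "__main__":
    for pid, api, ref, opcode_id in api_calls_from_unbacked_rwx(parse_records(SAMPLE_RECORDS)):
        print(f"pid {pid}: {api} at {ref:08X} (function {opcode_id[:16]}...)")
```

Run against the whole function listing of a report, the output is a short list of (process, API, call site, function) tuples that is far easier to triage than the raw records; the GlobalMemoryStatusEx call is the kind of entry to cross-check against the sandbox-detection signatures in the report summary, since querying physical RAM size is a common way for a sample to decide it is running in an analysis VM.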
                                                                                                                    Non-executed Functions