
Analysis Report E3rDVPhyAf

Overview

General Information

Sample Name: E3rDVPhyAf (renamed file extension from none to exe)
Analysis ID: 359421
MD5: 477e66eb6c969823890eaa56105a3801
SHA1: 75647c701d04f64dbea02eead7a693ae8b7dcbc8
SHA256: ab67847cf268c5dba3796b0c022148da53a39b857061fe93a9d704c9844647d8
Tags: HiddenTear

Detection

HiddenTear
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Yara detected HiddenTear ransomware
.NET source code contains very large array initializations
Machine Learning detection for sample
Detected potential crypto function
Enables debug privileges
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • E3rDVPhyAf.exe (PID: 5492 cmdline: 'C:\Users\user\Desktop\E3rDVPhyAf.exe' MD5: 477E66EB6C969823890EAA56105A3801)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
E3rDVPhyAf.exe | JoeSecurity_hidden_tear | Yara detected HiddenTear ransomware | Joe Security | -

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000000.220308263.0000000000072000.00000002.00020000.sdmp | JoeSecurity_hidden_tear | Yara detected HiddenTear ransomware | Joe Security | -
00000000.00000002.485903265.0000000000072000.00000002.00020000.sdmp | JoeSecurity_hidden_tear | Yara detected HiddenTear ransomware | Joe Security | -
Process Memory Space: E3rDVPhyAf.exe PID: 5492 | JoeSecurity_hidden_tear | Yara detected HiddenTear ransomware | Joe Security | -

Unpacked PEs

Source | Rule | Description | Author | Strings
0.0.E3rDVPhyAf.exe.70000.0.unpack | JoeSecurity_hidden_tear | Yara detected HiddenTear ransomware | Joe Security | -
0.0.E3rDVPhyAf.exe.de93c.3.unpack | MAL_RANSOM_COVID19_Apr20_1 | Detects ransomware distributed in COVID-19 theme | Florian Roth |
  • 0x4596b:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34
  • 0x452e3:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34
0.2.E3rDVPhyAf.exe.de93c.3.unpack | MAL_RANSOM_COVID19_Apr20_1 | Detects ransomware distributed in COVID-19 theme | Florian Roth |
  • 0x4596b:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34
  • 0x452e3:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34
0.2.E3rDVPhyAf.exe.de93c.3.raw.unpack | MAL_RANSOM_COVID19_Apr20_1 | Detects ransomware distributed in COVID-19 theme | Florian Roth |
  • 0x6756b:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34
  • 0x66ee3:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34
0.0.E3rDVPhyAf.exe.de93c.3.raw.unpack | MAL_RANSOM_COVID19_Apr20_1 | Detects ransomware distributed in COVID-19 theme | Florian Roth |
  • 0x6756b:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34
  • 0x66ee3:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34
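The two hex strings above ($op2 and $op3) are the only part of MAL_RANSOM_COVID19_Apr20_1 that the report reproduces; the rule's full condition is not on the page, so a "both strings present" check is the most that can be stated here. The report also lists the same hits twice, at 0x4596b/0x452e3 in the mapped (.unpack) view and at 0x6756b/0x66ee3 in the raw (.raw.unpack) view; both pairs differ by the same constant, 0x21C00, which is what you expect when one block of code is reported from two layouts of the same dump. The following Python is an added example and is neither Joe Security's nor Florian Roth's code: it searches a buffer for the two byte patterns, reports every offset, and checks that the two views agree on a single delta. The image it scans is constructed inline, not sample bytes.

```python
import re
from typing import Dict, List

# The two byte patterns exactly as the report lists them for MAL_RANSOM_COVID19_Apr20_1.
PATTERNS: Dict[str, bytes] = {
    "$op2": bytes.fromhex("60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34"),
    "$op3": bytes.fromhex("1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34"),
}

# Offsets the report gives for the mapped (.unpack) and raw (.raw.unpack) views of the dump.
REPORTED_MAPPED: Dict[str, int] = {"$op2": 0x4596B, "$op3": 0x452E3}
REPORTED_RAW: Dict[str, int] = {"$op2": 0x6756B, "$op3": 0x66EE3}


def scan(buf: bytes) -> Dict[str, List[int]]:
    """Return every offset at which each pattern occurs in buf."""
    hits: Dict[str, List[int]] = {}
    for name, pat in PATTERNS.items():
        # re.escape turns the raw bytes into a literal regex so every byte is matched verbatim.
        hits[name] = [m.start() for m in re.finditer(re.escape(pat), buf)]
    return hits


def all_strings_present(hits: Dict[str, List[int]]) -> bool:
    """True when every listed pattern has at least one hit (the rule's real condition is not on the page)."""
    return all(hits.get(name) for name in PATTERNS)


def view_delta(a: Dict[str, int], b: Dict[str, int]) -> int:
    """Constant offset between two views of the same hits; raises if the patterns disagree."""
    deltas = {b[name] - a[name] for name in a}
    if len(deltas) != 1:
        raise ValueError(f"inconsistent offsets between views: {deltas}")
    return deltas.pop()


def build_sample() -> bytes:
    """Constructed test image (not sample bytes): zero filler with $op3 and $op2 embedded."""
    img = bytearray(0x1000)
    img[0x2E3:0x2E3 + len(PATTERNS["$op3"])] = PATTERNS["$op3"]
    img[0x96B:0x96B + len(PATTERNS["$op2"])] = PATTERNS["$op2"]
    return bytes(img)


if __name__ == "__main__":
    found = scan(build_sample())
    print({k: [hex(o) for o in v] for k, v in found.items()}, all_strings_present(found))
    print("mapped-to-raw delta:", hex(view_delta(REPORTED_MAPPED, REPORTED_RAW)))
```

Run against a real dump you would replace build_sample() with the file contents; when hunting variants, keep in mind that a hit on these two strings only reproduces part of the rule, so treat it as a lead rather than a verdict.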

Sigma Overview

No Sigma rule has matched

Signature Overview

            AV Detection:

Antivirus / Scanner detection for submitted sample
Source: E3rDVPhyAf.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: E3rDVPhyAf.exe | Virustotal: Detection: 77%
Source: E3rDVPhyAf.exe | ReversingLabs: Detection: 86%
Machine Learning detection for sample
Source: E3rDVPhyAf.exe | Joe Sandbox ML: detected

            Compliance:

Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: E3rDVPhyAf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
            Source: Binary string: System.Windows.Forms.pdb source: E3rDVPhyAf.exe, 00000000.00000002.502555949.0000000008BC8000.00000004.00000001.sdmp
            Source: Binary string: \hidden-tear\hidden-tear\obj\Release\hidden-tear.pdb source: E3rDVPhyAf.exe
            Source: Binary string: \??\C:\Windows\System.Windows.Forms.pdbw source: E3rDVPhyAf.exe, 00000000.00000002.502555949.0000000008BC8000.00000004.00000001.sdmp
            Source: Binary string: D:\Sanghee Workspace\Project bakaware\bakaware\Touhou_ScoreOrEncrypt\Release\Touhou_ScoreOrEncrypt.pdb source: E3rDVPhyAf.exe
            Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbV source: E3rDVPhyAf.exe, 00000000.00000002.502555949.0000000008BC8000.00000004.00000001.sdmp
            Source: Binary string: \hidden-tear-decrypter\hidden-tear-decrypter\obj\Release\hidden-tear-decrypter.pdb source: E3rDVPhyAf.exe
            Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: E3rDVPhyAf.exe

Networking:

Source: unknown | DNS traffic detected: query: alex4386networks.mooo.com reply code: Name error (3)
Source: unknown | DNS traffic detected: queries for: alex4386networks.mooo.com
Source: E3rDVPhyAf.exe, 00000000.00000002.489235799.00000000025B3000.00000004.00000001.sdmp | String found in binary or memory: http://alex4386networks.mooo.com
Source: E3rDVPhyAf.exe | String found in binary or memory: http://alex4386networks.mooo.com/bamboo-forest/write.php?
Source: E3rDVPhyAf.exe, 00000000.00000002.489087124.0000000002597000.00000004.00000001.sdmp | String found in binary or memory: http://alex4386networks.mooo.com/bamboo-forest/write.php?computername=226533&&information=user&&pa
Source: E3rDVPhyAf.exe, 00000000.00000002.489235799.00000000025B3000.00000004.00000001.sdmp | String found in binary or memory: http://alex4386networks.moooP
Source: E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: E3rDVPhyAf.exe, 00000000.00000002.489235799.00000000025B3000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: E3rDVPhyAf.exe, 00000000.00000002.488447681.0000000000D27000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: E3rDVPhyAf.exe, 00000000.00000002.488447681.0000000000D27000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.come.com
Source: E3rDVPhyAf.exe, 00000000.00000002.488447681.0000000000D27000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: E3rDVPhyAf.exe | String found in binary or memory: https://github.com/alforeplay/Touhou_ScoreOrEncrypthttps://youtu.be/5wFDWP5JwSMstart
Source: E3rDVPhyAf.exe | String found in binary or memory: https://youtu.be/5wFDWP5JwSM
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Code function: 0_2_06AB72F8 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState
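The only network indicators the report yields are the host alex4386networks.mooo.com (which returned Name error, i.e. NXDOMAIN, in the sandbox) and the beacon URL /bamboo-forest/write.php with computername= and information= parameters; the request string is truncated in the report after "&&pa", so the third parameter is unknown. In the public hidden-tear source the equivalent write.php request is the channel that reports the generated encryption password, which is why a failed resolution of this host matters for recovery. The Python below is an added example, not code from the report or from the sample's author: it runs a detection over DNS and proxy log lines, flags queries for the host and requests to the beacon path, and extracts the visible parameters. The log lines are constructed inline and reuse only the parameter names the report shows, with the same doubled "&&" separator.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Indicators from the report. The third query parameter is truncated there ("...&&pa"),
# so matching relies on the host and the beacon path, not on any parameter name.
C2_HOST = "alex4386networks.mooo.com"
BEACON_PATH = "/bamboo-forest/write.php"

# Assumed log layouts for this example (not the report's): "query=<name> rcode=<code>"
# for DNS responses and "url=<absolute url>" for proxy requests.
DNS_RE = re.compile(r"\bquery=(\S+)\s+rcode=(\S+)")
URL_RE = re.compile(r"\burl=(\S+)")


def analyse_line(line: str) -> Dict[str, object]:
    """Classify one log line; returns an empty dict when the line is unrelated."""
    m = DNS_RE.search(line)
    if m:
        host, rcode = m.group(1).rstrip(".").lower(), m.group(2).upper()
        if host == C2_HOST:
            # NXDOMAIN means the beacon could not have reached the server.
            return {"kind": "dns", "host": host, "resolved": rcode != "NXDOMAIN"}
        return {}
    m = URL_RE.search(line)
    if m:
        parts = urlsplit(m.group(1))
        host = (parts.hostname or "").lower()
        if host == C2_HOST or parts.path == BEACON_PATH:
            # parse_qsl skips the empty pairs produced by the doubled "&&" separators.
            params = dict(parse_qsl(parts.query))
            return {"kind": "beacon", "host": host, "path": parts.path, "params": params}
    return {}


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Return the findings for every line that matches an indicator."""
    return [f for f in (analyse_line(ln) for ln in lines) if f]


# Constructed sample log lines for the demonstration (not from the report).
SAMPLE_LOGS = [
    "2021-02-21T10:00:01Z dns client=10.0.0.5 query=alex4386networks.mooo.com rcode=NXDOMAIN",
    "2021-02-21T10:00:02Z proxy client=10.0.0.5 url=http://alex4386networks.mooo.com/bamboo-forest/write.php?computername=WS01&&information=user",
    "2021-02-21T10:00:03Z proxy client=10.0.0.6 url=http://www.fontbureau.com/designers",
    "2021-02-21T10:00:04Z dns client=10.0.0.6 query=www.fontbureau.com rcode=NOERROR",
]

if __name__ == "__main__":
    for finding in scan_logs(SAMPLE_LOGS):
        print(finding)
```

The font-vendor URLs listed above (fontbureau.com, fonts.com and the rest) come from embedded font metadata and are deliberately not treated as indicators; matching on the beacon path independently of the host also catches a rebuilt sample pointed at a different dynamic-DNS name.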

            Spam, unwanted Advertisements and Ransom Demands:

Yara detected HiddenTear ransomware
Source: Yara match | File source: E3rDVPhyAf.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000000.220308263.0000000000072000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.485903265.0000000000072000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: E3rDVPhyAf.exe PID: 5492, type: MEMORY
Source: Yara match | File source: 0.0.E3rDVPhyAf.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.E3rDVPhyAf.exe.70000.0.unpack, type: UNPACKEDPE

            System Summary:

.NET source code contains very large array initializations
Source: E3rDVPhyAf.exe, hidden_tear/Form1.cs | Large array initialization: messageCreator: array initializer size 403347
Source: 0.2.E3rDVPhyAf.exe.70000.0.unpack, hidden_tear/Form1.cs | Large array initialization: messageCreator: array initializer size 403347
Source: 0.0.E3rDVPhyAf.exe.70000.0.unpack, hidden_tear/Form1.cs | Large array initialization: messageCreator: array initializer size 403347
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Code function: 0_2_00A0C154
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Code function: 0_2_00A0E589
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Code function: 0_2_00A0E598
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Code function: 0_2_06AB5300
Source: E3rDVPhyAf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: E3rDVPhyAf.exe | Binary or memory string: OriginalFilename vs E3rDVPhyAf.exe
Source: E3rDVPhyAf.exe, 00000000.00000000.220352752.00000000000D9000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamehidden-tear-decrypter.exeL vs E3rDVPhyAf.exe
Source: E3rDVPhyAf.exe, 00000000.00000000.220352752.00000000000D9000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamehidden-tear.exe8 vs E3rDVPhyAf.exe
Source: E3rDVPhyAf.exe, 00000000.00000002.502130922.0000000008210000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs E3rDVPhyAf.exe
Source: E3rDVPhyAf.exe, 00000000.00000002.489397825.00000000025C7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemscorlib.dllT vs E3rDVPhyAf.exe
Source: E3rDVPhyAf.exe, 00000000.00000002.489397825.00000000025C7000.00000004.00000001.sdmp | Binary or memory string: l,\\StringFileInfo\\040904B0\\OriginalFilename vs E3rDVPhyAf.exe
Source: E3rDVPhyAf.exe, 00000000.00000002.489397825.00000000025C7000.00000004.00000001.sdmp | Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs E3rDVPhyAf.exe
Source: E3rDVPhyAf.exe, 00000000.00000002.489397825.00000000025C7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs E3rDVPhyAf.exe
Source: E3rDVPhyAf.exe, 00000000.00000002.489397825.00000000025C7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSystem.dllT vs E3rDVPhyAf.exe
Source: E3rDVPhyAf.exe, 00000000.00000002.489397825.00000000025C7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs E3rDVPhyAf.exe
Source: E3rDVPhyAf.exe, 00000000.00000002.489397825.00000000025C7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs E3rDVPhyAf.exe
Source: E3rDVPhyAf.exe, 00000000.00000002.489397825.00000000025C7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSystem.Core.dllT vs E3rDVPhyAf.exe
Source: E3rDVPhyAf.exe, 00000000.00000002.489397825.00000000025C7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSystem.Xml.dllT vs E3rDVPhyAf.exe
Source: E3rDVPhyAf.exe, 00000000.00000002.489397825.00000000025C7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs E3rDVPhyAf.exe
Source: E3rDVPhyAf.exe, 00000000.00000002.494849605.0000000006A00000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs E3rDVPhyAf.exe
Source: E3rDVPhyAf.exe, 00000000.00000002.494823590.00000000069F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs E3rDVPhyAf.exe
Source: E3rDVPhyAf.exe | Binary or memory string: OriginalFilenamehidden-tear-decrypter.exeL vs E3rDVPhyAf.exe
Source: E3rDVPhyAf.exe | Binary or memory string: OriginalFilenamehidden-tear.exe8 vs E3rDVPhyAf.exe
Source: 0.0.E3rDVPhyAf.exe.de93c.3.unpack, type: UNPACKEDPE | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 0.2.E3rDVPhyAf.exe.de93c.3.unpack, type: UNPACKEDPE | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 0.2.E3rDVPhyAf.exe.de93c.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 0.0.E3rDVPhyAf.exe.de93c.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 0.0.E3rDVPhyAf.exe.70000.0.unpack, hidden_tear/Form1.cs | Security API names: System.Security.AccessControl.DirectorySecurity System.IO.Directory::GetAccessControl(System.String)
Source: 0.0.E3rDVPhyAf.exe.70000.0.unpack, hidden_tear/Form1.cs | Security API names: System.Security.AccessControl.AuthorizationRuleCollection System.Security.AccessControl.CommonObjectSecurity::GetAccessRules(System.Boolean,System.Boolean,System.Type)
Source: 0.2.E3rDVPhyAf.exe.70000.0.unpack, hidden_tear/Form1.cs | Security API names: System.Security.AccessControl.DirectorySecurity System.IO.Directory::GetAccessControl(System.String)
Source: 0.2.E3rDVPhyAf.exe.70000.0.unpack, hidden_tear/Form1.cs | Security API names: System.Security.AccessControl.AuthorizationRuleCollection System.Security.AccessControl.CommonObjectSecurity::GetAccessRules(System.Boolean,System.Boolean,System.Type)
Source: E3rDVPhyAf.exe, hidden_tear/Form1.cs | Security API names: System.Security.AccessControl.DirectorySecurity System.IO.Directory::GetAccessControl(System.String)
Source: E3rDVPhyAf.exe, hidden_tear/Form1.cs | Security API names: System.Security.AccessControl.AuthorizationRuleCollection System.Security.AccessControl.CommonObjectSecurity::GetAccessRules(System.Boolean,System.Boolean,System.Type)
Source: E3rDVPhyAf.exe | Binary or memory string: .pptx.odt.jpg.png.csv.sql.mdb.sln.php.asp
Source: classification engine | Classification label: mal80.rans.winEXE@1/0@1/0
Source: E3rDVPhyAf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 entries in the report)
Source: E3rDVPhyAf.exe | Virustotal: Detection: 77%
Source: E3rDVPhyAf.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | File read: C:\Users\user\Desktop\E3rDVPhyAf.exe
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Automated click: Continue (2 entries in the report)
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: E3rDVPhyAf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: E3rDVPhyAf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: E3rDVPhyAf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Code function: 0_2_000752C6 push cs; ret 0_2_000752C9

            Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: icon (5001).png
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Process information set: NOOPENFILEERRORBOX (46 identical entries in the report)
Source: E3rDVPhyAf.exe, 00000000.00000002.502130922.0000000008210000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: E3rDVPhyAf.exe, 00000000.00000002.502130922.0000000008210000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: E3rDVPhyAf.exe, 00000000.00000002.502130922.0000000008210000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: E3rDVPhyAf.exe, 00000000.00000002.502130922.0000000008210000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Memory allocated: page read and write | page guard
Source: E3rDVPhyAf.exe, 00000000.00000002.488478361.0000000000F30000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: E3rDVPhyAf.exe, 00000000.00000002.488478361.0000000000F30000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: E3rDVPhyAf.exe, 00000000.00000002.488478361.0000000000F30000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
Source: E3rDVPhyAf.exe, 00000000.00000002.488478361.0000000000F30000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
Source: E3rDVPhyAf.exe, 00000000.00000002.488478361.0000000000F30000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Queries volume information: C:\Users\user\Desktop\E3rDVPhyAf.exe VolumeInformation
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\E3rDVPhyAf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe
Queries volume information (VolumeInformation) for the following font files under C:\Windows\Fonts\:
MOD20.TTF, NIAGENG.TTF, NIAGSOL.TTF, OLDENGL.TTF, ONYX.TTF, PARCHM.TTF, PLAYBILL.TTF, POORICH.TTF, RAVIE.TTF, INFROMAN.TTF, SHOWG.TTF, SNAP____.TTF, STENCIL.TTF, VINERITC.TTF, VIVALDII.TTF, VLADIMIR.TTF, LATINWD.TTF,
TCM_____.TTF, TCMI____.TTF, TCB_____.TTF, TCBI____.TTF, TCCM____.TTF, TCCB____.TTF, TCCEB.TTF, SCRIPTBL.TTF,
ROCK.TTF, ROCKI.TTF, ROCKB.TTF, ROCKEB.TTF, ROCKBI.TTF, ROCC____.TTF, ROCCB___.TTF, RAGE.TTF,
PERTILI.TTF, PERTIBD.TTF, PER_____.TTF, PERI____.TTF, PERB____.TTF, PERBI___.TTF, PALSCRI.TTF, OCRAEXT.TTF, MAIAN.TTF,
LTYPE.TTF, LTYPEO.TTF, LTYPEB.TTF, LTYPEBO.TTF, LSANS.TTF, LSANSD.TTF, LSANSI.TTF, LSANSDI.TTF,
IMPRISHA.TTF, HATTEN.TTF, GOUDYSTO.TTF, GOUDOS.TTF, GOUDOSI.TTF, GOUDOSB.TTF, GLECB.TTF,
GIL_____.TTF, GILI____.TTF, GILB____.TTF, GILBI___.TTF, GILC____.TTF, GLSNECB.TTF, GIGI.TTF,
FRABK.TTF, FRABKIT.TTF, FORTE.TTF, FELIXTI.TTF, ERASMD.TTF, ERASLGHT.TTF, ERASDEMI.TTF, ERASBD.TTF, ENGR.TTF, ELEPHNT.TTF, ELEPHNTI.TTF, ITCEDSCR.TTF,
CURLZ___.TTF, COPRGTL.TTF, COPRGTB.TTF, CENSCBK.TTF, SCHLBKI.TTF, SCHLBKB.TTF, SCHLBKBI.TTF, CASTELAR.TTF,
CALIST.TTF, CALISTI.TTF, CALISTB.TTF, CALISTBI.TTF, BOOKOS.TTF, BOOKOSB.TTF, BOOKOSI.TTF, BOOKOSBI.TTF,
BOD_R.TTF, BOD_I.TTF, BOD_B.TTF, BOD_BI.TTF, BOD_CR.TTF, BOD_BLAR.TTF, BOD_CI.TTF, BOD_CB.TTF, BOD_BLAI.TTF, BOD_CBI.TTF,
ITCBLKAD.TTF, ARLRDBD.TTF, AGENCYR.TTF, AGENCYB.TTF, BSSYM7.TTF, REFSAN.TTF, REFSPCL.TTF, MTEXTRA.TTF, marlett.ttf, micross.ttf
Source: C:\Users\user\Desktop\E3rDVPhyAf.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Mitre Att&ck Matrix

Techniques per tactic as listed in the report's matrix. A count in parentheses is the number of signatures that matched that technique; cells without a count are the matrix's fixed placeholders.
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux), At (Windows)
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
Privilege Escalation: Process Injection (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Process Injection (1), Obfuscated Files or Information (1)
Credential Access: Input Capture (1), LSASS Memory, Security Account Manager, NTDS
Discovery: Security Software Discovery (1), Process Discovery (1), System Information Discovery (12), Remote System Discovery (1)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
Collection: Input Capture (1), Archive Collected Data (1), Data from Network Shared Drive, Input Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer
Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (1), Application Layer Protocol (1), Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud
Impact: Modify System Partition, Device Lockout, Delete Device Data


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

Source | Detection | Scanner | Label
E3rDVPhyAf.exe | 77% | Virustotal |
E3rDVPhyAf.exe | 87% | ReversingLabs | ByteCode-MSIL.Ransomware.HiddenTear
E3rDVPhyAf.exe | 100% | Avira | HEUR/AGEN.1129970
E3rDVPhyAf.exe | 100% | Joe Sandbox ML |

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

Source | Detection | Scanner | Label
0.2.E3rDVPhyAf.exe.70000.0.unpack | 100% | Avira | HEUR/AGEN.1129970
0.0.E3rDVPhyAf.exe.70000.0.unpack | 100% | Avira | HEUR/AGEN.1129970

            Domains

            No Antivirus matches

            URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://alex4386networks.moooP | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.fontbureau.come.com | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.comm | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

            Domains and IPs

            Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
alex4386networks.mooo.com | unknown | unknown | false | | high

              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | E3rDVPhyAf.exe, 00000000.00000002.488447681.0000000000D27000.00000004.00000040.sdmp | false | | high
http://www.fontbureau.com/designersG | E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | false | | high
https://youtu.be/5wFDWP5JwSM | E3rDVPhyAf.exe | false | | high
http://www.tiro.com | E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://alex4386networks.moooP | E3rDVPhyAf.exe, 00000000.00000002.489235799.00000000025B3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://github.com/alforeplay/Touhou_ScoreOrEncrypthttps://youtu.be/5wFDWP5JwSMstart | E3rDVPhyAf.exe | false | | high
http://alex4386networks.mooo.com/bamboo-forest/write.php?computername=226533&&information=user&&pa | E3rDVPhyAf.exe, 00000000.00000002.489087124.0000000002597000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.come.com | E3rDVPhyAf.exe, 00000000.00000002.488447681.0000000000D27000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.comm | E3rDVPhyAf.exe, 00000000.00000002.488447681.0000000000D27000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | false | | high
http://www.fonts.com | E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://alex4386networks.mooo.com/bamboo-forest/write.php? | E3rDVPhyAf.exe | false | | high
http://www.urwpp.deDPlease | E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://alex4386networks.mooo.com | E3rDVPhyAf.exe, 00000000.00000002.489235799.00000000025B3000.00000004.00000001.sdmp | false | | high
http://www.zhongyicts.com.cn | E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | E3rDVPhyAf.exe, 00000000.00000002.489235799.00000000025B3000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | E3rDVPhyAf.exe, 00000000.00000002.493519577.00000000054E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

                                              Contacted IPs

                                              No contacted IP infos
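The URL and domain tables above mix two unrelated things. Most entries are the vendor and licence strings that GDI+ reads out of TrueType files when a .NET GUI application enumerates the installed fonts; the long run of font-file volume queries earlier in the report is the same activity, and neither is an indicator on its own. The entries that matter are the check-in to alex4386networks.mooo.com/bamboo-forest/write.php (a FreeDNS host that did not resolve during the run, hence the "expired dropper" signature) and the MachineGuid read, which gives the sample a stable victim identifier. The script below is an added example, not code from the report or from the sample: it separates the two classes of URL, parses the check-in's query string (the report truncates it after "&&pa" and the script does not guess at the missing parameter), and applies the same check to proxy log lines. The dynamic-DNS parent list, the log line format and the log lines themselves are assumptions constructed for the example; the URL strings are copied from the report.

```python
"""Triage of URL strings recovered from process memory, plus a proxy-log check
for the sample's HTTP check-in shape.

Added example; not code from the Joe Sandbox report or from the sample.
REPORT_URLS are copied from the report's "URLs from Memory and Binaries"
table. DYNDNS_PARENTS, the log format and SAMPLE_LOG are assumptions
constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass, field
import re
from urllib.parse import parse_qs, urlsplit

# Shared parents offered by free dynamic-DNS services (assumption: a short
# list a triage script would maintain; mooo.com belongs to FreeDNS/afraid.org).
DYNDNS_PARENTS = ("mooo.com", "chickenkiller.com", "no-ip.org", "ddns.net", "duckdns.org")

# Hosts that appear in the report only because they are the vendor/licence
# URLs embedded in the TrueType fonts GDI+ read. Matched by prefix because
# strings carved from memory often carry a stray trailing byte or two
# ("www.typography.netD", "www.urwpp.deDPlease").
FONT_METADATA_HOSTS = (
    "www.fontbureau.com", "www.founder.com.cn", "www.tiro.com", "www.goodfont.co.kr",
    "www.carterandcone.com", "www.sajatypeworks.com", "www.typography.net",
    "www.galapagosdesign.com", "fontfabrik.com", "www.jiyu-kobo.co.jp",
    "www.sandoll.co.kr", "www.urwpp.de", "www.zhongyicts.com.cn", "www.sakkal.com",
    "www.fonts.com",
)

# Path of the receiver seen in the report's check-in URL.
CHECKIN_PATH = "/write.php"


@dataclass
class Verdict:
    url: str
    label: str                      # checkin | dyndns | font-metadata | other
    params: dict = field(default_factory=dict)


def is_dyndns(host: str) -> bool:
    return any(host == p or host.endswith("." + p) for p in DYNDNS_PARENTS)


def classify_url(url: str) -> Verdict:
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # parse_qs drops the empty pairs produced by the sample's doubled "&&" and
    # also drops the final "pa", which has no "=" because the report truncates
    # the string there; nothing is guessed about the missing parameter.
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.path.endswith(CHECKIN_PATH) and "computername" in params:
        return Verdict(url, "checkin", params)
    if is_dyndns(host):
        return Verdict(url, "dyndns", params)
    if any(host.startswith(h) for h in FONT_METADATA_HOSTS):
        return Verdict(url, "font-metadata", params)
    return Verdict(url, "other", params)


# Copied from the report (a subset; garbled strings kept as the report shows them).
REPORT_URLS = [
    "http://www.apache.org/licenses/LICENSE-2.0",
    "http://www.fontbureau.com/designers/?",
    "http://www.founder.com.cn/cn/bThe",
    "https://youtu.be/5wFDWP5JwSM",
    "http://www.tiro.com",
    "http://alex4386networks.moooP",
    "http://www.typography.netD",
    "http://alex4386networks.mooo.com/bamboo-forest/write.php?computername=226533&&information=user&&pa",
    "http://alex4386networks.mooo.com/bamboo-forest/write.php?",
    "http://alex4386networks.mooo.com",
    "http://www.urwpp.deDPlease",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
]


def triage_report_urls(urls=REPORT_URLS) -> dict:
    """Count the report's URL strings per label; only checkin/dyndns need an analyst."""
    return dict(Counter(classify_url(u).label for u in urls))


# Constructed proxy log: "<timestamp> <client> <method> <url> <status>" (assumed format).
SAMPLE_LOG = """\
2021-02-28T09:44:10Z 10.0.0.23 GET http://alex4386networks.mooo.com/bamboo-forest/write.php?computername=226533&&information=user 200
2021-02-28T09:44:12Z 10.0.0.23 GET http://www.fontbureau.com/designers 200
2021-02-28T09:44:15Z 10.0.0.41 GET http://intranet.example/write.php?computername=WS41 200
2021-02-28T09:44:20Z 10.0.0.41 GET http://www.apache.org/licenses/LICENSE-2.0 200
"""
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_proxy_log(lines):
    """Return (client, label, url, params) for requests matching the check-in
    shape or going to a dynamic-DNS host; font-metadata and other URLs are skipped."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        v = classify_url(m["url"])
        if v.label in ("checkin", "dyndns"):
            hits.append((m["client"], v.label, m["url"], v.params))
    return hits


if __name__ == "__main__":
    print(triage_report_urls())
    for hit in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(*hit)
```

The check-in rule is deliberately about the request shape (a write.php receiver taking a computername parameter) rather than the one hostname, because HiddenTear-derived samples are rebuilt with a fresh receiver and dynamic-DNS name per build; the third constructed log line shows the same shape on another host being caught. The "moooP" string is classified as unknown rather than dynamic DNS: it is a memory-carving artefact of the real host name, and matching it would mean guessing at bytes the report does not show.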

                                              General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 359421
Start date: 28.02.2021
Start time: 09:43:48
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 30s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: E3rDVPhyAf (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal80.rans.winEXE@1/0@1/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 21
• Number of non-executed functions: 3
Cookbook Comments:
• Adjust boot time
                                              • Enable AMSI
                                              Warnings:
                                              • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                              • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 51.104.139.180, 93.184.220.29, 104.43.139.144, 168.61.161.212, 92.122.145.220, 13.64.90.137, 184.30.24.56, 51.103.5.186, 51.104.144.132, 92.122.213.247, 92.122.213.194, 20.54.26.129
                                              • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, cs9.wac.phicdn.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, vip2-par02p.wns.notify.trafficmanager.net
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.

                                              Simulations

                                              Behavior and APIs

                                              No simulations

                                              Joe Sandbox View / Context

                                              IPs

                                              No context

                                              Domains

                                              No context

                                              ASN

                                              No context

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              No created / dropped files found

                                              Static File Info

                                              General

                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):5.882696011817744
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.72%
                                              • Win32 Executable (generic) a (10002005/4) 49.68%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • InstallShield setup (43055/19) 0.21%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              File name:E3rDVPhyAf.exe
                                              File size:951296
                                              MD5:477e66eb6c969823890eaa56105a3801
                                              SHA1:75647c701d04f64dbea02eead7a693ae8b7dcbc8
                                              SHA256:ab67847cf268c5dba3796b0c022148da53a39b857061fe93a9d704c9844647d8
                                              SHA512:a26952e605162550d71277260e86692eb58852e6591f282ae24d000a0db74cb9c10bcbe36b681d705c44c972cbe9835ad1bdb478ff2fe563f1464f5fa82e00e3
                                              SSDEEP:12288:AidAAQb4cjwbg+6uVoDDWcNzbeCuf3XLpRcnXWM1z/O8Ai:AAA4R9VgWcNzluf3XLpRcnf9/9A
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....)lY.........."...0.............6.... ... ....@.. ....................................`................................

                                              File Icon

                                              Icon Hash:6eecccccd6d2f2f2

                                              Static PE Info

                                              General

                                              Entrypoint:0x46e936
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                              Time Stamp:0x596C2993 [Mon Jul 17 03:05:55 2017 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:v4.0.30319
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                              Entrypoint Preview

                                              Instruction
                                              jmp dword ptr [00402000h]
                                              dec ebp
                                              pop edx
                                              nop
                                              add byte ptr [ebx], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax+eax], al
                                              add byte ptr [eax], al

                                              Data Directories

                                               Name | Virtual Address | Virtual Size | Is in Section
                                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6e8e4 | 0x4f | .text
                                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd2000 | 0x18c60 | .rsrc
                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xec000 | 0xc | .reloc
                                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6e7ac | 0x1c | .text
                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                              Sections

                                               Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                               .text | 0x2000 | 0xcf0dc | 0xcf200 | False | 0.451249669961 | data | 5.96735108385 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                               .rsrc | 0xd2000 | 0x18c60 | 0x18e00 | False | 0.146778815955 | data | 4.30108665856 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .reloc | 0xec000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                              Resources

                                               Name | RVA | Size | Type | Language | Country
                                               RT_ICON | 0xd2180 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
                                               RT_ICON | 0xd4738 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | |
                                               RT_ICON | 0xd57f0 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                               RT_ICON | 0xd5c68 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
                                               RT_ICON | 0xd9ea0 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
                                               RT_GROUP_ICON | 0xea6d8 | 0x4c | data | |
                                               RT_VERSION | 0xea734 | 0x32c | data | |
                                               RT_MANIFEST | 0xeaa70 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                              Imports

                                               DLL | Import
                                               mscoree.dll | _CorExeMain

                                              Version Infos

                                               Description | Data
                                               Translation | 0x0000 0x04b0
                                               LegalCopyright | Copyright 2015
                                               Assembly Version | 1.0.0.0
                                               InternalName | hidden-tear.exe
                                               FileVersion | 1.0.0.0
                                               CompanyName |
                                               LegalTrademarks |
                                               Comments |
                                               ProductName | hidden-tear
                                               ProductVersion | 1.0.0.0
                                               FileDescription | hidden-tear
                                               OriginalFilename | hidden-tear.exe

                                              Network Behavior

                                              Network Port Distribution

                                              UDP Packets

                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Feb 28, 2021 09:44:27.635478020 CET | 54302 | 53 | 192.168.2.5 | 8.8.8.8
                                               Feb 28, 2021 09:44:27.674993038 CET | 53784 | 53 | 192.168.2.5 | 8.8.8.8
                                               Feb 28, 2021 09:44:27.685625076 CET | 53 | 54302 | 8.8.8.8 | 192.168.2.5
                                               Feb 28, 2021 09:44:27.725671053 CET | 53 | 53784 | 8.8.8.8 | 192.168.2.5
                                               Feb 28, 2021 09:44:27.809909105 CET | 65307 | 53 | 192.168.2.5 | 8.8.8.8
                                               Feb 28, 2021 09:44:27.861484051 CET | 53 | 65307 | 8.8.8.8 | 192.168.2.5
                                               Feb 28, 2021 09:44:27.985306025 CET | 64344 | 53 | 192.168.2.5 | 8.8.8.8
                                               Feb 28, 2021 09:44:28.035031080 CET | 53 | 64344 | 8.8.8.8 | 192.168.2.5
                                               Feb 28, 2021 09:44:28.126456022 CET | 62060 | 53 | 192.168.2.5 | 8.8.8.8
                                               Feb 28, 2021 09:44:28.175209999 CET | 53 | 62060 | 8.8.8.8 | 192.168.2.5
                                               Feb 28, 2021 09:44:28.985852003 CET | 61805 | 53 | 192.168.2.5 | 8.8.8.8
                                               Feb 28, 2021 09:44:29.042948961 CET | 53 | 61805 | 8.8.8.8 | 192.168.2.5
                                               Feb 28, 2021 09:44:29.961020947 CET | 54795 | 53 | 192.168.2.5 | 8.8.8.8
                                               Feb 28, 2021 09:44:30.009799957 CET | 53 | 54795 | 8.8.8.8 | 192.168.2.5
                                               Feb 28, 2021 09:44:30.787404060 CET | 49557 | 53 | 192.168.2.5 | 8.8.8.8
                                               Feb 28, 2021 09:44:30.845807076 CET | 53 | 49557 | 8.8.8.8 | 192.168.2.5
                                               Feb 28, 2021 09:44:30.905581951 CET | 61733 | 53 | 192.168.2.5 | 8.8.8.8
                                               Feb 28, 2021 09:44:30.954255104 CET | 53 | 61733 | 8.8.8.8 | 192.168.2.5
                                               Feb 28, 2021 09:44:32.706662893 CET | 65447 | 53 | 192.168.2.5 | 8.8.8.8
                                               Feb 28, 2021 09:44:32.763690948 CET | 53 | 65447 | 8.8.8.8 | 192.168.2.5
                                               Feb 28, 2021 09:44:34.392944098 CET | 52441 | 53 | 192.168.2.5 | 8.8.8.8
                                               Feb 28, 2021 09:44:34.453058004 CET | 53 | 52441 | 8.8.8.8 | 192.168.2.5
                                               Feb 28, 2021 09:44:35.675937891 CET | 62176 | 53 | 192.168.2.5 | 8.8.8.8
                                               Feb 28, 2021 09:44:35.727477074 CET | 53 | 62176 | 8.8.8.8 | 192.168.2.5
                                               Feb 28, 2021 09:44:44.549438953 CET | 59596 | 53 | 192.168.2.5 | 8.8.8.8
                                               Feb 28, 2021 09:44:44.606563091 CET | 53 | 59596 | 8.8.8.8 | 192.168.2.5
                                               Feb 28, 2021 09:44:45.369242907 CET | 65296 | 53 | 192.168.2.5 | 8.8.8.8
                                               Feb 28, 2021 09:44:45.547718048 CET | 53 | 65296 | 8.8.8.8 | 192.168.2.5
                                               Feb 28, 2021 09:44:45.734170914 CET | 63183 | 53 | 192.168.2.5 | 8.8.8.8
                                               Feb 28, 2021 09:44:45.784759998 CET | 53 | 63183 | 8.8.8.8 | 192.168.2.5
                                               Feb 28, 2021 09:44:46.964463949 CET | 60151 | 53 | 192.168.2.5 | 8.8.8.8
                                               Feb 28, 2021 09:44:47.014899015 CET | 53 | 60151 | 8.8.8.8 | 192.168.2.5
                                               Feb 28, 2021 09:44:48.139588118 CET | 56969 | 53 | 192.168.2.5 | 8.8.8.8
                                               Feb 28, 2021 09:44:48.188465118 CET | 53 | 56969 | 8.8.8.8 | 192.168.2.5
                                               Feb 28, 2021 09:44:58.277153015 CET | 55161 | 53 | 192.168.2.5 | 8.8.8.8
                                               Feb 28, 2021 09:44:58.339823008 CET | 53 | 55161 | 8.8.8.8 | 192.168.2.5
                                               Feb 28, 2021 09:45:02.681272984 CET | 54757 | 53 | 192.168.2.5 | 8.8.8.8
                                               Feb 28, 2021 09:45:02.731597900 CET | 53 | 54757 | 8.8.8.8 | 192.168.2.5
                                               Feb 28, 2021 09:45:23.230042934 CET | 49992 | 53 | 192.168.2.5 | 8.8.8.8
                                               Feb 28, 2021 09:45:23.280354977 CET | 53 | 49992 | 8.8.8.8 | 192.168.2.5
                                               Feb 28, 2021 09:45:25.573909998 CET | 60075 | 53 | 192.168.2.5 | 8.8.8.8
                                               Feb 28, 2021 09:45:25.622632027 CET | 53 | 60075 | 8.8.8.8 | 192.168.2.5
                                               Feb 28, 2021 09:45:35.503078938 CET | 55016 | 53 | 192.168.2.5 | 8.8.8.8
                                               Feb 28, 2021 09:45:35.561177969 CET | 53 | 55016 | 8.8.8.8 | 192.168.2.5
                                               Feb 28, 2021 09:45:58.166259050 CET | 64345 | 53 | 192.168.2.5 | 8.8.8.8
                                               Feb 28, 2021 09:45:58.240041018 CET | 53 | 64345 | 8.8.8.8 | 192.168.2.5
                                               Feb 28, 2021 09:46:14.109016895 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8
                                               Feb 28, 2021 09:46:14.157958031 CET | 53 | 57128 | 8.8.8.8 | 192.168.2.5
                                               Feb 28, 2021 09:46:15.580590010 CET | 54791 | 53 | 192.168.2.5 | 8.8.8.8
                                               Feb 28, 2021 09:46:15.657416105 CET | 53 | 54791 | 8.8.8.8 | 192.168.2.5

                                              DNS Queries

                                               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                               Feb 28, 2021 09:44:45.369242907 CET | 192.168.2.5 | 8.8.8.8 | 0xcb29 | Standard query (0) | alex4386networks.mooo.com | A (IP address) | IN (0x0001)

                                              DNS Answers

                                               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                               Feb 28, 2021 09:44:45.547718048 CET | 8.8.8.8 | 192.168.2.5 | 0xcb29 | Name error (3) | alex4386networks.mooo.com | none | none | A (IP address) | IN (0x0001)

                                              Code Manipulations

                                              Statistics

                                              CPU Usage


                                              Memory Usage


                                              High Level Behavior Distribution


                                              System Behavior

                                              General

                                              Start time:09:44:34
                                              Start date:28/02/2021
                                              Path:C:\Users\user\Desktop\E3rDVPhyAf.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Users\user\Desktop\E3rDVPhyAf.exe'
                                              Imagebase:0x70000
                                              File size:951296 bytes
                                              MD5 hash:477E66EB6C969823890EAA56105A3801
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_hidden_tear, Description: Yara detected HiddenTear ransomware, Source: 00000000.00000000.220308263.0000000000072000.00000002.00020000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_hidden_tear, Description: Yara detected HiddenTear ransomware, Source: 00000000.00000002.485903265.0000000000072000.00000002.00020000.sdmp, Author: Joe Security
                                              Reputation:low

                                              Disassembly

                                              Code Analysis


                                                Executed Functions

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.494968335.0000000006AB0000.00000040.00000001.sdmp, Offset: 06AB0000, based on PE: false
                                                Similarity
                                                • API ID: DispatchMessage
                                                • String ID:
                                                • API String ID: 2061451462-0
                                                • Opcode ID: f960bea1e267e320dbd26254be297068b848380b53048697945790d0e77e5516
                                                • Instruction ID: c81833e7b9517ba33c786a7337a2cb37b7711ca0d052849848350ce516433b4d
                                                • Opcode Fuzzy Hash: f960bea1e267e320dbd26254be297068b848380b53048697945790d0e77e5516
                                                • Instruction Fuzzy Hash: 0DF12B30E00208CFEB54EFA5C944B9DBBF6BF88314F559568D409AF2A6DB70E945CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.488233804.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f60d18eb308a6555fef12b8c6c2415e5a5502d4bc86a65f5b59728c2fbe09a25
                                                • Instruction ID: 6e47b0d7f94e928bc826d42022327cdbfc0279788fc5846337c3a691b078a341
                                                • Opcode Fuzzy Hash: f60d18eb308a6555fef12b8c6c2415e5a5502d4bc86a65f5b59728c2fbe09a25
                                                • Instruction Fuzzy Hash: 5AC127B1C11B458BD714CFB9ED882897BA1BB85368F514309F2616BAF0D7B4118BEF84
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 00A0B710
                                                • GetCurrentThread.KERNEL32 ref: 00A0B74D
                                                • GetCurrentProcess.KERNEL32 ref: 00A0B78A
                                                • GetCurrentThreadId.KERNEL32 ref: 00A0B7E3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.488233804.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: aba849a9f4732b330487976d28ad50c6e0133722988f1c8ef34c7772153f7ab1
                                                • Instruction ID: ed1b7047a8447b6d9ec13f97ed3d88c9c62bcf594664378c94e7cf6d56137eb9
                                                • Opcode Fuzzy Hash: aba849a9f4732b330487976d28ad50c6e0133722988f1c8ef34c7772153f7ab1
                                                • Instruction Fuzzy Hash: ED5159B09056498FDB14CFA9D6487DEBBF1BF89304F148499D409A73A0C7749948CF29
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 00A0B710
                                                • GetCurrentThread.KERNEL32 ref: 00A0B74D
                                                • GetCurrentProcess.KERNEL32 ref: 00A0B78A
                                                • GetCurrentThreadId.KERNEL32 ref: 00A0B7E3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.488233804.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: 17d512bac87a0bad9dd17e30fe7c286503fe964664195c7e81eec0c826943005
                                                • Instruction ID: 69617389849f0da7b29c7b9202db93d15596019d8b6bc42a7b8f86026bef2a30
                                                • Opcode Fuzzy Hash: 17d512bac87a0bad9dd17e30fe7c286503fe964664195c7e81eec0c826943005
                                                • Instruction Fuzzy Hash: 5C5166B09016088FDB14CFA9D6487DEBBF0BF89304F108459E409A32A0C774A888CF69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00A098F6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.488233804.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID: pNf$pNf
                                                • API String ID: 4139908857-3819835515
                                                • Opcode ID: 1e7ca69ddc35a8ee9961158098cb24faf4bf88c0e34024733175cab1d2d3f1e7
                                                • Instruction ID: 448773c4a628ecb8499ed2b6a87a62d5f5c32d5a9ab8f8745c3dde8f3c44ed08
                                                • Opcode Fuzzy Hash: 1e7ca69ddc35a8ee9961158098cb24faf4bf88c0e34024733175cab1d2d3f1e7
                                                • Instruction Fuzzy Hash: AE711470A00B098FDB24DF6AD15569BB7F1BF88304F108929D48AD7B91DB35E84ACB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserCallbackDispatcher.NTDLL(00000003,00000000,00000000,00000000,?,00000000,00000000), ref: 06AB0888
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.494968335.0000000006AB0000.00000040.00000001.sdmp, Offset: 06AB0000, based on PE: false
                                                Similarity
                                                • API ID: CallbackDispatcherUser
                                                • String ID:
• API String ID: 2492992576-0
• Opcode ID: 381b6c48dd042bed09727253909f486908b9a4374de0108a97d776f0a1eb3857
• Instruction ID: 9ce490c3fe78c9c0c06c66d69826bd7b2e84bcd0d166756fe6877e382bc1d2c3
• Opcode Fuzzy Hash: 381b6c48dd042bed09727253909f486908b9a4374de0108a97d776f0a1eb3857
• Instruction Fuzzy Hash: B2413D71B002049FDB54EFA9C8859AEBBF5FF88314F155069E505EB362DA31ED41CBA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00A0FE2A
Memory Dump Source
• Source File: 00000000.00000002.488233804.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 39f65592abe8de28e89fa869f3184c30e487e0af94d9825ac5833d7789a54ad3
• Instruction ID: 967757d507264f70e282f0f3246aefeb2e03d203e83bfb4ac6b71c6a95e255a0
• Opcode Fuzzy Hash: 39f65592abe8de28e89fa869f3184c30e487e0af94d9825ac5833d7789a54ad3
• Instruction Fuzzy Hash: 3351DFB1D04308DFDB24CFA9D984ADEFBB1BF48314F24812AE818AB251D7709985CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00A0FE2A
Memory Dump Source
• Source File: 00000000.00000002.488233804.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: a268d4f4d118ae0c2097911f9c357b0f2cc991ff857886038a68f6489deebc88
• Instruction ID: 4870e0c366a764f544a67c2ef104807d503a382306c6d21b4b9da51ec756b3da
• Opcode Fuzzy Hash: a268d4f4d118ae0c2097911f9c357b0f2cc991ff857886038a68f6489deebc88
• Instruction Fuzzy Hash: 1441D0B1D00308DFDB14CF99D984ADEFBB5BF48314F24812AE818AB251D7709985CF90
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateActCtxA.KERNEL32(?), ref: 00A05401
Memory Dump Source
• Source File: 00000000.00000002.488233804.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 7a6d0b4faa2eb90ee7ec92ed85ed2b9625757db344ad1cf9d2595b60d1db426e
• Instruction ID: 9c84972748dfe5623acab5d127a21b3a7ec81486ca4033ab68853e3cafd54622
• Opcode Fuzzy Hash: 7a6d0b4faa2eb90ee7ec92ed85ed2b9625757db344ad1cf9d2595b60d1db426e
• Instruction Fuzzy Hash: 0F410370C04618CFDB24CFA9C8847CEBBB5BF89304F24806AD409AB291D775598ACF90
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateActCtxA.KERNEL32(?), ref: 00A05401
Memory Dump Source
• Source File: 00000000.00000002.488233804.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 9d23351d28e8578c41715df24ec29e4e30765f5693adf7060410270dfcfeddf7
• Instruction ID: 4c84b40eaf63f5a21d703f646490ac1d49b631d70fee623945b52769754c299a
• Opcode Fuzzy Hash: 9d23351d28e8578c41715df24ec29e4e30765f5693adf7060410270dfcfeddf7
• Instruction Fuzzy Hash: 6641F271C0461CCBDB24CFA9C8847DEBBB5BF49304F248469D409BB291DB755989CF90
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.494968335.0000000006AB0000.00000040.00000001.sdmp, Offset: 06AB0000, based on PE: false
Similarity
• API ID: ActiveWindow
• String ID:
• API String ID: 2558294473-0
• Opcode ID: 3a920f5b5085fbc19f85be4d878cae5746e437c1172b733936bd1eae191cd291
• Instruction ID: 9e1ec5ae1148b6f4bd0773811d72609e5413294520d06fcb6ba186177c157962
• Opcode Fuzzy Hash: 3a920f5b5085fbc19f85be4d878cae5746e437c1172b733936bd1eae191cd291
• Instruction Fuzzy Hash: 5F319071D002448FEBA0EFA6C9887EEBBF8BF89318F14942DD51566242D7749059DF60
Uniqueness
Uniqueness Score: -1.00%

APIs
• DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,06ABEFF5,?,?), ref: 06ABF0A7
Memory Dump Source
• Source File: 00000000.00000002.494968335.0000000006AB0000.00000040.00000001.sdmp, Offset: 06AB0000, based on PE: false
Similarity
• API ID: DrawText
• String ID:
• API String ID: 2175133113-0
• Opcode ID: 6964eee1bcc364c3c1c01acedb0d83748970ba6056df02d90b63d60666d5a289
• Instruction ID: b384c07728e273529d2ca24a5e9cf1842a3e0e708b332791b1c283bba8170983
• Opcode Fuzzy Hash: 6964eee1bcc364c3c1c01acedb0d83748970ba6056df02d90b63d60666d5a289
• Instruction Fuzzy Hash: DA31E3B5D002099FDB10DF9AD884ADEFBF8FB48324F18842AE815A7211D775A944CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A0B95F
Memory Dump Source
• Source File: 00000000.00000002.488233804.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 980a6fd58762c51ee439812f50703e30d223c079bb5e66db7f387876bb0690e0
• Instruction ID: 03dc97568e19652c9bc75bfc29e38fa494baec3dc75a43cd27af89757ff0c551
• Opcode Fuzzy Hash: 980a6fd58762c51ee439812f50703e30d223c079bb5e66db7f387876bb0690e0
• Instruction Fuzzy Hash: 972100B5900208EFCB10CFA9D984AEEFBF4EB48324F14841AE954B3250C378A945CF61
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A0B95F
Memory Dump Source
• Source File: 00000000.00000002.488233804.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 2b41a879384239721ea3534f95ede1d1a93d3f115267ca30e634fbbc3a9aaff3
• Instruction ID: 012e97cfc9fe29515a76e844736ad2c5a67c9c17e4655ba881321367a804d07b
• Opcode Fuzzy Hash: 2b41a879384239721ea3534f95ede1d1a93d3f115267ca30e634fbbc3a9aaff3
• Instruction Fuzzy Hash: 1221B0B5904208EFDB10CFA9D984ADEFBF8EB48324F14841AE954B3250D374A954DFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00A09971,00000800,00000000,00000000), ref: 00A09B82
Memory Dump Source
• Source File: 00000000.00000002.488233804.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: b9d92f7afdab0d5a26b15bcaaf9c1b3fca2e0ebcdc281ac20f2a6cada5ba68e8
• Instruction ID: acec5ad212968b1e520f18047de9358eec34754318a03b9b5a595650706b6cbd
• Opcode Fuzzy Hash: b9d92f7afdab0d5a26b15bcaaf9c1b3fca2e0ebcdc281ac20f2a6cada5ba68e8
• Instruction Fuzzy Hash: 701103B69042098FCB10CF9AD544ADFFBF8EB89324F14842AE415A7241C375A945CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserCallbackDispatcher.NTDLL(?,?,00000000,00000000,?,?,?,06AB556F,00000000,035440C4,025601EC,00000000,?), ref: 06AB5CCD
Memory Dump Source
• Source File: 00000000.00000002.494968335.0000000006AB0000.00000040.00000001.sdmp, Offset: 06AB0000, based on PE: false
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 4286cd7600c1bbfc0a41bb383fad1c62d1ea70aa94d62f08cfba83a6682cc332
• Instruction ID: 5cbe372979aaaca7ec507eaf31a63d539ba034d1fe4a8e566e66eb7d47086fd1
• Opcode Fuzzy Hash: 4286cd7600c1bbfc0a41bb383fad1c62d1ea70aa94d62f08cfba83a6682cc332
• Instruction Fuzzy Hash: 0E11D3B1D042499FDB10DF9AD984BDEBBF8FB49320F04842AE854A7241D378A544DFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00A09971,00000800,00000000,00000000), ref: 00A09B82
Memory Dump Source
• Source File: 00000000.00000002.488233804.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 77a03aa3986902eb09bc864c2d3df7d569337791f1fdf99b4f73b18957a121cf
• Instruction ID: c373a56f010331ee03c09e42b3cbb1a2ced4472e9d97e912f2722cc2d8c464ff
• Opcode Fuzzy Hash: 77a03aa3986902eb09bc864c2d3df7d569337791f1fdf99b4f73b18957a121cf
• Instruction Fuzzy Hash: FB1144B68002088FCB20CFAAD484ADEFBF4AB88324F14841ED415B7240C379A945CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• PeekMessageW.USER32(?,?,?,?,?), ref: 06AB5930
Memory Dump Source
• Source File: 00000000.00000002.494968335.0000000006AB0000.00000040.00000001.sdmp, Offset: 06AB0000, based on PE: false
Similarity
• API ID: MessagePeek
• String ID:
• API String ID: 2222842502-0
• Opcode ID: 3bfd1e9adcfedd40cf98729223df9345eb66198ff20e5db548c8d8d37aa04c78
• Instruction ID: dc5de2b1f23940d6db2de2b21140a3b4abb05d019ba0112d2821f85582c979bc
• Opcode Fuzzy Hash: 3bfd1e9adcfedd40cf98729223df9345eb66198ff20e5db548c8d8d37aa04c78
• Instruction Fuzzy Hash: F911E2B5C042099FDB10CF9AD984BDEBBF8FB48320F04842AE954A3241C378A945DFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,06AB5627), ref: 06AB65A5
Memory Dump Source
• Source File: 00000000.00000002.494968335.0000000006AB0000.00000040.00000001.sdmp, Offset: 06AB0000, based on PE: false
Similarity
• API ID: DispatchMessage
• String ID:
• API String ID: 2061451462-0
• Opcode ID: 81b13be29dcccc162d135e7fa774e676edab2396043af0a2bee678ff8b93abd8
• Instruction ID: 47ac54e979a2725887a1e4c56c58f8253404b2dee33f4fbbc68f508273c316ad
• Opcode Fuzzy Hash: 81b13be29dcccc162d135e7fa774e676edab2396043af0a2bee678ff8b93abd8
• Instruction Fuzzy Hash: 161133B1C042488FCB10DF9AD544BCEFBF8EB48324F00852AD818B7241C378A545CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00A098F6
Memory Dump Source
• Source File: 00000000.00000002.488233804.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 25d17baf1aec62a67d1b331090ed53507058380c6b0b96f37cd68f59b7e8ba1d
• Instruction ID: 7b26610b5ec6ba42dd51328aece2bcada806e5d6f1d555e652197b539017dd16
• Opcode Fuzzy Hash: 25d17baf1aec62a67d1b331090ed53507058380c6b0b96f37cd68f59b7e8ba1d
• Instruction Fuzzy Hash: 561110B5D002498FCB20CF9AD444BDEFBF4EB89324F14841AD829B7241D375A549CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,06AB5627), ref: 06AB65A5
Memory Dump Source
• Source File: 00000000.00000002.494968335.0000000006AB0000.00000040.00000001.sdmp, Offset: 06AB0000, based on PE: false
Similarity
• API ID: DispatchMessage
• String ID:
• API String ID: 2061451462-0
• Opcode ID: 69e8bea10db9e9216c4f2acab4a6d7ce89e6ee82c3d147479ddb447c0d1feea4
• Instruction ID: 4edbdd976355bd2fb0022d38f0bdba208af9610c77e73322d93b225f040836d3
• Opcode Fuzzy Hash: 69e8bea10db9e9216c4f2acab4a6d7ce89e6ee82c3d147479ddb447c0d1feea4
• Instruction Fuzzy Hash: E61122B4C046488FCB20DF9AD544BDEFBF8EB48324F00851AE818B7201D374A544CFA5
Uniqueness
Uniqueness Score: -1.00%

Non-executed Functions

APIs
• GetKeyState.USER32(00000001), ref: 06AB7355
• GetKeyState.USER32(00000002), ref: 06AB739A
• GetKeyState.USER32(00000004), ref: 06AB73DF
• GetKeyState.USER32(00000005), ref: 06AB7424
• GetKeyState.USER32(00000006), ref: 06AB7469
Memory Dump Source
• Source File: 00000000.00000002.494968335.0000000006AB0000.00000040.00000001.sdmp, Offset: 06AB0000, based on PE: false
Similarity
• API ID: State
• String ID:
• API String ID: 1649606143-0
• Opcode ID: f457304c47b42553499ef972c0a7245c567e39601466493802545151f7194b96
• Instruction ID: 26896265449a8e6effb8b49f7b8beec9d060ddd44115a5108a5a20c92d697bd3
• Opcode Fuzzy Hash: f457304c47b42553499ef972c0a7245c567e39601466493802545151f7194b96
• Instruction Fuzzy Hash: 9541B270D047458EDB22CFA9CA487EFBFF8AB45309F10848AD454B6281C3B9964DCBA5
Uniqueness
Uniqueness Score: -1.00%
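
Added triage example (not part of the Joe Sandbox report): a Python script that parses function blocks in the layout above and decodes the virtual-key codes handed to GetKeyState. The five codes polled by the non-executed function listed here (0x01, 0x02, 0x04, 0x05, 0x06) are VK_LBUTTON, VK_RBUTTON, VK_MBUTTON, VK_XBUTTON1 and VK_XBUTTON2, i.e. mouse buttons, in the same order the WinForms Control.MouseButtons getter queries them; that is the usual benign origin of the "key state polling" signature in .NET GUI programs, and the function did not run in this analysis. A keystroke logger polls keyboard codes (letters, digits, VK_RETURN and so on) instead, which the script reports as a separate verdict. The sample input is constructed: its first block copies the GetKeyState entry above, its second block (GetAsyncKeyState on 0x41, 0x42, 0x0D at a made-up PE-backed address with an all-zero Opcode ID) is hypothetical and exists only to show the contrasting result.

```python
import re
from typing import Dict, List

# Constructed sample input in the layout of the report blocks above. The first
# block copies the GetKeyState entry listed under "Non-executed Functions"; the
# second block is hypothetical (invented address, zero Opcode ID) and only
# exists to show the contrasting verdict for keyboard-key polling.
SAMPLE_REPORT = """\
APIs
• GetKeyState.USER32(00000001), ref: 06AB7355
• GetKeyState.USER32(00000002), ref: 06AB739A
• GetKeyState.USER32(00000004), ref: 06AB73DF
• GetKeyState.USER32(00000005), ref: 06AB7424
• GetKeyState.USER32(00000006), ref: 06AB7469
Memory Dump Source
• Source File: 00000000.00000002.494968335.0000000006AB0000.00000040.00000001.sdmp, Offset: 06AB0000, based on PE: false
Similarity
• API ID: State
• String ID:
• API String ID: 1649606143-0
• Opcode ID: f457304c47b42553499ef972c0a7245c567e39601466493802545151f7194b96
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetAsyncKeyState.USER32(00000041), ref: 00401000
• GetAsyncKeyState.USER32(00000042), ref: 00401010
• GetAsyncKeyState.USER32(0000000D), ref: 00401020
Memory Dump Source
• Source File: hypothetical.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: State
• Opcode ID: 0000000000000000000000000000000000000000000000000000000000000000
Uniqueness
Uniqueness Score: -1.00%
"""

# Virtual-key codes 0x01-0x06 are mouse buttons. A keystroke logger polls
# keyboard codes instead (letters 0x41-0x5A, digits 0x30-0x39, VK_RETURN 0x0D).
MOUSE_VKS = {0x01: "VK_LBUTTON", 0x02: "VK_RBUTTON", 0x04: "VK_MBUTTON",
             0x05: "VK_XBUTTON1", 0x06: "VK_XBUTTON2"}
KEYSTATE_APIS = {"GetKeyState", "GetAsyncKeyState"}

# "• Api.MODULE(arg,arg,...), ref: ADDRESS"
API_LINE = re.compile(r"^•\s*(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")
# "• Field Name: value"
FIELD_LINE = re.compile(r"^•\s*([^:]+):\s*(.*)$")


def parse_blocks(text: str) -> List[Dict]:
    """Split report text into function blocks; a 'Uniqueness Score' line closes one."""
    blocks, cur = [], {"apis": [], "fields": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = API_LINE.match(line)
        if m:
            api, module, args, ref = m.groups()
            cur["apis"].append({"api": api, "module": module,
                                "args": [a.strip() for a in args.split(",")] if args else [],
                                "ref": ref})
            continue
        m = FIELD_LINE.match(line)
        if m:
            cur["fields"][m.group(1).strip()] = m.group(2).strip()
            continue
        if line.startswith("Uniqueness Score"):
            blocks.append(cur)
            cur = {"apis": [], "fields": {}}
    return blocks


def polled_keys(block: Dict) -> List[int]:
    """Virtual-key codes passed as first argument to GetKeyState/GetAsyncKeyState."""
    keys = []
    for call in block["apis"]:
        if call["api"] in KEYSTATE_APIS and call["args"]:
            arg = call["args"][0]
            if re.fullmatch(r"[0-9A-Fa-f]{8}", arg):  # skip unresolved '?' arguments
                keys.append(int(arg, 16))
    return keys


def classify_polling(keys: List[int]) -> str:
    if not keys:
        return "none"
    if all(k in MOUSE_VKS for k in keys):
        return "mouse-buttons"   # same codes the WinForms Control.MouseButtons getter reads
    return "keyboard"            # keystroke capture: treat as keylogger evidence


def triage(text: str) -> List[Dict]:
    results = []
    for b in parse_blocks(text):
        keys = polled_keys(b)
        results.append({
            "opcode_id": b["fields"].get("Opcode ID", ""),
            "keys": [MOUSE_VKS.get(k, "0x%02X" % k) for k in keys],
            "verdict": classify_polling(keys),
            # "based on PE: false" means the dump is not backed by a file on disk
            # (here JIT-compiled .NET code), so the function has no file offset
            # in the sample and must be matched by its hashes instead.
            "pe_backed": "based on PE: true" in b["fields"].get("Source File", ""),
        })
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_REPORT):
        print(r["opcode_id"][:16], r["verdict"], r["keys"], "pe_backed=%s" % r["pe_backed"])
```

Run the script against a saved copy of the report text in place of SAMPLE_REPORT; any block whose verdict is "keyboard" deserves a look at the surrounding function in the dump, whereas a "mouse-buttons" block at a non-PE-backed address is the runtime reading mouse state for a form.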

Memory Dump Source
• Source File: 00000000.00000002.488233804.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8a2f261283bc3d705298b7066b8cf27269082342b54eb818044e335312f558b9
• Instruction ID: 7a3a5fff44b3fe018932cccebedb4dd90f84ab24341ed70f1e008ec863a6a4da
• Opcode Fuzzy Hash: 8a2f261283bc3d705298b7066b8cf27269082342b54eb818044e335312f558b9
• Instruction Fuzzy Hash: 9E1283F1C11F468AD710CFB9ED9C2897BA1B7453A8B904309E2616BAF1D7B4114BEF84
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.488233804.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 439b5e82732cdd3166a36c77af8b2c94f1d9e05abf87a0d5856d11c018ab8dcb
• Instruction ID: c8d7390e59c0997907b510075a39ed239661339eb02c1c2eec607cc6f46d1e3f
• Opcode Fuzzy Hash: 439b5e82732cdd3166a36c77af8b2c94f1d9e05abf87a0d5856d11c018ab8dcb
• Instruction Fuzzy Hash: 3CA17C32E002198FCF05DFF5D9445DEBBB2FF89300B15826AE905BB2A1EB31A945CB40
Uniqueness
Uniqueness Score: -1.00%