
Windows Analysis Report
solo.exe

Overview

General Information

Sample Name: solo.exe
Analysis ID: 562281
MD5: 509c2c9cf7e281ddde8289d7d9c1a14a
SHA1: f96470590239cf2b0581587a1237d420bfe8f456
SHA256: 4601621cfda56bc05c74eb9e906d082fe613dedbdd07fcec0dc9ba02e3f37a00
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • solo.exe (PID: 7008 cmdline: "C:\Users\user\Desktop\solo.exe" MD5: 509C2C9CF7E281DDDE8289D7D9C1A14A)
    • solo.exe (PID: 6456 cmdline: C:\Users\user\Desktop\solo.exe MD5: 509C2C9CF7E281DDDE8289D7D9C1A14A)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "az@gcmce.com", "Password": "n(aGI^pW6", "Host": "us2.smtp.mailhostbox.com"}
Source | Rule | Description | Author | Strings
0000000C.00000000.312220337.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000C.00000000.312220337.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000000C.00000002.525058880.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000C.00000002.525058880.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000C.00000002.525058880.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x20cf:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time
  • 0x2bf1:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401
  • 0x1f64:$m4: %startupfolder%\%insfolder%\%insname%/\%insfolder%\Software\Microsoft\Windows\CurrentVersion\Run%insregname%SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\RunTruehttp
  • 0x21f0:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
Source | Rule | Description | Author | Strings
12.0.solo.exe.400000.10.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
12.0.solo.exe.400000.10.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
12.0.solo.exe.400000.10.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x30d27:$s1: get_kbok
  • 0x3165b:$s2: get_CHoo
  • 0x322b6:$s3: set_passwordIsSet
  • 0x30b2b:$s4: get_enableLog
  • 0x351d3:$s8: torbrowser
  • 0x33baf:$s10: logins
  • 0x33527:$s11: credential
  • 0x2ff10:$g1: get_Clipboard
  • 0x2ff1e:$g2: get_Keyboard
  • 0x2ff2b:$g3: get_Password
  • 0x31509:$g4: get_CtrlKeyDown
  • 0x31519:$g5: get_ShiftKeyDown
  • 0x3152a:$g6: get_AltKeyDown
2.2.solo.exe.4127bf0.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.2.solo.exe.4127bf0.3.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
                  No Sigma rule has matched

                  AV Detection

Source: 12.0.solo.exe.400000.8.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "az@gcmce.com", "Password": "n(aGI^pW6", "Host": "us2.smtp.mailhostbox.com"}
Source: solo.exe | Joe Sandbox ML: detected
Source: 12.0.solo.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 12.0.solo.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 12.0.solo.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 12.2.solo.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 12.0.solo.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 12.0.solo.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: solo.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: solo.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ICustomFacto.pdb source: solo.exe
Source: solo.exe, 0000000C.00000002.525058880.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: solo.exe, 0000000C.00000002.525058880.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: solo.exe, 00000002.00000002.315797276.0000000003001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://blog.iandreev.com
Source: solo.exe, 00000002.00000002.315797276.0000000003001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://blog.iandreev.com/
Source: solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: solo.exe, 00000002.00000002.315516689.0000000001617000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comahE
Source: solo.exe, 00000002.00000002.315516689.0000000001617000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comgrito
Source: solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: solo.exe, 0000000C.00000002.525058880.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://znWMYc.com
Source: solo.exe, 0000000C.00000002.525058880.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: solo.exe, 00000002.00000002.317663108.0000000004127000.00000004.00000800.00020000.00000000.sdmp, solo.exe, 0000000C.00000000.312220337.0000000000402000.00000040.00000400.00020000.00000000.sdmp, solo.exe, 0000000C.00000000.309960497.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: solo.exe, 0000000C.00000002.525058880.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: solo.exe, 00000002.00000002.314957977.00000000013BB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                  System Summary

Source: 12.0.solo.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.2.solo.exe.4127bf0.3.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.2.solo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.0.solo.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.0.solo.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.0.solo.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.2.solo.exe.304d9bc.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 12.0.solo.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.2.solo.exe.415de10.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.2.solo.exe.415de10.4.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.2.solo.exe.4127bf0.3.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0000000C.00000002.525058880.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: solo.exe PID: 6456, type: MEMORYSTR | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: solo.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 12.0.solo.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.2.solo.exe.4127bf0.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.2.solo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.0.solo.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.0.solo.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.0.solo.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.2.solo.exe.304d9bc.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 12.0.solo.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.2.solo.exe.415de10.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.2.solo.exe.415de10.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.2.solo.exe.4127bf0.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0000000C.00000002.525058880.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: solo.exe PID: 6456, type: MEMORYSTR | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\Desktop\solo.exe | Code function: 2_2_015FA20F
Source: C:\Users\user\Desktop\solo.exe | Code function: 2_2_015F76C8
Source: C:\Users\user\Desktop\solo.exe | Code function: 2_2_015F76B7
Source: C:\Users\user\Desktop\solo.exe | Code function: 2_2_015F7918
Source: C:\Users\user\Desktop\solo.exe | Code function: 2_2_015F7909
Source: C:\Users\user\Desktop\solo.exe | Code function: 12_2_010146A0
Source: C:\Users\user\Desktop\solo.exe | Code function: 12_2_010145B0
Source: C:\Users\user\Desktop\solo.exe | Process Stats: CPU usage > 98%
Source: solo.exe, 00000002.00000002.319385029.0000000007F90000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs solo.exe
Source: solo.exe, 00000002.00000002.314957977.00000000013BB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs solo.exe
Source: solo.exe, 00000002.00000000.254804202.0000000000C78000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameICustomFacto.exe4 vs solo.exe
Source: solo.exe, 00000002.00000002.317663108.0000000004127000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameyWNSFzUaTovTAbzAJvXKUHfXSGXvjvcALTDJlYT.exe4 vs solo.exe
Source: solo.exe, 00000002.00000002.317663108.0000000004127000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs solo.exe
Source: solo.exe, 00000002.00000002.315797276.0000000003001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs solo.exe
Source: solo.exe, 00000002.00000002.315797276.0000000003001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs solo.exe
Source: solo.exe, 00000002.00000002.315797276.0000000003001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameyWNSFzUaTovTAbzAJvXKUHfXSGXvjvcALTDJlYT.exe4 vs solo.exe
Source: solo.exe, 0000000C.00000002.523845370.00000000006A8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameICustomFacto.exe4 vs solo.exe
Source: solo.exe, 0000000C.00000000.312220337.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameyWNSFzUaTovTAbzAJvXKUHfXSGXvjvcALTDJlYT.exe4 vs solo.exe
Source: solo.exe | Binary or memory string: OriginalFilenameICustomFacto.exe4 vs solo.exe
Source: C:\Users\user\Desktop\solo.exe | File read: C:\Users\user\Desktop\solo.exe:Zone.Identifier
Source: solo.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\solo.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\solo.exe "C:\Users\user\Desktop\solo.exe"
Source: C:\Users\user\Desktop\solo.exe | Process created: C:\Users\user\Desktop\solo.exe C:\Users\user\Desktop\solo.exe
Source: C:\Users\user\Desktop\solo.exe | Process created: C:\Users\user\Desktop\solo.exe C:\Users\user\Desktop\solo.exe
Source: C:\Users\user\Desktop\solo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\solo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\solo.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\solo.exe.log
Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\solo.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\solo.exe | Mutant created: \Sessions\1\BaseNamedObjects\RxYwXe
Source: solo.exe, pz/FO.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 2.0.solo.exe.ba0000.0.unpack, pz/FO.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.solo.exe.ba0000.0.unpack, pz/FO.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 12.0.solo.exe.5d0000.3.unpack, pz/FO.cs | Cryptographic APIs: 'CreateDecryptor'
Source: C:\Users\user\Desktop\solo.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: solo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: solo.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: solo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ICustomFacto.pdb source: solo.exe

                  Data Obfuscation

Source: solo.exe, dD/eb.cs | .Net Code: BkU System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 2.0.solo.exe.ba0000.0.unpack, dD/eb.cs | .Net Code: BkU System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 2.2.solo.exe.ba0000.0.unpack, dD/eb.cs | .Net Code: BkU System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.0.solo.exe.5d0000.3.unpack, dD/eb.cs | .Net Code: BkU System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: solo.exe, pz/FO.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 2.0.solo.exe.ba0000.0.unpack, pz/FO.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 2.2.solo.exe.ba0000.0.unpack, pz/FO.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 12.0.solo.exe.5d0000.3.unpack, pz/FO.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: C:\Users\user\Desktop\solo.exe | Code function: 2_2_015F1C58 push ebx; iretd 2_2_015F1C7A
Source: C:\Users\user\Desktop\solo.exe | Code function: 2_2_05516500 push eax; ret 2_2_05516579
Source: C:\Users\user\Desktop\solo.exe | Code function: 2_2_0551A40F pushfd ; iretd 2_2_0551A41A
Source: C:\Users\user\Desktop\solo.exe | Code function: 2_2_0551A420 pushfd ; iretd 2_2_0551A53A
Source: C:\Users\user\Desktop\solo.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\solo.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\solo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: Yara match | File source: 2.2.solo.exe.304d9bc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.315937803.000000000310B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.315797276.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: solo.exe PID: 7008, type: MEMORYSTR
Source: solo.exe, 00000002.00000002.315937803.000000000310B000.00000004.00000800.00020000.00000000.sdmp, solo.exe, 00000002.00000002.315797276.0000000003001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: solo.exe, 00000002.00000002.315937803.000000000310B000.00000004.00000800.00020000.00000000.sdmp, solo.exe, 00000002.00000002.315797276.0000000003001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\solo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\solo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\solo.exe TID: 7012 | Thread sleep time: -34537s >= -30000s
Source: C:\Users\user\Desktop\solo.exe TID: 7052 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\solo.exe TID: 5624 | Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\Desktop\solo.exe TID: 5712 | Thread sleep count: 3317 > 30
Source: C:\Users\user\Desktop\solo.exe TID: 5712 | Thread sleep count: 6534 > 30
Source: C:\Users\user\Desktop\solo.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\solo.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\solo.exe | Window / User API: threadDelayed 3317
Source: C:\Users\user\Desktop\solo.exe | Window / User API: threadDelayed 6534
Source: C:\Users\user\Desktop\solo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\solo.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\solo.exe | Thread delayed: delay time: 34537
Source: C:\Users\user\Desktop\solo.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\solo.exe | Thread delayed: delay time: 922337203685477
Source: solo.exe, 00000002.00000002.315797276.0000000003001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: solo.exe, 00000002.00000002.315797276.0000000003001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: solo.exe, 00000002.00000002.315797276.0000000003001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: solo.exe, 00000002.00000002.315797276.0000000003001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\solo.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\solo.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\solo.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\solo.exe | Memory written: C:\Users\user\Desktop\solo.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\solo.exe | Process created: C:\Users\user\Desktop\solo.exe C:\Users\user\Desktop\solo.exe
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Users\user\Desktop\solo.exe VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\solo.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Users\user\Desktop\solo.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\solo.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match  File source: 12.0.solo.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match  File source: 2.2.solo.exe.4127bf0.3.unpack, type: UNPACKEDPE
Source: Yara match  File source: 12.2.solo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 12.0.solo.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match  File source: 12.0.solo.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match  File source: 12.0.solo.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match  File source: 12.0.solo.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match  File source: 2.2.solo.exe.415de10.4.unpack, type: UNPACKEDPE
Source: Yara match  File source: 2.2.solo.exe.415de10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 2.2.solo.exe.4127bf0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0000000C.00000000.312220337.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 0000000C.00000000.309960497.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 0000000C.00000000.311021655.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 0000000C.00000002.522648388.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 0000000C.00000000.311547014.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000002.317663108.0000000004127000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 0000000C.00000002.525058880.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: solo.exe PID: 7008, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: solo.exe PID: 6456, type: MEMORYSTR
Source: Yara match  File source: 0000000C.00000002.525058880.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: solo.exe PID: 6456, type: MEMORYSTR

Remote Access Functionality

Source: Yara match  File source: 12.0.solo.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match  File source: 2.2.solo.exe.4127bf0.3.unpack, type: UNPACKEDPE
Source: Yara match  File source: 12.2.solo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 12.0.solo.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match  File source: 12.0.solo.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match  File source: 12.0.solo.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match  File source: 12.0.solo.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match  File source: 2.2.solo.exe.415de10.4.unpack, type: UNPACKEDPE
Source: Yara match  File source: 2.2.solo.exe.415de10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 2.2.solo.exe.4127bf0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0000000C.00000000.312220337.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 0000000C.00000000.309960497.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 0000000C.00000000.311021655.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 0000000C.00000002.522648388.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 0000000C.00000000.311547014.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000002.317663108.0000000004127000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 0000000C.00000002.525058880.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: solo.exe PID: 7008, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: solo.exe PID: 6456, type: MEMORYSTR
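The two Yara sections above list the same artifact set, and the names carry more than the flat list shows: the unpacked PEs and memory dumps come from two different process indices (2 and 12), and the 0x402000 dumps from process 12 carry protection 0x40 where the heap dumps from process 2 carry 0x04. The script below, an added example that is not part of the Joe Sandbox report or of Joe Sandbox's own tooling, regroups the entries by process so that pattern is visible. The field layout of the .sdmp and .unpack names is an assumption inferred from the page (process index, snapshot number, base address and page protection are decoded because the page keeps them consistent; the remaining fields are kept raw), the 0x40 / 0x04 / 0x20000 decoding uses the winnt.h PAGE_EXECUTE_READWRITE, PAGE_READWRITE and MEM_PRIVATE constants, and the report gives no mapping from process index to the PIDs 7008 and 6456, so the script does not guess one.

```python
"""Regroup the Yara-match artifacts of a Joe Sandbox report by process.

Added example for this page, not part of the Joe Sandbox report or tooling.
The field layout of the .sdmp / .unpack names is an ASSUMPTION inferred from
the report; only the fields the page keeps consistent (process index,
snapshot, base address, page protection) are decoded, the rest stay raw.
"""
import re
from collections import defaultdict

# winnt.h constants used to decode the protection and region-type fields.
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000

# Memory dump (assumed layout):
# <proc idx hex>.<snapshot>.<dump id>.<base>.<protect>.<f6>.<region type>.<f8>.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<snap>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<rtype>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$"
)
# Unpacked PE (assumed layout): <proc idx>.<snapshot>.<image>.<base hex>.<n>[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<snap>\d+)\.(?P<name>.+?)\.(?P<base>[0-9A-Fa-f]+)\."
    r"(?P<n>\d+)(?P<raw>\.raw)?\.unpack$"
)
MEMSTR_RE = re.compile(r"^Process Memory Space: (?P<name>\S+) PID: (?P<pid>\d+)$")

# 'File source' entries copied from the report's two Yara sections (duplicates dropped).
REPORT_MATCHES = [
    ("12.0.solo.exe.400000.10.unpack", "UNPACKEDPE"),
    ("2.2.solo.exe.4127bf0.3.unpack", "UNPACKEDPE"),
    ("12.2.solo.exe.400000.0.unpack", "UNPACKEDPE"),
    ("12.0.solo.exe.400000.8.unpack", "UNPACKEDPE"),
    ("12.0.solo.exe.400000.12.unpack", "UNPACKEDPE"),
    ("12.0.solo.exe.400000.4.unpack", "UNPACKEDPE"),
    ("12.0.solo.exe.400000.6.unpack", "UNPACKEDPE"),
    ("2.2.solo.exe.415de10.4.unpack", "UNPACKEDPE"),
    ("2.2.solo.exe.415de10.4.raw.unpack", "UNPACKEDPE"),
    ("2.2.solo.exe.4127bf0.3.raw.unpack", "UNPACKEDPE"),
    ("0000000C.00000000.312220337.0000000000402000.00000040.00000400.00020000.00000000.sdmp", "MEMORY"),
    ("0000000C.00000000.309960497.0000000000402000.00000040.00000400.00020000.00000000.sdmp", "MEMORY"),
    ("0000000C.00000000.311021655.0000000000402000.00000040.00000400.00020000.00000000.sdmp", "MEMORY"),
    ("0000000C.00000002.522648388.0000000000402000.00000040.00000400.00020000.00000000.sdmp", "MEMORY"),
    ("0000000C.00000000.311547014.0000000000402000.00000040.00000400.00020000.00000000.sdmp", "MEMORY"),
    ("00000002.00000002.317663108.0000000004127000.00000004.00000800.00020000.00000000.sdmp", "MEMORY"),
    ("0000000C.00000002.525058880.0000000002A71000.00000004.00000800.00020000.00000000.sdmp", "MEMORY"),
    ("Process Memory Space: solo.exe PID: 7008", "MEMORYSTR"),
    ("Process Memory Space: solo.exe PID: 6456", "MEMORYSTR"),
]


def parse_artifact(source, kind):
    """Turn one 'File source: X, type: KIND' entry into a record dict."""
    if kind == "MEMORY" and (m := SDMP_RE.match(source)):
        protect = int(m["protect"], 16)
        return {"kind": kind, "proc": int(m["proc"], 16), "snap": int(m["snap"], 16),
                "base": int(m["base"], 16), "protect": protect,
                "rwx": protect == PAGE_EXECUTE_READWRITE,
                "private": int(m["rtype"], 16) == MEM_PRIVATE}
    if kind == "UNPACKEDPE" and (m := UNPACK_RE.match(source)):
        return {"kind": kind, "proc": int(m["proc"]), "snap": int(m["snap"]),
                "base": int(m["base"], 16), "name": m["name"], "raw": m["raw"] is not None}
    if kind == "MEMORYSTR" and (m := MEMSTR_RE.match(source)):
        # Whole-process string scan: identified by PID only, no process index.
        return {"kind": kind, "proc": None, "name": m["name"], "pid": int(m["pid"])}
    raise ValueError(f"unrecognised {kind} artifact: {source}")


def summarize(matches):
    """Group records by process index -> {bases, rwx_bases, snaps}."""
    out = defaultdict(lambda: {"bases": set(), "rwx_bases": set(), "snaps": set()})
    for source, kind in matches:
        rec = parse_artifact(source, kind)
        if rec["proc"] is None:  # MEMORYSTR entries carry a PID, not an index
            continue
        entry = out[rec["proc"]]
        entry["bases"].add(rec["base"])
        entry["snaps"].add(rec["snap"])
        if rec.get("rwx"):
            entry["rwx_bases"].add(rec["base"])
    return dict(out)


def hollowed_image_candidates(summary, image_base=0x400000, span=0x10000):
    """Process indices with an unpacked PE at `image_base` and an RWX dump
    inside its first `span` bytes. Read together with the report's 'Creates a
    process in suspended mode' and 'Injects a PE file into a foreign processes'
    signatures this is the process-hollowing pattern; alone it is only a lead."""
    return [
        proc for proc, info in sorted(summary.items())
        if image_base in info["bases"]
        and any(image_base <= b < image_base + span for b in info["rwx_bases"])
    ]
```

Run against the report's entries, summarize() yields two groups: process 2 holds the payload only in read-write heap regions (0x4127bf0, 0x415de10, dump base 0x4127000, protection 0x04), which is what a .NET unpacker stage looks like before it hands the decrypted PE on; process 12 holds the same payload at image base 0x400000 with execute-read-write pages at 0x402000 across both the start (snapshot 0) and end (snapshot 2) dumps, so hollowed_image_candidates() returns [12]. The function deliberately stops at "candidate": the conclusion that process 12 is the hollowed child rests on the suspended-process and PE-injection signatures elsewhere in the report, not on the dump names alone.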

ATT&CK matrix, one line per tactic column. Bracketed digits are the signature-count badges the report attaches to a matched technique, reproduced as shown; techniques without a badge are the matrix's unmatched default entries.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [2 1 1]; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection [1 1 1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [1 3 1]; Process Injection [1 1 1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [1]; Software Packing [2 1]
Credential Access: Input Capture [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Query Registry [1]; Security Software Discovery [2 1 1]; Process Discovery [1]; Virtualization/Sandbox Evasion [1 3 1]; Application Window Discovery [1]; System Information Discovery [1 1 3]; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Input Capture [1]; Archive Collected Data [1 1]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel [1]; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

Source | Detection | Scanner | Label
solo.exe | 100% | Joe Sandbox ML |
                  No Antivirus matches
Source | Detection | Scanner | Label
12.0.solo.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
12.0.solo.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
12.0.solo.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
12.2.solo.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
12.0.solo.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
12.0.solo.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
                  No Antivirus matches
Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://blog.iandreev.com/ | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://blog.iandreev.com | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.fontbureau.comahE | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.fontbureau.comgrito | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://znWMYc.com | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
                  No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | solo.exe, 0000000C.00000002.525058880.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com | solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designersG | solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://DynDns.comDynDNS | solo.exe, 0000000C.00000002.525058880.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://blog.iandreev.com/ | solo.exe, 00000002.00000002.315797276.0000000003001000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | solo.exe, 0000000C.00000002.525058880.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://blog.iandreev.com | solo.exe, 00000002.00000002.315797276.0000000003001000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.goodfont.co.kr | solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/ | solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comahE | solo.exe, 00000002.00000002.315516689.0000000001617000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.comgrito | solo.exe, 00000002.00000002.315516689.0000000001617000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | solo.exe, 0000000C.00000002.525058880.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
http://www.fonts.com | solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.sandoll.co.kr | solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://znWMYc.com | solo.exe, 0000000C.00000002.525058880.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cn | solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | solo.exe, 00000002.00000002.319058662.0000000007042000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | solo.exe, 00000002.00000002.317663108.0000000004127000.00000004.00000800.00020000.00000000.sdmp, solo.exe, 0000000C.00000000.312220337.0000000000402000.00000040.00000400.00020000.00000000.sdmp, solo.exe, 0000000C.00000000.309960497.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                      No contacted IP infos
                                      Joe Sandbox Version:34.0.0 Boulder Opal
                                      Analysis ID:562281
                                      Start date:28.01.2022
                                      Start time:18:05:02
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 9m 42s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Sample file name:solo.exe
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                      Number of analysed new started processes analysed:22
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal100.troj.evad.winEXE@3/1@0/0
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HDC Information:
                                      • Successful, ratio: 0.5% (good quality ratio 0.3%)
                                      • Quality average: 57.6%
                                      • Quality standard deviation: 38.4%
                                      HCA Information:
                                      • Successful, ratio: 99%
                                      • Number of executed functions: 37
                                      • Number of non-executed functions: 6
                                      Cookbook Comments:
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                      • Excluded IPs from analysis (whitelisted): 2.20.157.220
                                      • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                      • Not all processes where analyzed, report is missing behavior information
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • VT rate limit hit for: solo.exe
Time | Type | Description
18:06:26 | API Interceptor | 320x Sleep call for process: solo.exe modified
                                      No context
                                      Process:C:\Users\user\Desktop\solo.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1216
                                      Entropy (8bit):5.355304211458859
                                      Encrypted:false
                                      SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                      MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                      SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                      SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                      SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                      Malicious:true
                                      Reputation:high, very likely benign file
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):6.588130207468353
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      File name:solo.exe
                                      File size:866816
                                      MD5:509c2c9cf7e281ddde8289d7d9c1a14a
                                      SHA1:f96470590239cf2b0581587a1237d420bfe8f456
                                      SHA256:4601621cfda56bc05c74eb9e906d082fe613dedbdd07fcec0dc9ba02e3f37a00
                                      SHA512:d9f14c9410395423bc8b4bc9f2acad6a7069eba710840fcda71215db3c4726766e5554dd596b0e8649b63fd3ee1331f9a1f50b23d16b0001979c07d67e259dba
                                      SSDEEP:12288:v/Ijio93SNNN1Bh/G3nR9dJ8ajaeQN22cKkOQNt:vweowfN1v/Gh9dBee+/k
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.................,...........J... ...`....@.. ....................................@................................
                                      Icon Hash:00828e8e8686b000
                                      Entrypoint:0x4d4a2e
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                      Time Stamp:0x61F3CEE2 [Fri Jan 28 11:09:22 2022 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:v4.0.30319
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times: zero-byte padding following the CLR entry stub, which jumps through the IAT at RVA 0x2000 to mscoree.dll!_CorExeMain)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd49e0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd8000 | 0x5b8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xda000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xd4993 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xd2a34 | 0xd2c00 | False | 0.520091933571 | data | 6.59351500716 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.sdata | 0xd6000 | 0x1e8 | 0x200 | False | 0.861328125 | data | 6.62287170117 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0xd8000 | 0x5b8 | 0x600 | False | 0.42578125 | data | 4.09755862721 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xda000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xd80a0 | 0x32c | data | |
RT_MANIFEST | 0xd83cc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2016
Assembly Version | 1.0.0.0
InternalName | ICustomFacto.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | OthelloCS
ProductVersion | 1.0.0.0
FileDescription | OthelloCS
OriginalFilename | ICustomFacto.exe
                                      No network behavior found

                                      Target ID:2
                                      Start time:18:06:03
                                      Start date:28/01/2022
                                      Path:C:\Users\user\Desktop\solo.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\solo.exe"
                                      Imagebase:0xba0000
                                      File size:866816 bytes
                                      MD5 hash:509C2C9CF7E281DDDE8289D7D9C1A14A
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000002.00000002.315937803.000000000310B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000002.00000002.315797276.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.317663108.0000000004127000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.317663108.0000000004127000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low

                                      Target ID:12
                                      Start time:18:06:28
                                      Start date:28/01/2022
                                      Path:C:\Users\user\Desktop\solo.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\Desktop\solo.exe
                                      Imagebase:0x5d0000
                                      File size:866816 bytes
                                      MD5 hash:509C2C9CF7E281DDDE8289D7D9C1A14A
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000000.312220337.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000C.00000000.312220337.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.525058880.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.525058880.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 0000000C.00000002.525058880.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000000.309960497.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000C.00000000.309960497.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000000.311021655.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000C.00000000.311021655.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.522648388.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000C.00000002.522648388.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000000.311547014.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000C.00000000.311547014.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low

                                        Execution Graph

                                        Execution Coverage:5.4%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:16
                                        Total number of Limit Nodes:3
                                        execution_graph 16627 15f40e8 16629 15f4104 16627->16629 16628 15f41aa 16629->16628 16631 15f4298 16629->16631 16632 15f42a2 16631->16632 16634 15f42f7 16631->16634 16637 15f4398 16632->16637 16641 15f4388 16632->16641 16634->16629 16639 15f43bf 16637->16639 16638 15f449c 16638->16638 16639->16638 16645 15f3e58 16639->16645 16643 15f43bf 16641->16643 16642 15f449c 16642->16642 16643->16642 16644 15f3e58 CreateActCtxA 16643->16644 16644->16642 16646 15f5428 CreateActCtxA 16645->16646 16648 15f54eb 16646->16648 16648->16648

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 0 15f541c-15f54e9 CreateActCtxA 2 15f54eb-15f54f1 0->2 3 15f54f2-15f554c 0->3 2->3 10 15f554e-15f5551 3->10 11 15f555b-15f555f 3->11 10->11 12 15f5561-15f556d 11->12 13 15f5570 11->13 12->13 14 15f5571 13->14 14->14
                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 015F54D9
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.315436688.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_15f0000_solo.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        • Opcode ID: 18461a3cb3d0b07766638cbcc7f442984aee0703beef7ef47b204971fdfb0a98
                                        • Instruction ID: 3cd6f33b5c3daa4d3e7d29e38fa9687eed9b918b6b71767af07e9747850f0128
                                        • Opcode Fuzzy Hash: 18461a3cb3d0b07766638cbcc7f442984aee0703beef7ef47b204971fdfb0a98
                                        • Instruction Fuzzy Hash: 824112B0C0061CCBDB24CFA9C8887DEBBB6BF49304F208469D449AB251D7755946CF50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 16 15f3e58-15f54e9 CreateActCtxA 19 15f54eb-15f54f1 16->19 20 15f54f2-15f554c 16->20 19->20 27 15f554e-15f5551 20->27 28 15f555b-15f555f 20->28 27->28 29 15f5561-15f556d 28->29 30 15f5570 28->30 29->30 31 15f5571 30->31 31->31
                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 015F54D9
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.315436688.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_15f0000_solo.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        • Opcode ID: d0739385952331ca5008788d44d0dc06505477facd6604a49148e5f31b06b9ef
                                        • Instruction ID: 031f72d1e0b12179b16ca8bb83352a76ac9e12c67580810a594ad59723e24012
                                        • Opcode Fuzzy Hash: d0739385952331ca5008788d44d0dc06505477facd6604a49148e5f31b06b9ef
                                        • Instruction Fuzzy Hash: 6141C1B1D0061CCBDB24DFA9C888BDEBBB6BF48304F208469D519AB251EB756945CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 813 551bab0-551bd2d 839 551bf10-551bf16 813->839 840 551bd66-551bd6f 813->840 843 551bf18 839->843 844 551bf1f-551bf27 839->844 841 551bd71 840->841 842 551bd76-551bd93 840->842 841->842 849 551bd95 842->849 850 551bd9a-551bdb1 842->850 843->840 845 551bfe9-551bff2 843->845 844->839 844->845 846 551bff4 845->846 847 551bff9 845->847 846->847 851 551c002-551c016 847->851 849->850 855 551bdb3 850->855 856 551bdb8-551bdcf 850->856 852 551c018 851->852 853 551c01d-551c07d 851->853 852->853 853->839 855->856 860 551bdd1 856->860 861 551bdd6-551bdf3 856->861 860->861 864 551bdf5 861->864 865 551bdfa-551be17 861->865 864->865 869 551be19 865->869 870 551be1e-551be3b 865->870 869->870 872 551be42-551be5f 870->872 873 551be3d 870->873 875 551be61 872->875 876 551be66-551be83 872->876 873->872 875->876 878 551be85 876->878 879 551be8a-551bea4 876->879 878->879 881 551bea6 879->881 882 551beab-551bec5 879->882 881->882 884 551bec7 882->884 885 551becc-551beec 882->885 884->885 887 551bef3-551bf0a 885->887 888 551beee 885->888 887->839 888->887
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.318843965.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_5510000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f94676d2da4d104152d649fe9b3058834ec311db51188818962e4a36eca94239
                                        • Instruction ID: 513333173f658b7022876f160fc251b7dace8ff4559eb5b308c1e7028ae76bd8
                                        • Opcode Fuzzy Hash: f94676d2da4d104152d649fe9b3058834ec311db51188818962e4a36eca94239
                                        • Instruction Fuzzy Hash: B6C11B74A01208CFD764EFA8D559A9CBBF6FF48315F0085AAE9099B261DF386C84CF51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.318843965.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_5510000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2438869233aeda7b5057c1f6e51def57dfa3ba34d6cce539530aa2e12e709bf9
                                        • Instruction ID: 4007ea70fb402e95d254323b06e65eda68087d884ecb60510e9a2bdecc958010
                                        • Opcode Fuzzy Hash: 2438869233aeda7b5057c1f6e51def57dfa3ba34d6cce539530aa2e12e709bf9
                                        • Instruction Fuzzy Hash: 4A915E74A01248CFE714DFA8D588A9DBFF5FB08715F04856AE8099B261DB38AC84CF46
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.318843965.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_5510000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d6478fc2d166fc231c468556e4d4dde80637e4fe402153c5ef09445ed344283e
                                        • Instruction ID: a8ee741fbe7659ae8f5dc4a566cdfcf6a6dd7261b6a3ec1bb8335afebd0163b4
                                        • Opcode Fuzzy Hash: d6478fc2d166fc231c468556e4d4dde80637e4fe402153c5ef09445ed344283e
                                        • Instruction Fuzzy Hash: EA913D74901148CFE764DFA8D548A8CBBF5FB48715F0485AAE8099B261DB38AC84CF55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.318843965.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_5510000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0c74089b9fc688a205324ea6215815da4d48263deeb6a2b04eca055299849faa
                                        • Instruction ID: 4de49203ea7bb3f46472e101f15fbf1abcfbfa06a4d1896a803f5c2dd68b047f
                                        • Opcode Fuzzy Hash: 0c74089b9fc688a205324ea6215815da4d48263deeb6a2b04eca055299849faa
                                        • Instruction Fuzzy Hash: B7714F74A01144CFE764DFA8D588A8DBFF5FB04715F44896AE8099B261DB38AC84CF46
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.318843965.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_5510000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bd5e0b494fe60aa4c0def1084702a15a81f3812352a3fcea4a31c3bef67c80d0
                                        • Instruction ID: 319051d1af841690c94dd106476eb02a00cee9644174f76acbd2291cc685b747
                                        • Opcode Fuzzy Hash: bd5e0b494fe60aa4c0def1084702a15a81f3812352a3fcea4a31c3bef67c80d0
                                        • Instruction Fuzzy Hash: F0317F32E0511A9BEF15DBE4D884BBEBBB2FB88310F018465DD257B280EB315D818BD5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.318843965.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_5510000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4b40051fb713d01f84fc5ef5792cd1f47faa62af65e74f2922999f17afaf7753
                                        • Instruction ID: a4713551850487d1adedab18f07489080aa7546dfe4eaf1398d2806c12b2363f
                                        • Opcode Fuzzy Hash: 4b40051fb713d01f84fc5ef5792cd1f47faa62af65e74f2922999f17afaf7753
                                        • Instruction Fuzzy Hash: CA319032E0511A9BEF15DBE4D980BBEBBB2FB88310F018426DE257B244EB315D418BD5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.318843965.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_5510000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a244036540099a29ae1dfcd0195dd594afc6f4ad5ebf3621029c0e75b8370223
                                        • Instruction ID: 603491714a5ff8164ed2be2f5e90c31301b1a5bc7547b4ea88d90b9d6806ada1
                                        • Opcode Fuzzy Hash: a244036540099a29ae1dfcd0195dd594afc6f4ad5ebf3621029c0e75b8370223
                                        • Instruction Fuzzy Hash: DD21E235E051569FEB03EBB4C584A7EBFB3BB40310F0584A1DD099B211EA24DE418BDA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.314723748.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_11ed000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ffc1808d6df3d7f71c50aec7472e0e248244d94597bad115f184f962541eded1
                                        • Instruction ID: 1de3c787e3d6ddddf5ce30c6d0b09c63c43fe86bed21f1d44b04709dda95de58
                                        • Opcode Fuzzy Hash: ffc1808d6df3d7f71c50aec7472e0e248244d94597bad115f184f962541eded1
                                        • Instruction Fuzzy Hash: 59213675504640DFDF09CFD4E9C8B66BBB5FF88318F248969E8050B206C336D456C7A2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.318843965.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_5510000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 31a348728ea3faa0291ea845ffc5abd96a0bd9729dfd843b3ac84bfbdd1ff9a9
                                        • Instruction ID: 36d9e94074387f3e30b97c4e65107eddda0e1b0666830c0d99712cdd52b09056
                                        • Opcode Fuzzy Hash: 31a348728ea3faa0291ea845ffc5abd96a0bd9729dfd843b3ac84bfbdd1ff9a9
                                        • Instruction Fuzzy Hash: CD217C75F051169FEB02EFA4C58897EBFB3BB84314F158461CD1AAB211EA30DE418BD9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.314751806.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_11fd000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cec5ddf04cadcdcfb29f249be8b9f26e85053c8a61e8b0ece747521c96379ea4
                                        • Instruction ID: 52e6c351ce35adbdc0c8c48061be149ee8095e4a94faca562a4f90a4996b4394
                                        • Opcode Fuzzy Hash: cec5ddf04cadcdcfb29f249be8b9f26e85053c8a61e8b0ece747521c96379ea4
                                        • Instruction Fuzzy Hash: 67212575504240DFDF19CF94E4C4B26BBA5FB84354F24C96DDA0A4B246C73AD847CA62
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.318843965.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_5510000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d17eef958b5688ab481c0df9ec3483de0a3bc1ccddec1bc898b1def2ed8ffde2
                                        • Instruction ID: 6d3dc183ba7150ac8bc6304f091e7404baa6523068fbb9ba6612969802a105d7
                                        • Opcode Fuzzy Hash: d17eef958b5688ab481c0df9ec3483de0a3bc1ccddec1bc898b1def2ed8ffde2
                                        • Instruction Fuzzy Hash: 42218C35F051568FEB02EFA4C58897EBFB3BB44314F158461CD0AAB211EA30DE418BD9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.314751806.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_11fd000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dd96113e79d531e96240cd08e51e31da1cc669752e3332883333a3d2de5ec2d4
                                        • Instruction ID: 9e9993341137ca7ac6a4826080dd14c66004a084396a70d4729b4b6085188675
                                        • Opcode Fuzzy Hash: dd96113e79d531e96240cd08e51e31da1cc669752e3332883333a3d2de5ec2d4
                                        • Instruction Fuzzy Hash: FE2180755093808FCB07CF24D594B15BF71EB46214F28C5EAD9498B657C33A980ACB62
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.314723748.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_11ed000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5ba8ea9be974d9085370ee7f5f7012f4dff1d1c4487718bd0c34b0eb0e96bb7a
                                        • Instruction ID: 6c0d22f8ccef9204e45085a5e782df2228b3f737c400bc41513144b9c37e723a
                                        • Opcode Fuzzy Hash: 5ba8ea9be974d9085370ee7f5f7012f4dff1d1c4487718bd0c34b0eb0e96bb7a
                                        • Instruction Fuzzy Hash: 8F11B176504680DFCF16CF54E9C8B16BFB2FF84324F2486A9D8054B656C33AD45ACBA2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.314723748.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_11ed000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8c9e922f20a8c5b07a019fdea41cbcf3685d92c442785d750980d3588b563d3e
                                        • Instruction ID: 2ec80fe89bb689cccc6820cccbc0afeb5fbda0978fed0f1ab737d4062e8c4194
                                        • Opcode Fuzzy Hash: 8c9e922f20a8c5b07a019fdea41cbcf3685d92c442785d750980d3588b563d3e
                                        • Instruction Fuzzy Hash: 8101D4714047449AEB284AD5ECC8BA7BBDCEF81664F08841AED4C5A246C7759844C6B2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.314723748.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_11ed000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e502e5f1bb7aa68f28fb2f902f8adb4b18242659d216a0e9e6844b7391b30080
                                        • Instruction ID: 4dbbf05540370166320da129e2d5bc06117f1e9a3289f55e600817ded3fd197c
                                        • Opcode Fuzzy Hash: e502e5f1bb7aa68f28fb2f902f8adb4b18242659d216a0e9e6844b7391b30080
                                        • Instruction Fuzzy Hash: BDF0C2714047849EEB148A89DCC8B62FFD8EB81774F18C45EED4C5B286C379A844CAB1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.318843965.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_5510000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9047bd159473846aa99275def1129d6f0a32f2bc23b11f4dc5a33bc087fcad43
                                        • Instruction ID: c3725737ac7e6bcdb38f4b2479c6bd0b87076072aefa3e3c3a898b47f0d49882
                                        • Opcode Fuzzy Hash: 9047bd159473846aa99275def1129d6f0a32f2bc23b11f4dc5a33bc087fcad43
                                        • Instruction Fuzzy Hash: 79F0D430E95608AFEB54DFA9944969DBFF9BB49604F0084AA9818E2200EB318E848A45
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.318843965.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_5510000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f2e84b9a337c0e71bf12dec8bc40f8dade3a44b74b2a246b9085f14575a87c40
                                        • Instruction ID: eb73a1571ba1e8216d7a00e6e884b6b8f96626e198c710294c760ee7bfe345e9
                                        • Opcode Fuzzy Hash: f2e84b9a337c0e71bf12dec8bc40f8dade3a44b74b2a246b9085f14575a87c40
                                        • Instruction Fuzzy Hash: B6F0A0308D938A8FD752CBA8C4516D9BFB1BF03224B20019BDC24DA282EB324E45CB09
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.318843965.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_5510000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6b7b20ca144a59c2eae93a63689674e75c26d82ef7e76ed104dc8c07657df80c
                                        • Instruction ID: d2c1e4957fe88b320e69e9f10ceedba550982503e53a3d3b56f9668bf822df81
                                        • Opcode Fuzzy Hash: 6b7b20ca144a59c2eae93a63689674e75c26d82ef7e76ed104dc8c07657df80c
                                        • Instruction Fuzzy Hash: FFC04C303C0704AFE354DA5ADD47F017B99AF45F14F654091F3089F6F1DAA1F8004548
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.318843965.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_5510000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3484a94681bab5f14a7a7708b1f0ccc7d990ba2de7aa2bdfaac5876c5874f947
                                        • Instruction ID: e9bc68d706a6746e9bbb51b31e331bb9ca591ffcee5a6992e4076460d4d0244b
                                        • Opcode Fuzzy Hash: 3484a94681bab5f14a7a7708b1f0ccc7d990ba2de7aa2bdfaac5876c5874f947
                                        • Instruction Fuzzy Hash: E5C08C37B143604B8B291BA0B20A09A3FA0CAA4066304085BF00ECA204CE768A004780
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.318843965.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_5510000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c3d192ff19c46dfae7b97c64553cb9b1f54d5ab3dff1fcef86542f81e3d2c66f
                                        • Instruction ID: 13358187d355dca8302bd520327edf2d71bbf0d0a2a0f071675799a40e9185d7
                                        • Opcode Fuzzy Hash: c3d192ff19c46dfae7b97c64553cb9b1f54d5ab3dff1fcef86542f81e3d2c66f
                                        • Instruction Fuzzy Hash: 8BA002574D242401C609A5DCBF931D2B7546CA20AA34D4543F48C85711E611855080DC
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.318843965.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_5510000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d200006d66dfcaf3ad5dd5c1c75a4ffe651a9ea33eed7fff1a75258716443a08
                                        • Instruction ID: 308734e347fe5fbfc39d01466d26648a0473cab39bdc6a53ba3d68073832f9aa
                                        • Opcode Fuzzy Hash: d200006d66dfcaf3ad5dd5c1c75a4ffe651a9ea33eed7fff1a75258716443a08
                                        • Instruction Fuzzy Hash: 93B01230240208CFC200DB5DD444C0033FCAF49A0434000D0F1098B731C721FC00CA40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.318843965.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_5510000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2dd0e2d78ede24ec856ece9a02d38c2482f84b2d6ea3ffb53f4ba9a5c21b0449
                                        • Instruction ID: fcf2bd823ffd50817e0e5638558531ecae1e0debbdb2b97a975972aed121cb2a
                                        • Opcode Fuzzy Hash: 2dd0e2d78ede24ec856ece9a02d38c2482f84b2d6ea3ffb53f4ba9a5c21b0449
                                        • Instruction Fuzzy Hash: E89004310F570CCF454437D5750F555FF5CD5F55557C00053F50D455015F55741455D5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.318843965.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_5510000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5df93386dc8576f42f0f270902f7a13835d529c993c9c72181028fb2afdc007a
                                        • Instruction ID: 693921784bba8ada79895df0f14d4a1724a1aae1b50ec2fdae0c839800450cca
                                        • Opcode Fuzzy Hash: 5df93386dc8576f42f0f270902f7a13835d529c993c9c72181028fb2afdc007a
                                        • Instruction Fuzzy Hash: 9E90223002020C8B820023C0380A0803F0C8008032B800002F00C000000F00A0080080
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.315436688.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_15f0000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: UUUU$iWhH
                                        • API String ID: 0-538678036
                                        • Opcode ID: 1f42fc334cd6ca413be1bed30ff6ef7c65072d30a28d564bedffd70bf2403ada
                                        • Instruction ID: d2a16fe0c16f6efe0025ff3d1a3fa71c157422c182bb5762968aba2c58d0ab54
                                        • Opcode Fuzzy Hash: 1f42fc334cd6ca413be1bed30ff6ef7c65072d30a28d564bedffd70bf2403ada
                                        • Instruction Fuzzy Hash: 1D516374E116288FEB64CFADC984B8DBBF2BF48314F1486A9D118E7246D7349A85CF01
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.315436688.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_15f0000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a5ce8510647e794a1b3e1b0f76c6c7816147cea19bd142c35447fde1335f117f
                                        • Instruction ID: 22fbe1f657ac735b279fed4ab0558e3fb414defdb3cd904ad00d3c8ebe040e68
                                        • Opcode Fuzzy Hash: a5ce8510647e794a1b3e1b0f76c6c7816147cea19bd142c35447fde1335f117f
                                        • Instruction Fuzzy Hash: C3515E70A05609CFDB59EFB9E44469EBBF3FB89308F04883DC014AB674DB7499468B91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.315436688.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_15f0000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dd11f2c9e79b6759f4c06ec16c4c24a607819266851ef7f2738ad3ce77e4ed5c
                                        • Instruction ID: 95dec83a84d29631dbf65f25ddbc9d90b7d26ee3e6a16c21207de1de8fdd4097
                                        • Opcode Fuzzy Hash: dd11f2c9e79b6759f4c06ec16c4c24a607819266851ef7f2738ad3ce77e4ed5c
                                        • Instruction Fuzzy Hash: EF512E70A01609CFDB59EFB9E44469EBBF3BB88308F04C93DC014AB664DB7499458B91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.315436688.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_15f0000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 797fc1c1c0076c0ae41ba4e73e455e58ee3b894cb0a2d9c18c0cb914f15191e7
                                        • Instruction ID: f5b8800185aab5d7dd52eab99631a643fbc6a5ec5a9897c3e11274151955898a
                                        • Opcode Fuzzy Hash: 797fc1c1c0076c0ae41ba4e73e455e58ee3b894cb0a2d9c18c0cb914f15191e7
                                        • Instruction Fuzzy Hash: 77517C71E016188BEB68CF6B8D4479EFAF7AFC9210F14C1BAC50CAA255DB704A85CF11
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.315436688.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_15f0000_solo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d7b8afd98b3550b16623a3d06db903eaae3511fa64bc3fcc144aa9fc6dcc9a50
                                        • Instruction ID: 525eafc5232f3af8a4851e7b9c3fb13aeed2b3f7c9a93a4d71f36540b4c9948f
                                        • Opcode Fuzzy Hash: d7b8afd98b3550b16623a3d06db903eaae3511fa64bc3fcc144aa9fc6dcc9a50
                                        • Instruction Fuzzy Hash: 5A410371E016188BEB6CDF6B9D4478AFAF7BFC9210F14C1FA890CAA255DB3409858F15
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Execution Graph

                                        Execution Coverage:12.4%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:81
                                        Total number of Limit Nodes:5
                                        execution_graph (text export of the rendered graph, split here into its five connected components; each node is listed as id, address and, where present, the API called or the note the export attached to it)
                                        Component rooted at 1016940 (GetCurrentProcess / GetCurrentThread / GetCurrentThreadId):
                                        • Nodes: 12573 1016940 GetCurrentProcess; 12574 10169b3; 12575 10169ba GetCurrentThread; 12576 10169f0; 12577 10169f7 GetCurrentProcess; 12578 1016a2d; 12579 1016a55 GetCurrentThreadId; 12580 1016a86
                                        • Edges: 12573->12574, 12573->12575, 12574->12575, 12575->12576, 12575->12577, 12576->12577, 12577->12578, 12578->12579, 12579->12580
                                        Component rooted at 1015090 (CreateWindowExW):
                                        • Nodes: 12627 1015090; 12628 10150f8 CreateWindowExW; 12630 10151b4
                                        • Edges: 12627->12628, 12628->12630, 12630->12630
                                        Component rooted at 101b6f0 (RtlEncodePointer):
                                        • Nodes: 12631 101b6f0; 12632 101b704; 12635 101b93a; 12633 101b70d; 12636 101b943; 12641 101bb1c; 12645 101bb36; 12649 101ba20; 12653 101ba11; 12642 101bacf; 12643 101bb5b; 12657 101be17; 12646 101bb49; 12647 101bb5b; 12648 101be17 (2 API calls); 12650 101ba64; 12651 101bb5b; 12652 101be17 (2 API calls); 12654 101ba64; 12655 101bb5b; 12656 101be17 (2 API calls); 12658 101be36; 12662 101be68; 12666 101be78; 12659 101be46; 12665 101beb2; 12663 101bedc RtlEncodePointer; 12664 101bf05; 12667 101beb2; 12668 101bedc RtlEncodePointer; 12669 101bf05
                                        • Edges: 12631->12632, 12632->12635, 12635->12636, 12635->12641, 12635->12645, 12635->12649, 12635->12653, 12636->12633, 12641->12642, 12642->12641, 12642->12643, 12642->12657, 12645->12646, 12645->12647, 12646->12648, 12648->12647, 12649->12650, 12650->12651, 12650->12652, 12652->12651, 12653->12654, 12654->12655, 12654->12656, 12656->12655, 12657->12658, 12658->12662, 12658->12666, 12659->12643, 12662->12665, 12663->12664, 12664->12659, 12665->12663, 12665->12664, 12666->12667, 12667->12668, 12667->12669, 12668->12669, 12669->12659
                                        Component rooted at 1016b68 (DuplicateHandle):
                                        • Nodes: 12581 1016b68 DuplicateHandle; 12582 1016bfe
                                        • Edges: 12581->12582
                                        Component rooted at f7d01c (CallWindowProcW):
                                        • Nodes: 12583 f7d01c; 12584 f7d034; 12585 f7d08e; 12590 1017b80; 12598 101359c; 12606 1015248; 12610 1015238; 12591 1017bbd; 12592 1017bf1; 12594 1017be1; 12623 101779c; 12614 1017d08; 12619 1017d18; 12595 1017bef; 12599 10135a7; 12600 1017bf1; 12603 1017be1; 12601 101779c CallWindowProcW; 12602 1017bef; 12604 1017d08 CallWindowProcW; 12605 1017d18 CallWindowProcW; 12607 101526e; 12608 101359c CallWindowProcW; 12609 101528f; 12611 101526e; 12612 101359c CallWindowProcW; 12613 101528f; 12616 1017d0d; 12615 1017cc8; 12617 101779c CallWindowProcW; 12618 1017e0f; 12620 1017d26; 12621 101779c CallWindowProcW; 12622 1017e0f; 12624 10177a7; 12625 1017eda CallWindowProcW; 12626 1017e89
                                        • Edges: 12583->12584, 12584->12585, 12584->12590, 12584->12598, 12584->12606, 12584->12610, 12590->12591, 12591->12592, 12591->12594, 12592->12623, 12594->12614, 12594->12619, 12598->12599, 12599->12600, 12599->12603, 12600->12601, 12601->12602, 12603->12604, 12603->12605, 12604->12602, 12605->12602, 12606->12607, 12607->12608, 12608->12609, 12609->12585, 12610->12611, 12611->12612, 12612->12613, 12613->12585, 12614->12616, 12615->12595, 12616->12615, 12616->12617, 12616->12618, 12617->12616, 12618->12595, 12619->12620, 12620->12621, 12620->12622, 12621->12620, 12622->12595, 12623->12624, 12624->12625, 12624->12626, 12625->12626, 12626->12595

                                        Control-flow Graph

                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 010169A0
                                        • GetCurrentThread.KERNEL32 ref: 010169DD
                                        • GetCurrentProcess.KERNEL32 ref: 01016A1A
                                        • GetCurrentThreadId.KERNEL32 ref: 01016A73
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.524543051.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_1010000_solo.jbxd
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID: 3e
                                        • API String ID: 2063062207-1497408187
                                        • Opcode ID: 616f2ba08d21aa3a27562755714b57a349d587b3705b9dfc062f6e286ee75920
                                        • Instruction ID: b52caf3933e182454c7878aa364da21dde6758573ab52775dc28f6c539f880d3
                                        • Opcode Fuzzy Hash: 616f2ba08d21aa3a27562755714b57a349d587b3705b9dfc062f6e286ee75920
                                        • Instruction Fuzzy Hash: C45144B89003489FDB14CFAAD948BDEBBF6AF88304F208499E549A7350D7796844CF65
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph (text export; the executed / not-executed colouring of the rendered graph is not reproduced)
                                        • Basic blocks (node: address range, API called): 20: 1015084-10150f6; 22: 1015101-1015108; 23: 10150f8-10150fe; 24: 1015113-101514b; 25: 101510a-1015110; 26: 1015153-10151b2 CreateWindowExW; 27: 10151b4-10151ba; 28: 10151bb-10151f3; 32: 1015200; 33: 10151f5-10151f8; 34: 1015201
                                        • Edges: 20->22, 20->23, 22->24, 22->25, 23->22, 24->26, 26->27, 26->28, 27->28, 28->32, 28->33, 32->34, 33->32, 34->34
                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010151A2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.524543051.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_1010000_solo.jbxd
                                        Similarity
                                        • API ID: CreateWindow
                                        • String ID: 3e$3e
                                        • API String ID: 716092398-1218783268
                                        • Opcode ID: 594db50f67ca134dd9a8632c958a867bca88cb75c59725a789625ed7905c7463
                                        • Instruction ID: c3af95b87ca561de7af64e5a24ae0d685817e701d890d8cf205a5e4f5fc92047
                                        • Opcode Fuzzy Hash: 594db50f67ca134dd9a8632c958a867bca88cb75c59725a789625ed7905c7463
                                        • Instruction Fuzzy Hash: DC51E0B1D003089FDF15CF99C884ADEBBB5BF88314F64812AE819AB214D7749845CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph (text export; the executed / not-executed colouring of the rendered graph is not reproduced)
                                        • Basic blocks (node: address range, API called): 35: 1015090-10150f6; 36: 1015101-1015108; 37: 10150f8-10150fe; 38: 1015113-10151b2 CreateWindowExW; 39: 101510a-1015110; 41: 10151b4-10151ba; 42: 10151bb-10151f3; 46: 1015200; 47: 10151f5-10151f8; 48: 1015201
                                        • Edges: 35->36, 35->37, 36->38, 36->39, 37->36, 38->41, 38->42, 39->38, 41->42, 42->46, 42->47, 46->48, 47->46, 48->48
                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010151A2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.524543051.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_1010000_solo.jbxd
                                        Similarity
                                        • API ID: CreateWindow
                                        • String ID: 3e$3e
                                        • API String ID: 716092398-1218783268
                                        • Opcode ID: 81d6638510226c7afa78fc6b6c61cc089b0881d1c9477ff61eea17cf43b4db8b
                                        • Instruction ID: 460c222b0159e5a0b3efdc0f35578e88917fa6ce2bfb8a59ec8e6d53fd1fbd7e
                                        • Opcode Fuzzy Hash: 81d6638510226c7afa78fc6b6c61cc089b0881d1c9477ff61eea17cf43b4db8b
                                        • Instruction Fuzzy Hash: FE41CFB1D003489FDF15CF99C884ADEBBB5FF88314F64852AE919AB214D7749885CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph (text export; the executed / not-executed colouring of the rendered graph is not reproduced)
                                        • Basic blocks (node: address range, API called or call target): 49: 101be68-101bea9; 61: 101beac call 101bf40; 62: 101beac call 101bf50; 50: 101beb2-101beba; 52: 101bec0; 53: 101bebc-101bebe; 54: 101bec5-101bed0; 55: 101bf31-101bf3e; 56: 101bed2-101bf03 RtlEncodePointer; 58: 101bf05-101bf0b; 59: 101bf0c-101bf2c
                                        • Edges: 49->61, 49->62, 50->52, 50->53, 52->54, 53->54, 54->55, 54->56, 56->58, 56->59, 58->59, 59->55, 61->50, 62->50
                                        APIs
                                        • RtlEncodePointer.NTDLL(00000000), ref: 0101BEF2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.524543051.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_1010000_solo.jbxd
                                        Similarity
                                        • API ID: EncodePointer
                                        • String ID: 3e$W
                                        • API String ID: 2118026453-2060966905
                                        • Opcode ID: 07fa91b39ddf9706f913bcb615cbf06d7cdf5d20a5679ce920f5405b9687afde
                                        • Instruction ID: 92e717cb5d6735542811a1e434465a6ba73cc46ef24d863f8854c68cf8629001
                                        • Opcode Fuzzy Hash: 07fa91b39ddf9706f913bcb615cbf06d7cdf5d20a5679ce920f5405b9687afde
                                        • Instruction Fuzzy Hash: E721A7B59053898FDF10DFAAC4483DEBBF0EB09314F14886AC484A2246C73A6109CF51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph (text export; the executed / not-executed colouring of the rendered graph is not reproduced)
                                        • Basic blocks (node: address range, API called or call target): 186: 101779c-1017e7c; 189: 1017e82-1017e87; 190: 1017f2c-1017f4c call 101359c; 192: 1017e89-1017ec0; 193: 1017eda-1017f12 CallWindowProcW; 198: 1017f4f-1017f5c; 199: 1017ec2-1017ec8; 200: 1017ec9-1017ed8; 194: 1017f14-1017f1a; 195: 1017f1b-1017f2a
                                        • Edges: 186->189, 186->190, 189->192, 189->193, 190->198, 192->199, 192->200, 193->194, 193->195, 194->195, 195->198, 199->200, 200->198
                                        APIs
                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 01017F01
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.524543051.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_1010000_solo.jbxd
                                        Similarity
                                        • API ID: CallProcWindow
                                        • String ID: 3e
                                        • API String ID: 2714655100-1497408187
                                        • Opcode ID: 3aff1d0ad11d4a4928555e8de23d2c2fa144d8071d1dd5a49bdacc572bfbb7b8
                                        • Instruction ID: a3b95a6ed2aecae915c6508285ee5096be476ec533e40f6193f755d5db2135e1
                                        • Opcode Fuzzy Hash: 3aff1d0ad11d4a4928555e8de23d2c2fa144d8071d1dd5a49bdacc572bfbb7b8
                                        • Instruction Fuzzy Hash: A2413DB9900309CFDB15CF99C448A9BBBF5FF88314F148899E559A7315D774A841CFA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph (text export; the executed / not-executed colouring of the rendered graph is not reproduced)
                                        • Basic blocks (node: address range, API called): 203: 1016b63-1016bfc DuplicateHandle; 204: 1016c05-1016c22; 205: 1016bfe-1016c04
                                        • Edges: 203->204, 203->205, 205->204
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01016BEF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.524543051.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_1010000_solo.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID: 3e
                                        • API String ID: 3793708945-1497408187
                                        • Opcode ID: 1259cc8dbbb3c7817880523b3ba7da4242af39e62f60678ece910553055cb349
                                        • Instruction ID: 585ce31011d8d55c50a17018985e1f52a904f7b50bbb664004eb033be1426953
                                        • Opcode Fuzzy Hash: 1259cc8dbbb3c7817880523b3ba7da4242af39e62f60678ece910553055cb349
                                        • Instruction Fuzzy Hash: 7B2114B5D002489FDB10CFA9D884AEEBFF5FB48320F14842AE954A3310D378A954CFA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph (text export; the executed / not-executed colouring of the rendered graph is not reproduced)
                                        • Basic blocks (node: address range, API called): 208: 1016b68-1016bfc DuplicateHandle; 209: 1016c05-1016c22; 210: 1016bfe-1016c04
                                        • Edges: 208->209, 208->210, 210->209
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01016BEF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.524543051.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_1010000_solo.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID: 3e
                                        • API String ID: 3793708945-1497408187
                                        • Opcode ID: 2c5be16576b7788fa03a7ec41d0848a8a69019ba1a0c1673e223b8002f37b398
                                        • Instruction ID: a533451f0c30215257364fd10fd9d85d6aed9d791d1c8e8cdbe2f7d431454aad
                                        • Opcode Fuzzy Hash: 2c5be16576b7788fa03a7ec41d0848a8a69019ba1a0c1673e223b8002f37b398
                                        • Instruction Fuzzy Hash: 6421F5B5D00248AFDB10CF99D984ADEFBF9FB48320F14841AE955A3310D379A954CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph (text export; the executed / not-executed colouring of the rendered graph is not reproduced)
                                        • Basic blocks (node: address range, API called or call target): 213: 101be78-101bea9; 214: 101beb2-101beba; 225: 101beac call 101bf40; 226: 101beac call 101bf50; 216: 101bec0; 217: 101bebc-101bebe; 218: 101bec5-101bed0; 219: 101bf31-101bf3e; 220: 101bed2-101bf03 RtlEncodePointer; 222: 101bf05-101bf0b; 223: 101bf0c-101bf2c
                                        • Edges: 213->214, 213->225, 213->226, 214->216, 214->217, 216->218, 217->218, 218->219, 218->220, 220->222, 220->223, 222->223, 223->219, 225->214, 226->214
                                        APIs
                                        • RtlEncodePointer.NTDLL(00000000), ref: 0101BEF2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.524543051.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_1010000_solo.jbxd
                                        Similarity
                                        • API ID: EncodePointer
                                        • String ID: 3e
                                        • API String ID: 2118026453-1497408187
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.524338641.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_f6d000_solo.jbxd
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.524395510.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_f7d000_solo.jbxd
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.524395510.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_f7d000_solo.jbxd
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.524338641.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_f6d000_solo.jbxd
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RtlEncodePointer.NTDLL(00000000), ref: 0101C19D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.524543051.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_1010000_solo.jbxd
                                        Similarity
                                        • API ID: EncodePointer
                                        • String ID: 3e$W
                                        • API String ID: 2118026453-2060966905
                                        Uniqueness

                                        Uniqueness Score: -1.00%