Windows Analysis Report
DBelhwqpBHYlUyo.exe

Overview

General Information

Sample Name: DBelhwqpBHYlUyo.exe
Analysis ID: 562353
MD5: f865e3cf5f30296353766b374e774261
SHA1: 77157d4d36906f6a8e692ad8f0f4fd1c5e65d0ec
SHA256: 7ba7b04efd4019c0331f9d2efd8353c641c0d1393d6743cfa3d6d401649232ff
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • DBelhwqpBHYlUyo.exe (PID: 3892 cmdline: "C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe" MD5: F865E3CF5F30296353766B374E774261)
    • DBelhwqpBHYlUyo.exe (PID: 1880 cmdline: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe MD5: F865E3CF5F30296353766B374E774261)
  • cleanup
Extracted malware configuration (AgentTesla): {"Exfil Mode": "SMTP", "Username": "pablo@crealuz.es", "Password": "Pu10?as1", "Host": "mail.crealuz.es"}

Yara matches in memory dumps:
Source | Rule | Description | Author | Strings
00000008.00000000.335009031.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000008.00000000.335009031.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000008.00000002.551822942.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000008.00000002.551822942.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000008.00000000.335724383.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(20 further memory-dump matches are collapsed in the original report)
Yara matches in unpacked PEs:
Source | Rule | Description | Author | Strings
0.2.DBelhwqpBHYlUyo.exe.36c96e8.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.DBelhwqpBHYlUyo.exe.36c96e8.5.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.DBelhwqpBHYlUyo.exe.36c96e8.5.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | matched strings:
  • 0x2ee55:$s1: get_kbok
  • 0x2f798:$s2: get_CHoo
  • 0x303d2:$s3: set_passwordIsSet
  • 0x2ec59:$s4: get_enableLog
  • 0x31a0f:$s5: bot%telegramapi%
  • 0x33312:$s8: torbrowser
  • 0x31a32:$s9: %chatid%
  • 0x31cf5:$s10: logins
  • 0x31615:$s11: credential
  • 0x2e066:$g1: get_Clipboard
  • 0x2e074:$g2: get_Keyboard
  • 0x2e081:$g3: get_Password
  • 0x2f637:$g4: get_CtrlKeyDown
  • 0x2f647:$g5: get_ShiftKeyDown
  • 0x2f658:$g6: get_AltKeyDown
8.0.DBelhwqpBHYlUyo.exe.400000.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
8.0.DBelhwqpBHYlUyo.exe.400000.6.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
(29 further unpacked-PE matches are collapsed in the original report)
No Sigma rule has matched
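How a string-based rule such as the ditekSHen match above turns into the offset list the report prints: the following is an added example, not the rule itself and not code from Joe Sandbox or the rule's author. It re-implements matching of exactly the strings the report lists, searching both ASCII and UTF-16LE the way YARA's "ascii wide" modifier does (AgentTesla's user strings such as %chatid% live in the UTF-16 #US heap of the .NET assembly), over a constructed buffer. The condition it evaluates is an assumption standing in for the real rule's condition, which the report does not reproduce.

```python
# Added example: a YARA-style "ascii wide" string matcher over a constructed
# buffer, using the strings the report lists for MALWARE_Win_AgentTeslaV3.
# The matching condition below is an assumption, not the real rule's.

# Strings as reported in the match list above, keyed by rule identifier.
RULE_STRINGS = {
    "$s1": b"get_kbok", "$s2": b"get_CHoo", "$s3": b"set_passwordIsSet",
    "$s4": b"get_enableLog", "$s5": b"bot%telegramapi%", "$s8": b"torbrowser",
    "$s9": b"%chatid%", "$s10": b"logins", "$s11": b"credential",
    "$g1": b"get_Clipboard", "$g2": b"get_Keyboard", "$g3": b"get_Password",
    "$g4": b"get_CtrlKeyDown", "$g5": b"get_ShiftKeyDown", "$g6": b"get_AltKeyDown",
}


def find_all(buf, needle):
    """All offsets of needle in buf, as ASCII and as UTF-16LE (YARA 'ascii wide')."""
    hits = []
    for enc in (needle, needle.decode("ascii").encode("utf-16-le")):
        start = 0
        while (i := buf.find(enc, start)) != -1:
            hits.append(i)
            start = i + 1
    return sorted(hits)


def scan(buf, strings=RULE_STRINGS):
    """Map each identifier to its match offsets, like the '0x2ee55:$s1' rows."""
    return {name: offs for name, pat in strings.items() if (offs := find_all(buf, pat))}


def condition(buf, matches):
    """Assumed condition: MZ header and either four $s strings or all six $g getters.
    Stand-in only; the report does not show the real rule's condition."""
    if buf[:2] != b"MZ":
        return False
    s_hits = sum(1 for n in matches if n.startswith("$s"))
    g_hits = sum(1 for n in matches if n.startswith("$g"))
    return s_hits >= 4 or g_hits == 6


def report(buf):
    """Verdict plus the per-string offsets, formatted as hex like the report."""
    m = scan(buf)
    return {"matched": condition(buf, m),
            "strings": {n: [hex(o) for o in offs] for n, offs in m.items()}}


def build_sample(strings, wide=frozenset()):
    """Constructed test image: a 0x40-byte MZ stub, then each string after 16 NULs.
    Strings named in `wide` are stored UTF-16LE, as .NET user strings are."""
    out = bytearray(b"MZ" + b"\x00" * 0x3e)
    for s in strings:
        out += b"\x00" * 16
        out += s.decode("ascii").encode("utf-16-le") if s in wide else s
    return bytes(out)


# Constructed inputs: one carrying every reported string (the two template
# strings stored wide), one carrying only a few harmless-looking getters.
AGENT_TESLA_LIKE = build_sample(list(RULE_STRINGS.values()),
                                wide={b"bot%telegramapi%", b"%chatid%"})
BENIGN_LIKE = build_sample([b"get_Clipboard", b"get_Keyboard", b"logins"])

if __name__ == "__main__":
    for label, buf in (("agenttesla-like", AGENT_TESLA_LIKE), ("benign-like", BENIGN_LIKE)):
        r = report(buf)
        print(label, "matched" if r["matched"] else "no match")
        for name, offs in r["strings"].items():
            print("  ", ",".join(offs) + ":" + name)
```

Two things this makes concrete: an ASCII-only search would miss $s5 and $s9 in the constructed sample, because they are stored UTF-16LE, and the `MZ` check plus a count threshold is what keeps two or three generic getter names (get_Clipboard, get_Keyboard) from matching a benign .NET assembly.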


                    AV Detection

Source: 8.0.DBelhwqpBHYlUyo.exe.400000.12.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "pablo@crealuz.es", "Password": "Pu10?as1", "Host": "mail.crealuz.es"}
Source: DBelhwqpBHYlUyo.exe | Virustotal: Detection: 39%
Source: DBelhwqpBHYlUyo.exe | Joe Sandbox ML: detected
Source: 8.0.DBelhwqpBHYlUyo.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.DBelhwqpBHYlUyo.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.DBelhwqpBHYlUyo.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.DBelhwqpBHYlUyo.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.DBelhwqpBHYlUyo.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.2.DBelhwqpBHYlUyo.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: DBelhwqpBHYlUyo.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: DBelhwqpBHYlUyo.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: DBelhwqpBHYlUyo.exe | Binary string: CharTypeIn.pdb
Source: DBelhwqpBHYlUyo.exe, 00000008.00000002.558831325.0000000003161000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: DBelhwqpBHYlUyo.exe, 00000008.00000002.558831325.0000000003161000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.340180618.0000000002631000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://blog.iandreev.com
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.340180618.0000000002631000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://blog.iandreev.com/
Source: DBelhwqpBHYlUyo.exe, 00000008.00000002.578014039.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, DBelhwqpBHYlUyo.exe, 00000008.00000002.577879749.00000000034C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: DBelhwqpBHYlUyo.exe, 00000008.00000002.577879749.00000000034C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crealuz.es
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: DBelhwqpBHYlUyo.exe, 00000008.00000002.577879749.00000000034C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.crealuz.es
Source: DBelhwqpBHYlUyo.exe, 00000008.00000002.577920507.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, DBelhwqpBHYlUyo.exe, 00000008.00000002.577860032.00000000034B6000.00000004.00000800.00020000.00000000.sdmp, DBelhwqpBHYlUyo.exe, 00000008.00000002.577869990.00000000034BA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pWbdf0oaMVq.org
Source: DBelhwqpBHYlUyo.exe, 00000008.00000002.578014039.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, DBelhwqpBHYlUyo.exe, 00000008.00000002.577879749.00000000034C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r3.i.lencr.org/06
Source: DBelhwqpBHYlUyo.exe, 00000008.00000002.578014039.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, DBelhwqpBHYlUyo.exe, 00000008.00000002.577879749.00000000034C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: DBelhwqpBHYlUyo.exe, 00000008.00000002.558831325.0000000003161000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://rqpakr.com
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: DBelhwqpBHYlUyo.exe, 00000000.00000003.290132339.0000000000D5C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.comn
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp, DBelhwqpBHYlUyo.exe, 00000000.00000003.293709440.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: DBelhwqpBHYlUyo.exe, 00000008.00000002.578014039.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, DBelhwqpBHYlUyo.exe, 00000008.00000002.577879749.00000000034C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: DBelhwqpBHYlUyo.exe, 00000008.00000002.578014039.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, DBelhwqpBHYlUyo.exe, 00000008.00000002.577879749.00000000034C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: DBelhwqpBHYlUyo.exe, 00000008.00000002.558831325.0000000003161000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.340782843.0000000003639000.00000004.00000800.00020000.00000000.sdmp, DBelhwqpBHYlUyo.exe, 00000008.00000000.335009031.0000000000402000.00000040.00000400.00020000.00000000.sdmp, DBelhwqpBHYlUyo.exe, 00000008.00000002.551822942.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: DBelhwqpBHYlUyo.exe, 00000008.00000002.558831325.0000000003161000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.340782843.0000000003639000.00000004.00000800.00020000.00000000.sdmp, DBelhwqpBHYlUyo.exe, 00000008.00000000.335009031.0000000000402000.00000040.00000400.00020000.00000000.sdmp, DBelhwqpBHYlUyo.exe, 00000008.00000002.551822942.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: DBelhwqpBHYlUyo.exe, 00000008.00000002.558831325.0000000003161000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: mail.crealuz.es
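Most of the URLs above are string-dump noise (embedded font metadata, the Let's Encrypt CA and OCSP URLs that come with the SMTP server's TLS chain), while the extracted configuration and the single DNS query are what matter. The following is an added example, not part of the Joe Sandbox report: it parses rows in the format shown (configuration extractor, strings found in memory, DNS traffic), redacts the credential before anything is written out, and sorts the URLs into exfiltration infrastructure, unfilled templates such as the Telegram bot URL, known noise, and a bucket for manual review. The noise allowlist and the "last two labels" registered-domain shortcut are analyst assumptions, and the sample rows are a constructed excerpt of this report's rows.

```python
# Added example: turn the report's string/config/DNS rows into triaged IOCs.
# The rows below are a constructed excerpt of the rows printed above; the
# noise allowlist and the registered-domain shortcut are assumptions.
import json
import re
from urllib.parse import urlsplit

REPORT_ROWS = [
    'Source: 8.0.DBelhwqpBHYlUyo.exe.400000.12.unpack | Malware Configuration Extractor: '
    'Agenttesla {"Exfil Mode": "SMTP", "Username": "pablo@crealuz.es", '
    '"Password": "Pu10?as1", "Host": "mail.crealuz.es"}',
    'Source: a.sdmp | String found in binary or memory: http://mail.crealuz.es',
    'Source: a.sdmp | String found in binary or memory: http://crealuz.es',
    'Source: b.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG',
    'Source: b.sdmp | String found in binary or memory: http://r3.o.lencr.org0',
    'Source: a.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/',
    'Source: a.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0',
    'Source: a.sdmp | String found in binary or memory: http://rqpakr.com',
    'Source: unknown | DNS traffic detected: queries for: mail.crealuz.es',
]

# Assumed allowlist: font-vendor metadata and CA URLs seen in any .NET string dump.
NOISE_DOMAINS = {"fontbureau.com", "fonts.com", "letsencrypt.org", "lencr.org",
                 "apache.org", "founder.com.cn"}

URL_RE = re.compile(r"String found in binary or memory:\s*(https?://\S+)")
CONFIG_RE = re.compile(r"Malware Configuration Extractor:\s*\w+\s*(\{.*\})")
DNS_RE = re.compile(r"DNS traffic detected: queries for:\s*(\S+)")
HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}")


def parse_config(rows):
    """Extracted config as a dict, password redacted so it never reaches a ticket."""
    for row in rows:
        m = CONFIG_RE.search(row)
        if m:
            cfg = json.loads(m.group(1))
            if "Password" in cfg:
                cfg["Password"] = "<redacted>"
            return cfg
    return None


def hostname(url):
    """Best-effort host. The string extractor fuses adjacent strings ('org0',
    'orgGETMozilla'); trailing digits are trimmed, fused letters are left for review."""
    raw = (urlsplit(url).hostname or "").lower()
    m = HOST_RE.match(raw)
    return m.group(0) if m else raw


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def classify(url, exfil_domain):
    host = hostname(url)
    if "%" in url:                       # %telegramapi%-style placeholder never filled in
        return "template"
    if exfil_domain and in_domain(host, exfil_domain):
        return "exfil"
    if any(in_domain(host, d) for d in NOISE_DOMAINS):
        return "noise"
    return "review"


def triage_iocs(rows):
    cfg = parse_config(rows)
    exfil_domain = None
    if cfg and cfg.get("Host"):
        # Assumption: registered domain is the last two labels (true for .es here).
        exfil_domain = ".".join(cfg["Host"].lower().split(".")[-2:])
    buckets = {"exfil": set(), "template": set(), "noise": set(), "review": set()}
    for row in rows:
        m = URL_RE.search(row)
        if m:
            buckets[classify(m.group(1), exfil_domain)].add(m.group(1))
    dns = {m.group(1).lower() for m in map(DNS_RE.search, rows) if m}
    # The DNS row corroborates the static config: the payload actually resolved the host.
    resolved = bool(cfg) and cfg.get("Host", "").lower() in dns
    return {"config": cfg, "exfil_domain": exfil_domain, "dns_queries": sorted(dns),
            "config_host_resolved": resolved, **{k: sorted(v) for k, v in buckets.items()}}


if __name__ == "__main__":
    print(json.dumps(triage_iocs(REPORT_ROWS), indent=2))
```

The "review" bucket is deliberate: api.ipify.org (the external-IP lookup AgentTesla performs) and rqpakr.com are neither config infrastructure nor font noise, and a host fused with neighbouring bytes must not be blocked or reported verbatim.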

                    System Summary

Source: 0.2.DBelhwqpBHYlUyo.exe.36c96e8.5.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.0.DBelhwqpBHYlUyo.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.0.DBelhwqpBHYlUyo.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.DBelhwqpBHYlUyo.exe.267d994.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 8.0.DBelhwqpBHYlUyo.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.0.DBelhwqpBHYlUyo.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.0.DBelhwqpBHYlUyo.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.DBelhwqpBHYlUyo.exe.36938c8.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.2.DBelhwqpBHYlUyo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.DBelhwqpBHYlUyo.exe.26fd268.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.DBelhwqpBHYlUyo.exe.36938c8.4.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.DBelhwqpBHYlUyo.exe.36c96e8.5.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000008.00000002.558831325.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: DBelhwqpBHYlUyo.exe PID: 1880, type: MEMORYSTR | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.0.DBelhwqpBHYlUyo.exe.400000.12.unpack, <PrivateImplementationDetails>{948FCBE9-D640-40E1-9962-6514F106D02B}/72686AA0-E84F-4284-85E1-56533E68DBF8.cs | Large array initialization: .cctor: array initializer size 12002
Source: 8.0.DBelhwqpBHYlUyo.exe.400000.4.unpack, <PrivateImplementationDetails>{948FCBE9-D640-40E1-9962-6514F106D02B}/72686AA0-E84F-4284-85E1-56533E68DBF8.cs | Large array initialization: .cctor: array initializer size 12002
Source: 8.0.DBelhwqpBHYlUyo.exe.400000.6.unpack, <PrivateImplementationDetails>{948FCBE9-D640-40E1-9962-6514F106D02B}/72686AA0-E84F-4284-85E1-56533E68DBF8.cs | Large array initialization: .cctor: array initializer size 12002
Source: 8.0.DBelhwqpBHYlUyo.exe.400000.8.unpack, <PrivateImplementationDetails>{948FCBE9-D640-40E1-9962-6514F106D02B}/72686AA0-E84F-4284-85E1-56533E68DBF8.cs | Large array initialization: .cctor: array initializer size 12002
Source: DBelhwqpBHYlUyo.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 0.2.DBelhwqpBHYlUyo.exe.36c96e8.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 8.0.DBelhwqpBHYlUyo.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 8.0.DBelhwqpBHYlUyo.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.DBelhwqpBHYlUyo.exe.267d994.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 8.0.DBelhwqpBHYlUyo.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 8.0.DBelhwqpBHYlUyo.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 8.0.DBelhwqpBHYlUyo.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.DBelhwqpBHYlUyo.exe.36938c8.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 8.2.DBelhwqpBHYlUyo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.DBelhwqpBHYlUyo.exe.26fd268.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.DBelhwqpBHYlUyo.exe.36938c8.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.DBelhwqpBHYlUyo.exe.36c96e8.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000008.00000002.558831325.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: DBelhwqpBHYlUyo.exe PID: 1880, type: MEMORYSTR | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Code function: 0_2_00B072B8
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Code function: 0_2_00B072AF
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Code function: 0_2_00B074F7
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Code function: 0_2_00B09939
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Code function: 8_2_030147A0
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Code function: 8_2_03014773
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Code function: 8_2_03014790
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Code function: 8_2_030146B0
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.340270332.000000000268C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCharTypeIn.exe4 vs DBelhwqpBHYlUyo.exe
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.340270332.000000000268C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs DBelhwqpBHYlUyo.exe
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.340270332.000000000268C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs DBelhwqpBHYlUyo.exe
Source: DBelhwqpBHYlUyo.exe, 00000000.00000000.281611638.00000000002F6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCharTypeIn.exe4 vs DBelhwqpBHYlUyo.exe
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.340782843.0000000003639000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamegaUITcpBUdDqUoBDyQffArMwzTnQCYuykS.exe4 vs DBelhwqpBHYlUyo.exe
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.340782843.0000000003639000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs DBelhwqpBHYlUyo.exe
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.340392025.00000000026E9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs DBelhwqpBHYlUyo.exe
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.340180618.0000000002631000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs DBelhwqpBHYlUyo.exe
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.340180618.0000000002631000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs DBelhwqpBHYlUyo.exe
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.340180618.0000000002631000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamegaUITcpBUdDqUoBDyQffArMwzTnQCYuykS.exe4 vs DBelhwqpBHYlUyo.exe
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.345110452.0000000007670000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs DBelhwqpBHYlUyo.exe
Source: DBelhwqpBHYlUyo.exe, 00000008.00000000.333455914.0000000000EF6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCharTypeIn.exe4 vs DBelhwqpBHYlUyo.exe
Source: DBelhwqpBHYlUyo.exe, 00000008.00000002.551822942.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamegaUITcpBUdDqUoBDyQffArMwzTnQCYuykS.exe4 vs DBelhwqpBHYlUyo.exe
Source: DBelhwqpBHYlUyo.exe | Binary or memory string: OriginalFilenameCharTypeIn.exe4 vs DBelhwqpBHYlUyo.exe
Source: DBelhwqpBHYlUyo.exe | Virustotal: Detection: 39%
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | File read: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe:Zone.Identifier
Source: DBelhwqpBHYlUyo.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe "C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe"
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Process created: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Process created: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DBelhwqpBHYlUyo.exe.log
Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/1@3/0
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: DBelhwqpBHYlUyo.exe, gz/AR.cs | Cryptographic APIs: 'CreateDecryptor'
Source: DBelhwqpBHYlUyo.exe, gz/AR.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DBelhwqpBHYlUyo.exe.220000.0.unpack, gz/AR.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DBelhwqpBHYlUyo.exe.220000.0.unpack, gz/AR.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.DBelhwqpBHYlUyo.exe.220000.0.unpack, gz/AR.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.DBelhwqpBHYlUyo.exe.220000.0.unpack, gz/AR.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 8.0.DBelhwqpBHYlUyo.exe.e20000.0.unpack, gz/AR.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 8.0.DBelhwqpBHYlUyo.exe.e20000.0.unpack, gz/AR.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 8.0.DBelhwqpBHYlUyo.exe.400000.12.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.0.DBelhwqpBHYlUyo.exe.400000.12.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: DBelhwqpBHYlUyo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DBelhwqpBHYlUyo.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: DBelhwqpBHYlUyo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: DBelhwqpBHYlUyo.exe | Binary string: CharTypeIn.pdb
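The behaviour rows above describe a chain worth detecting on an endpoint, independent of any hash: the sample launches a second copy of its own image (PID 3892 spawning PID 1880, which the signature list attributes to a suspended process creation followed by PE injection), fingerprints the hardware through WMI (Win32_Processor here, plus Win32_Bios, Win32_BaseBoard and Win32_NetworkAdapter in the signature list), and the second process is the one that resolves the configured mail host. The following is an added example, not part of the report: detection logic run over constructed, Sysmon-style events whose field names are an assumption, with PIDs taken from the process tree at the top of the report. The read of HKCU\...\Safer\CodeIdentifiers is deliberately not a rule, because the CLR performs it for every .NET process.

```python
# Added example: behaviour-based detections over constructed telemetry in the
# spirit of the rows above. Event shape (Sysmon-like dicts) is an assumption.
from collections import defaultdict

IMAGE = r"C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe"

# Constructed events, PIDs as in the report's process tree.
EVENTS = [
    {"type": "ProcessCreate", "pid": 3892, "ppid": 1000, "image": IMAGE,
     "parent_image": r"C:\Windows\explorer.exe", "flags": []},
    {"type": "WmiQuery", "pid": 3892, "class": "Win32_Processor"},
    {"type": "WmiQuery", "pid": 3892, "class": "Win32_Bios"},
    {"type": "WmiQuery", "pid": 3892, "class": "Win32_BaseBoard"},
    {"type": "WmiQuery", "pid": 3892, "class": "Win32_NetworkAdapter"},
    {"type": "RegistryOpen", "pid": 3892,
     "key": r"HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"},
    {"type": "ProcessCreate", "pid": 1880, "ppid": 3892, "image": IMAGE,
     "parent_image": IMAGE, "flags": ["CREATE_SUSPENDED"]},
    {"type": "DnsQuery", "pid": 1880, "query": "mail.crealuz.es"},
]

# WMI classes the report names as VM-fingerprinting sources.
VM_FINGERPRINT_CLASSES = {"Win32_Processor", "Win32_Bios", "Win32_BaseBoard",
                          "Win32_NetworkAdapter"}


def detect_self_spawn(events):
    """A process launching its own image again, suspended: the process-hollowing
    setup behind 'Creates a process in suspended mode (likely to inject code)'."""
    out = []
    for e in events:
        if e["type"] == "ProcessCreate" and e["image"].lower() == e["parent_image"].lower():
            sev = "high" if "CREATE_SUSPENDED" in e["flags"] else "medium"
            out.append({"rule": "self_spawn", "pid": e["pid"], "ppid": e["ppid"],
                        "severity": sev})
    return out


def detect_vm_fingerprinting(events, threshold=2):
    """Two or more hardware classes enumerated by one process; a single
    Win32_Processor query is common in legitimate installers and is ignored."""
    per_pid = defaultdict(set)
    for e in events:
        if e["type"] == "WmiQuery" and e["class"] in VM_FINGERPRINT_CLASSES:
            per_pid[e["pid"]].add(e["class"])
    return [{"rule": "vm_fingerprinting", "pid": pid, "classes": sorted(c),
             "severity": "medium"} for pid, c in per_pid.items() if len(c) >= threshold]


def detect_c2_dns(events, c2_hosts):
    """DNS for a host taken from the extracted configuration."""
    return [{"rule": "c2_dns", "pid": e["pid"], "query": e["query"], "severity": "high"}
            for e in events if e["type"] == "DnsQuery" and e["query"].lower() in c2_hosts]


def triage_behaviour(events, c2_hosts=frozenset({"mail.crealuz.es"})):
    findings = (detect_self_spawn(events) + detect_vm_fingerprinting(events)
                + detect_c2_dns(events, c2_hosts))
    # Correlate: when the DNS comes from the suspended-spawned child, the
    # beaconing code is running inside the hollowed copy, not the original.
    hollowed = {f["pid"] for f in findings if f["rule"] == "self_spawn"}
    for f in findings:
        if f["rule"] == "c2_dns" and f["pid"] in hollowed:
            f["note"] = "query issued by the suspended-spawned child; consistent with injected payload"
    return findings


if __name__ == "__main__":
    for f in triage_behaviour(EVENTS):
        print(f)
```

The self-spawn rule fires on the suspended creation alone; the report's "Injects a PE file into a foreign processes" signature is the memory-write side of the same technique, and a production rule would raise severity further when a WriteProcessMemory or SetThreadContext event on the child follows within a short window.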

                    Data Obfuscation

                    Source: DBelhwqpBHYlUyo.exe, eA/xG.cs | .Net Code: HPv System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 0.2.DBelhwqpBHYlUyo.exe.220000.0.unpack, eA/xG.cs | .Net Code: HPv System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 0.0.DBelhwqpBHYlUyo.exe.220000.0.unpack, eA/xG.cs | .Net Code: HPv System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 8.0.DBelhwqpBHYlUyo.exe.e20000.0.unpack, eA/xG.cs | .Net Code: HPv System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 8.0.DBelhwqpBHYlUyo.exe.e20000.9.unpack, eA/xG.cs | .Net Code: HPv System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 8.0.DBelhwqpBHYlUyo.exe.e20000.5.unpack, eA/xG.cs | .Net Code: HPv System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 8.0.DBelhwqpBHYlUyo.exe.e20000.13.unpack, eA/xG.cs | .Net Code: HPv System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 8.0.DBelhwqpBHYlUyo.exe.e20000.2.unpack, eA/xG.cs | .Net Code: HPv System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 8.2.DBelhwqpBHYlUyo.exe.e20000.1.unpack, eA/xG.cs | .Net Code: HPv System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 8.0.DBelhwqpBHYlUyo.exe.e20000.3.unpack, eA/xG.cs | .Net Code: HPv System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: DBelhwqpBHYlUyo.exe, gz/AR.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 0.2.DBelhwqpBHYlUyo.exe.220000.0.unpack, gz/AR.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 0.0.DBelhwqpBHYlUyo.exe.220000.0.unpack, gz/AR.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 8.0.DBelhwqpBHYlUyo.exe.e20000.0.unpack, gz/AR.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 8.0.DBelhwqpBHYlUyo.exe.e20000.9.unpack, gz/AR.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 8.0.DBelhwqpBHYlUyo.exe.e20000.5.unpack, gz/AR.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 8.0.DBelhwqpBHYlUyo.exe.e20000.13.unpack, gz/AR.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 8.0.DBelhwqpBHYlUyo.exe.e20000.2.unpack, gz/AR.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 8.2.DBelhwqpBHYlUyo.exe.e20000.1.unpack, gz/AR.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 8.0.DBelhwqpBHYlUyo.exe.e20000.3.unpack, gz/AR.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Code function: 8_2_0301D919 push FFFFFF8Bh; iretd 8_2_0301D91B
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Process information set: NOOPENFILEERRORBOX (identical entry reported 79 times)
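The Data Obfuscation entries above, together with the static PE facts at the top of this page, give a reviewer three things to verify offline without re-running the sandbox: the file carries a CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR), its DllCharacteristics are NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE and NX_COMPAT, and the code reaches AppDomain.Load(byte[]) directly but resolves GetDelegateForFunctionPointer by name through reflection. That last detail matters for detection: a directly referenced member name sits as null-terminated UTF-8 in the #Strings metadata heap, while a name passed to GetMethod("...") is a UTF-16LE literal in the #US heap, so an ASCII-only string scan misses it. The Python below is an added example written for this page, not Joe Sandbox code: it reads the header fields with the standard library only and scans for the indicator names in both encodings. The build_sample_pe helper fabricates a minimal managed PE32 image so the block runs offline; it is constructed for the demonstration and is not the analysed sample.

```python
import struct

# Indicator names taken from the report. Direct references live as UTF-8 in the
# #Strings heap; names looked up via reflection live as UTF-16LE in the #US heap.
INDICATORS = ("GetDelegateForFunctionPointer", "AppDomain", "Load")

# IMAGE_DLLCHARACTERISTICS_* bits for the flags listed in the report.
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # the CLR header data directory


def parse_pe(data: bytes) -> dict:
    """Read the optional-header fields needed for triage; raises on non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: NumberOfRvaAndSizes at +92, directories at +96
        nrva_off, dir_off = 92, 96
    elif magic == 0x20B:    # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        nrva_off, dir_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    n_dirs = struct.unpack_from("<I", data, opt + nrva_off)[0]
    clr_va = clr_size = 0
    entry = dir_off + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8
    if n_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR and entry + 8 <= size_of_optional:
        clr_va, clr_size = struct.unpack_from("<II", data, opt + entry)
    return {"magic": magic, "dll_characteristics": dll_chars,
            "clr_va": clr_va, "clr_size": clr_size}


def is_managed(info: dict) -> bool:
    """A non-empty COM descriptor directory means the image carries a CLR header."""
    return info["clr_size"] != 0


def dll_characteristics(info: dict) -> list:
    bits = info["dll_characteristics"]
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if bits & bit]


def find_indicators(data: bytes) -> dict:
    """Map each indicator found to the encodings it was found in."""
    hits = {}
    for name in INDICATORS:
        encodings = []
        if b"\0" + name.encode() + b"\0" in data:     # #Strings heap style (UTF-8)
            encodings.append("utf-8")
        if name.encode("utf-16-le") in data:         # #US heap / string literal
            encodings.append("utf-16-le")
        if encodings:
            hits[name] = encodings
    return hits


def build_sample_pe(managed: bool = True) -> bytes:
    """Constructed minimal PE32 image for the demonstration (not the analysed
    sample): valid headers, no sections, then raw bytes imitating heap content."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<H", opt, 70, 0x8540)                    # the four flags above
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)  # CLR header RVA/size
    heap = b"\0AppDomain\0Load\0" + "GetDelegateForFunctionPointer".encode("utf-16-le")
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + heap


def triage(data: bytes) -> dict:
    info = parse_pe(data)
    return {"managed": is_managed(info),
            "dll_characteristics": dll_characteristics(info),
            "indicators": find_indicators(data)}


if __name__ == "__main__":
    print(triage(build_sample_pe()))
```

On the constructed image the result reports a managed PE with all four flags, AppDomain and Load found as UTF-8 and GetDelegateForFunctionPointer found only as UTF-16LE, which is exactly the pattern a reflection-based lookup leaves behind. Load on its own is too generic to act on; it is only meaningful next to an AppDomain reference, as in the report.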

                    Malware Analysis System Evasion

                    Source: Yara match | File source: 0.2.DBelhwqpBHYlUyo.exe.267d994.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DBelhwqpBHYlUyo.exe.26fd268.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.340180618.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.340392025.00000000026E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: DBelhwqpBHYlUyo.exe PID: 3892, type: MEMORYSTR
                    Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.340392025.00000000026E9000.00000004.00000800.00020000.00000000.sdmp, DBelhwqpBHYlUyo.exe, 00000000.00000002.340180618.0000000002631000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.340392025.00000000026E9000.00000004.00000800.00020000.00000000.sdmp, DBelhwqpBHYlUyo.exe, 00000000.00000002.340180618.0000000002631000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe TID: 4072 | Thread sleep time: -39050s >= -30000s
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe TID: 5044 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe TID: 1864 | Thread sleep time: -19369081277395017s >= -30000s
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe TID: 5520 | Thread sleep count: 7288 > 30
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe TID: 5520 | Thread sleep count: 2550 > 30
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Window / User API: threadDelayed 7288
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Window / User API: threadDelayed 2550
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Thread delayed: delay time: 39050
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Thread delayed: delay time: 922337203685477
                    Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.340180618.0000000002631000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                    Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.340180618.0000000002631000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.340180618.0000000002631000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                    Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.340180618.0000000002631000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Memory allocated: page read and write | page guard
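Read together, the entries in this section form a triage pattern that can be matched mechanically: sandbox DLL and Wine export names in memory, WMI enumeration of Win32_BaseBoard, Win32_Processor and Win32_NetworkAdapterConfiguration, sleeps of 39050 and 922337203685477 units against the report's 30000 threshold, sleep loops of 7288 and 2550 iterations against its threshold of 30, VMware Tools strings and a Debug privilege adjustment. The next section adds the write of an MZ header at base 400000 into a freshly created copy of the same executable, which is the self-injection the summary flags. The Python below is an added example written for this page, not Joe Sandbox code: it re-applies the report's own thresholds to event lines, assumes " | " separates the Source column from the description column, and uses a re-typed subset of the page's own lines as constructed input. The 922337203685477 values are far beyond any plausible delay and act as an effectively unbounded wait, so they fall under the same long_sleep rule as the 39050 one.

```python
import re
from collections import Counter

# Constructed input: a re-typed subset of the report's event lines, with
# " | " separating the Source column from the description column.
SAMPLE_EVENTS = r"""
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.340392025.00000000026E9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.340180618.0000000002631000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe TID: 4072 | Thread sleep time: -39050s >= -30000s
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe TID: 5044 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe TID: 5520 | Thread sleep count: 7288 > 30
Source: DBelhwqpBHYlUyo.exe, 00000000.00000002.340180618.0000000002631000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Memory written: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Process created: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe
"""

# Strings and WMI classes named in the report (compared case-insensitively).
SANDBOX_MARKERS = ("SBIEDLL.DLL", "WINE_GET_UNIX_FILE_NAME", "VMWARE")
VM_WMI_CLASSES = {"Win32_BaseBoard", "Win32_Bios", "Win32_Processor",
                  "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration"}
SLEEP_LIMIT = 30000   # the report's own threshold for "Thread sleep time"
LOOP_LIMIT = 30       # the report's own threshold for "Thread sleep count"

_SLEEP_TIME = re.compile(r"Thread sleep time: -?(\d+)s")
_SLEEP_COUNT = re.compile(r"Thread sleep count: (\d+)")
_WMI_CLASS = re.compile(r"WMI Queries: .*: (Win32_\w+)")
_MZ_WRITE = re.compile(r"Memory written: (.+?) base: ([0-9A-Fa-f]+) value starts with: 4D5A")
_PROC_CREATED = re.compile(r"Process created: (\S+)")   # assumes no spaces in the image path


def parse_events(text: str):
    """Yield (source, description) pairs from report lines; skip anything else."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("Source: "):
            continue
        source, sep, desc = line[len("Source: "):].partition(" | ")
        if sep:
            yield source, desc


def triage(text: str) -> list:
    """Return (rule, source, detail) findings for the evasion and injection signals."""
    findings, mz_writes, created = [], [], set()
    for source, desc in parse_events(text):
        upper = desc.upper()
        for marker in SANDBOX_MARKERS:
            if marker in upper:
                findings.append(("sandbox_artifact", source, marker))
                break
        m = _WMI_CLASS.search(desc)
        if m and m.group(1) in VM_WMI_CLASSES:
            findings.append(("vm_wmi_probe", source, m.group(1)))
        m = _SLEEP_TIME.search(desc)
        if m and int(m.group(1)) >= SLEEP_LIMIT:
            findings.append(("long_sleep", source, m.group(1)))
        m = _SLEEP_COUNT.search(desc)
        if m and int(m.group(1)) > LOOP_LIMIT:
            findings.append(("sleep_loop", source, m.group(1)))
        if "Process token adjusted: Debug" in desc:
            findings.append(("debug_privilege", source, "SeDebugPrivilege"))
        m = _MZ_WRITE.search(desc)
        if m:
            mz_writes.append((source, m.group(1), m.group(2)))
        m = _PROC_CREATED.search(desc)
        if m:
            created.add(m.group(1))
    # An MZ header written into an image the same process also created is the
    # hollowing pattern the report flags as "Injects a PE file into a foreign process".
    for source, target, base in mz_writes:
        if target in created:
            findings.append(("process_hollowing_candidate", source, f"{target} @ {base}"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per rule, e.g. {'sandbox_artifact': 3, ...}."""
    return dict(Counter(rule for rule, _, _ in findings))


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
    print(summarize(triage(SAMPLE_EVENTS)))
```

In a real pipeline the column split would come from the report's machine-readable export rather than from its rendered text, and the _PROC_CREATED pattern would need quoting-aware parsing for image paths under C:\Program Files. The rules are deliberately conservative: a single WMI query or sleep is routine, so a verdict should be drawn from the combination the summary shows, not from any one rule.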

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Memory written: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Process created: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Queries volume information (VolumeInformation) for each of the following files, in the order observed:
• C:\Windows\Fonts\FRABKIT.TTF
• C:\Windows\Fonts\FORTE.TTF
• C:\Windows\Fonts\FELIXTI.TTF
• C:\Windows\Fonts\ERASMD.TTF
• C:\Windows\Fonts\ERASLGHT.TTF
• C:\Windows\Fonts\ERASDEMI.TTF
• C:\Windows\Fonts\ERASBD.TTF
• C:\Windows\Fonts\ENGR.TTF
• C:\Windows\Fonts\ELEPHNT.TTF
• C:\Windows\Fonts\ELEPHNTI.TTF
• C:\Windows\Fonts\ITCEDSCR.TTF
• C:\Windows\Fonts\CURLZ___.TTF
• C:\Windows\Fonts\COPRGTL.TTF
• C:\Windows\Fonts\COPRGTB.TTF
• C:\Windows\Fonts\CENSCBK.TTF
• C:\Windows\Fonts\SCHLBKI.TTF
• C:\Windows\Fonts\SCHLBKB.TTF
• C:\Windows\Fonts\SCHLBKBI.TTF
• C:\Windows\Fonts\CASTELAR.TTF
• C:\Windows\Fonts\CALIST.TTF
• C:\Windows\Fonts\CALISTI.TTF
• C:\Windows\Fonts\CALISTB.TTF
• C:\Windows\Fonts\CALISTBI.TTF
• C:\Windows\Fonts\BOOKOS.TTF
• C:\Windows\Fonts\BOOKOSB.TTF
• C:\Windows\Fonts\BOOKOSI.TTF
• C:\Windows\Fonts\BOOKOSBI.TTF
• C:\Windows\Fonts\BOD_R.TTF
• C:\Windows\Fonts\BOD_I.TTF
• C:\Windows\Fonts\BOD_B.TTF
• C:\Windows\Fonts\BOD_BI.TTF
• C:\Windows\Fonts\BOD_CR.TTF
• C:\Windows\Fonts\BOD_BLAR.TTF
• C:\Windows\Fonts\BOD_CI.TTF
• C:\Windows\Fonts\BOD_CB.TTF
• C:\Windows\Fonts\BOD_BLAI.TTF
• C:\Windows\Fonts\BOD_CBI.TTF
• C:\Windows\Fonts\ITCBLKAD.TTF
• C:\Windows\Fonts\ARLRDBD.TTF
• C:\Windows\Fonts\AGENCYR.TTF
• C:\Windows\Fonts\AGENCYB.TTF
• C:\Windows\Fonts\BSSYM7.TTF
• C:\Windows\Fonts\REFSAN.TTF
• C:\Windows\Fonts\REFSPCL.TTF
• C:\Windows\Fonts\MTEXTRA.TTF
• C:\Windows\Fonts\marlett.ttf
• C:\Windows\Fonts\cour.ttf
• C:\Windows\Fonts\couri.ttf
• C:\Windows\Fonts\courbd.ttf
• C:\Windows\Fonts\courbi.ttf
• C:\Windows\Fonts\micross.ttf
• C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
• C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe
• C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
• C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
• C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll (queried three times)
• C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
Source: C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

Source: Yara match | File source: 00000008.00000002.558831325.0000000003161000.00000004.00000800.00020000.00000000.sdmp | Type: MEMORY
Source: Yara match | File source: Process Memory Space: DBelhwqpBHYlUyo.exe PID: 3892 | Type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: DBelhwqpBHYlUyo.exe PID: 1880 | Type: MEMORYSTR
Source: Yara match | File source: 0.2.DBelhwqpBHYlUyo.exe.36c96e8.5.unpack | Type: UNPACKEDPE
Source: Yara match | File source: 8.0.DBelhwqpBHYlUyo.exe.400000.6.unpack | Type: UNPACKEDPE
Source: Yara match | File source: 8.0.DBelhwqpBHYlUyo.exe.400000.4.unpack | Type: UNPACKEDPE
Source: Yara match | File source: 8.0.DBelhwqpBHYlUyo.exe.400000.8.unpack | Type: UNPACKEDPE
Source: Yara match | File source: 8.0.DBelhwqpBHYlUyo.exe.400000.12.unpack | Type: UNPACKEDPE
Source: Yara match | File source: 8.0.DBelhwqpBHYlUyo.exe.400000.10.unpack | Type: UNPACKEDPE
Source: Yara match | File source: 0.2.DBelhwqpBHYlUyo.exe.36938c8.4.unpack | Type: UNPACKEDPE
Source: Yara match | File source: 8.2.DBelhwqpBHYlUyo.exe.400000.0.unpack | Type: UNPACKEDPE
Source: Yara match | File source: 0.2.DBelhwqpBHYlUyo.exe.36938c8.4.raw.unpack | Type: UNPACKEDPE
Source: Yara match | File source: 0.2.DBelhwqpBHYlUyo.exe.36c96e8.5.raw.unpack | Type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000000.335009031.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY
Source: Yara match | File source: 00000008.00000002.551822942.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY
Source: Yara match | File source: 00000008.00000000.335724383.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY
Source: Yara match | File source: 00000008.00000000.337726031.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY
Source: Yara match | File source: 00000008.00000000.336357298.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY
Source: Yara match | File source: 00000000.00000002.340782843.0000000003639000.00000004.00000800.00020000.00000000.sdmp | Type: MEMORY
Source: Yara match | File source: 00000008.00000002.558831325.0000000003161000.00000004.00000800.00020000.00000000.sdmp | Type: MEMORY
Source: Yara match | File source: Process Memory Space: DBelhwqpBHYlUyo.exe PID: 3892 | Type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: DBelhwqpBHYlUyo.exe PID: 1880 | Type: MEMORYSTR
Source: Yara match | File source: 00000008.00000002.558831325.0000000003161000.00000004.00000800.00020000.00000000.sdmp | Type: MEMORY
Source: Yara match | File source: Process Memory Space: DBelhwqpBHYlUyo.exe PID: 1880 | Type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match | File source: 00000008.00000002.558831325.0000000003161000.00000004.00000800.00020000.00000000.sdmp | Type: MEMORY
Source: Yara match | File source: Process Memory Space: DBelhwqpBHYlUyo.exe PID: 3892 | Type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: DBelhwqpBHYlUyo.exe PID: 1880 | Type: MEMORYSTR
Source: Yara match | File source: 0.2.DBelhwqpBHYlUyo.exe.36c96e8.5.unpack | Type: UNPACKEDPE
Source: Yara match | File source: 8.0.DBelhwqpBHYlUyo.exe.400000.6.unpack | Type: UNPACKEDPE
Source: Yara match | File source: 8.0.DBelhwqpBHYlUyo.exe.400000.4.unpack | Type: UNPACKEDPE
Source: Yara match | File source: 8.0.DBelhwqpBHYlUyo.exe.400000.8.unpack | Type: UNPACKEDPE
Source: Yara match | File source: 8.0.DBelhwqpBHYlUyo.exe.400000.12.unpack | Type: UNPACKEDPE
Source: Yara match | File source: 8.0.DBelhwqpBHYlUyo.exe.400000.10.unpack | Type: UNPACKEDPE
Source: Yara match | File source: 0.2.DBelhwqpBHYlUyo.exe.36938c8.4.unpack | Type: UNPACKEDPE
Source: Yara match | File source: 8.2.DBelhwqpBHYlUyo.exe.400000.0.unpack | Type: UNPACKEDPE
Source: Yara match | File source: 0.2.DBelhwqpBHYlUyo.exe.36938c8.4.raw.unpack | Type: UNPACKEDPE
Source: Yara match | File source: 0.2.DBelhwqpBHYlUyo.exe.36c96e8.5.raw.unpack | Type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000000.335009031.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY
Source: Yara match | File source: 00000008.00000002.551822942.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY
Source: Yara match | File source: 00000008.00000000.335724383.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY
Source: Yara match | File source: 00000008.00000000.337726031.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY
Source: Yara match | File source: 00000008.00000000.336357298.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY
Source: Yara match | File source: 00000000.00000002.340782843.0000000003639000.00000004.00000800.00020000.00000000.sdmp | Type: MEMORY
Source: Yara match | File source: 00000008.00000002.558831325.0000000003161000.00000004.00000800.00020000.00000000.sdmp | Type: MEMORY
Source: Yara match | File source: Process Memory Space: DBelhwqpBHYlUyo.exe PID: 3892 | Type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: DBelhwqpBHYlUyo.exe PID: 1880 | Type: MEMORYSTR
MITRE ATT&CK Matrix

Transposed from the page's 14-column grid, one tactic per line. Bracketed figures are the badge numbers shown in the original matrix cells; only techniques carrying a badge were matched by this analysis, the rest are the unmatched cells of the matrix template.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [211]; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection [111]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [131]; Process Injection [111]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [1]; Software Packing [21]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery [211]; Process Discovery [1]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; System Information Discovery [113]; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data [11]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [1]; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Initial Sample
Source | Detection | Scanner | Label
DBelhwqpBHYlUyo.exe | 39% | Virustotal |
DBelhwqpBHYlUyo.exe | 17% | Metadefender |
DBelhwqpBHYlUyo.exe | 100% | Joe Sandbox ML |

Dropped Files
No Antivirus matches

Unpacked PE Files
Source | Detection | Scanner | Label
8.0.DBelhwqpBHYlUyo.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
8.0.DBelhwqpBHYlUyo.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
8.0.DBelhwqpBHYlUyo.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
8.0.DBelhwqpBHYlUyo.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
8.0.DBelhwqpBHYlUyo.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
8.2.DBelhwqpBHYlUyo.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains
Source | Detection | Scanner | Label
crealuz.es | 0% | Virustotal |
x1.i.lencr.org | 1% | Virustotal |
mail.crealuz.es | 1% | Virustotal |

URLs
Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://blog.iandreev.com/ | 0% | Avira URL Cloud | safe
http://pWbdf0oaMVq.org | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
http://crealuz.es | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://rqpakr.com | 0% | Avira URL Cloud | safe
http://blog.iandreev.com | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://mail.crealuz.es | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
https://api.ipify.orgGETMozilla/5.0 | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://r3.i.lencr.org/06 | 0% | Avira URL Cloud | safe
http://r3.o.lencr.org0 | 0% | URL Reputation | safe
http://www.fonts.comn | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
crealuz.es | 185.101.224.222 | true | true | | unknown
x1.i.lencr.org | unknown | unknown | false | | unknown
mail.crealuz.es | unknown | unknown | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | DBelhwqpBHYlUyo.exe, 00000008.00000002.558831325.0000000003161000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://DynDns.comDynDNS | DBelhwqpBHYlUyo.exe, 00000008.00000002.558831325.0000000003161000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://blog.iandreev.com/ | DBelhwqpBHYlUyo.exe, 00000000.00000002.340180618.0000000002631000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pWbdf0oaMVq.org | DBelhwqpBHYlUyo.exe, 00000008.00000002.577920507.00000000034E3000.00000004.00000800.00020000.00000000.sdmp; DBelhwqpBHYlUyo.exe, 00000008.00000002.577860032.00000000034B6000.00000004.00000800.00020000.00000000.sdmp; DBelhwqpBHYlUyo.exe, 00000008.00000002.577869990.00000000034BA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://cps.letsencrypt.org0 | DBelhwqpBHYlUyo.exe, 00000008.00000002.578014039.00000000034FF000.00000004.00000800.00020000.00000000.sdmp; DBelhwqpBHYlUyo.exe, 00000008.00000002.577879749.00000000034C0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crealuz.es | DBelhwqpBHYlUyo.exe, 00000008.00000002.577879749.00000000034C0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | DBelhwqpBHYlUyo.exe, 00000008.00000002.558831325.0000000003161000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://rqpakr.com | DBelhwqpBHYlUyo.exe, 00000008.00000002.558831325.0000000003161000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://blog.iandreev.com | DBelhwqpBHYlUyo.exe, 00000000.00000002.340180618.0000000002631000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://mail.crealuz.es | DBelhwqpBHYlUyo.exe, 00000008.00000002.577879749.00000000034C0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.orgGETMozilla/5.0 | DBelhwqpBHYlUyo.exe, 00000008.00000002.558831325.0000000003161000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp; DBelhwqpBHYlUyo.exe, 00000000.00000003.293709440.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot%telegramapi%/ | DBelhwqpBHYlUyo.exe, 00000000.00000002.340782843.0000000003639000.00000004.00000800.00020000.00000000.sdmp; DBelhwqpBHYlUyo.exe, 00000008.00000000.335009031.0000000000402000.00000040.00000400.00020000.00000000.sdmp; DBelhwqpBHYlUyo.exe, 00000008.00000002.551822942.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | DBelhwqpBHYlUyo.exe, 00000008.00000002.578014039.00000000034FF000.00000004.00000800.00020000.00000000.sdmp; DBelhwqpBHYlUyo.exe, 00000008.00000002.577879749.00000000034C0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | DBelhwqpBHYlUyo.exe, 00000008.00000002.578014039.00000000034FF000.00000004.00000800.00020000.00000000.sdmp; DBelhwqpBHYlUyo.exe, 00000008.00000002.577879749.00000000034C0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://r3.i.lencr.org/06 | DBelhwqpBHYlUyo.exe, 00000008.00000002.578014039.00000000034FF000.00000004.00000800.00020000.00000000.sdmp; DBelhwqpBHYlUyo.exe, 00000008.00000002.577879749.00000000034C0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://r3.o.lencr.org0 | DBelhwqpBHYlUyo.exe, 00000008.00000002.578014039.00000000034FF000.00000004.00000800.00020000.00000000.sdmp; DBelhwqpBHYlUyo.exe, 00000008.00000002.577879749.00000000034C0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.comn | DBelhwqpBHYlUyo.exe, 00000000.00000003.290132339.0000000000D5C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | DBelhwqpBHYlUyo.exe, 00000000.00000002.344161494.0000000006802000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

Triage note: the type-foundry and licence URLs (fontbureau.com, tiro.com, sajatypeworks.com, founder.com.cn, goodfont.co.kr, jiyu-kobo.co.jp, sakkal.com and the rest) all sit in one memory region of the parent process (00000000.00000002.344161494.0000000006802000) and match the vendor strings of the font files the same process enumerated earlier in this report; the lencr.org and letsencrypt.org entries are certificate-chain URLs. None of these are contact indicators. The strings worth acting on are the Telegram Bot API template with its %telegramapi% placeholder, the api.ipify.org public-IP lookup (recovered fused to its request text, "GETMozilla/5.0"), the mail.crealuz.es / crealuz.es SMTP host that resolved to 185.101.224.222 and is listed as malicious in the domain table, and the Tor Browser bundle download template with its %tordir% placeholder. The "safe" reputation verdicts on those four are vendor URL-category ratings, not a statement about this sample's use of them.
                                          https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------xDBelhwqpBHYlUyo.exe, 00000008.00000002.558831325.0000000003161000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipDBelhwqpBHYlUyo.exe, 00000000.00000002.340782843.0000000003639000.00000004.00000800.00020000.00000000.sdmp, DBelhwqpBHYlUyo.exe, 00000008.00000000.335009031.0000000000402000.00000040.00000400.00020000.00000000.sdmp, DBelhwqpBHYlUyo.exe, 00000008.00000002.551822942.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            No contacted IP infos
                                            Joe Sandbox Version:34.0.0 Boulder Opal
                                            Analysis ID:562353
                                            Start date:28.01.2022
                                            Start time:19:58:02
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 8m 5s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Sample file name:DBelhwqpBHYlUyo.exe
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:22
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.evad.winEXE@3/1@3/0
                                            EGA Information:
                                            • Successful, ratio: 100%
                                            HDC Information:
                                            • Successful, ratio: 1.7% (good quality ratio 1.4%)
                                            • Quality average: 53.3%
                                            • Quality standard deviation: 35%
                                            HCA Information:
                                            • Successful, ratio: 97%
                                            • Number of executed functions: 34
                                            • Number of non-executed functions: 4
                                            Cookbook Comments:
                                            • Adjust boot time
                                            • Enable AMSI
                                            • Found application associated with file extension: .exe
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                            • Excluded IPs from analysis (whitelisted): 184.87.213.220, 20.54.104.15, 40.91.112.76, 40.112.88.60, 23.77.213.161
                                            • Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, client.wns.windows.com, displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, e8652.dscx.akamaiedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, storeedgefd.xbetservices.akadns.net, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, e16646.dscg.akamaiedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, storeedgefd.dsx.mp.microsoft.com, neu-consume
• Not all processes were analyzed; the report is missing behavior information
                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
Time | Type | Description
19:59:17 | API Interceptor | 570x Sleep call for process: DBelhwqpBHYlUyo.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
No context
                                            Process:C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1216
                                            Entropy (8bit):5.355304211458859
                                            Encrypted:false
                                            SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                            MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                            SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                            SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                            SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                            Malicious:true
                                            Reputation:high, very likely benign file
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
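The dropped text file above is a record of which assemblies the .NET runtime bound while the sample ran: a numeric record type, quoted comma-separated fields and CRLF terminators (the '..' between records in the preview are those CRLF pairs rendered as dots). This format matches the per-executable CLR usage log that the .NET Framework writes under %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs; the report does not state the dropped path, so treat that location as an inference. The parser below is an added example, not part of the report or of Joe Sandbox; its input is constructed from the preview and the meaning assigned to record types 1, 2 and 3 is inferred from those rows. Forensically, such a log tells you which framework assemblies a .NET stealer loaded even when the binary itself is obfuscated.

```python
"""Parse CLR usage-log style records (added example, constructed input)."""
import csv
import io

# Constructed from the report's file preview, with the CRLF terminators restored.
SAMPLE_LOG = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0\r\n'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\\System.ni.dll",0\r\n'
    '2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
    '3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\f1d8480152e0da9a60ad49c6d16a3b6d\\System.Core.ni.dll",0\r\n'
)

# Assemblies worth a second look during triage (assumed watch list, not from the report):
# UI automation, WMI, networking and DPAPI are the usual stealer building blocks.
WATCH_LIST = ("System.Windows.Forms", "System.Management", "System.Net",
              "System.Net.Http", "System.Security")


def parse_usage_log(text):
    """Turn the CSV-like records into dicts. Record types as inferred from the
    preview: 1 = runtime key/value, 2 = assembly bound without a native image
    path, 3 = assembly bound with its NGen native image path."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        kind = int(row[0])
        if kind == 1:
            records.append({"kind": "runtime", "key": row[1], "value": row[2], "flag": int(row[3])})
        elif kind == 2:
            records.append({"kind": "assembly", "name": row[1], "native_image": None, "flag": int(row[2])})
        elif kind == 3:
            records.append({"kind": "assembly", "name": row[1], "native_image": row[2], "flag": int(row[3])})
        else:
            records.append({"kind": "unknown", "fields": row})
    return records


def loaded_assemblies(records):
    """Short assembly names, in the order the runtime bound them."""
    return [r["name"].split(",")[0].strip() for r in records if r["kind"] == "assembly"]


def assemblies_of_interest(records, watch=WATCH_LIST):
    """Subset of the loaded assemblies that appear on the watch list."""
    return [name for name in loaded_assemblies(records) if name in watch]


if __name__ == "__main__":
    recs = parse_usage_log(SAMPLE_LOG)
    for r in recs:
        if r["kind"] == "assembly":
            print(f'{r["name"].split(",")[0]:<24} native image: {r["native_image"] or "-"}')
    print("watch list hits:", assemblies_of_interest(recs))
```

The preview is truncated, so the constructed sample only covers the first six records; on a real log the watch-list hits (for example System.Management for the WMI queries the report's signatures describe) are what you compare against the behaviour seen in the sandbox.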
                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):6.5778692062480655
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            File name:DBelhwqpBHYlUyo.exe
                                            File size:859136
                                            MD5:f865e3cf5f30296353766b374e774261
                                            SHA1:77157d4d36906f6a8e692ad8f0f4fd1c5e65d0ec
                                            SHA256:7ba7b04efd4019c0331f9d2efd8353c641c0d1393d6743cfa3d6d401649232ff
                                            SHA512:edd145e50314a64d56cece3d085086171e766e7d176a905371195b5690aa77bfabd711a8fdd5b2d4f823eb146a0a8ee61925d64774536389e981048eeb1f8f26
                                            SSDEEP:12288:EdK+7Srgk6o9RICx7900jOBLSYQkxLGTZ+bJUokZ20k3:YK+Ug5ovdGLSYbeMA+3
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.............................-... ...@....@.. ....................................@................................
                                            Icon Hash:00828e8e8686b000
                                            Entrypoint:0x4d2dee
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                            Time Stamp:0x61F3DAA4 [Fri Jan 28 11:59:32 2022 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:v4.0.30319
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(followed by 97 repetitions of add byte ptr [eax], al, which is how the zero bytes (00 00) after the 6-byte jmp stub disassemble; the stub is the last instruction in .text, and 00402000h is the IAT slot holding the single import mscoree.dll!_CorExeMain)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd2da0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd6000 | 0x5b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xd2d58 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xd0df4 | 0xd0e00 | False | 0.516395262941 | data | 6.58326371521 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.sdata | 0xd4000 | 0x1e8 | 0x200 | False | 0.861328125 | data | 6.63259378326 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0xd6000 | 0x5b0 | 0x600 | False | 0.422526041667 | data | 4.08355571401 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd8000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xd60a0 | 0x324 | data | |
RT_MANIFEST | 0xd63c4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
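The entry point, data directories, section table and single import above describe one another: the native entry point of a 32-bit .NET image is a 6-byte FF 25 stub (jmp dword ptr [IAT]) that hands control to mscoree.dll!_CorExeMain, after which the CLR runs the managed entry point found via the COM descriptor. The script below is an added example (not part of the Joe Sandbox report) that takes the values printed above as its input and checks that they are consistent, and it includes the 8-bit Shannon entropy measure behind the report's Entropy columns, generalised to any byte string; the packing threshold mentioned in its comment is a common rule of thumb, not a figure from the report.

```python
"""Consistency checks on the static PE metadata listed in this report.

Added example; the constants are the values printed in the report above."""
import math

IMAGE_BASE = 0x400000
ENTRY_POINT_VA = 0x4d2dee
JMP_OPERAND_VA = 0x402000          # operand of the entry-point `jmp dword ptr [...]`

# (name, virtual address, virtual size, raw size) as listed in the section table
SECTIONS = [
    (".text",  0x2000,  0xd0df4, 0xd0e00),
    (".sdata", 0xd4000, 0x1e8,   0x200),
    (".rsrc",  0xd6000, 0x5b0,   0x600),
    (".reloc", 0xd8000, 0xc,     0x200),
]

# name -> (RVA, size) for the non-empty data directory entries
DATA_DIRECTORIES = {
    "IMPORT":         (0xd2da0, 0x4b),
    "RESOURCE":       (0xd6000, 0x5b0),
    "BASERELOC":      (0xd8000, 0xc),
    "DEBUG":          (0xd2d58, 0x1c),
    "IAT":            (0x2000,  0x8),
    "COM_DESCRIPTOR": (0x2008,  0x48),
}


def section_for_rva(rva, sections=SECTIONS):
    """Name of the section whose virtual range contains rva, or None."""
    for name, va, vsize, _raw in sections:
        if va <= rva < va + vsize:
            return name
    return None


def directory_sections(dirs=DATA_DIRECTORIES, sections=SECTIONS):
    """Map every data directory to its section (the report's 'Is in Section' column)."""
    return {name: section_for_rva(rva, sections) for name, (rva, _size) in dirs.items()}


def entry_stub_info(ep_va=ENTRY_POINT_VA, image_base=IMAGE_BASE, sections=SECTIONS):
    """Locate the entry point and measure how much of its section follows it.
    A 32-bit .NET image's native entry point is the 6-byte stub
    FF 25 <IAT address> = `jmp dword ptr [IAT]` leading to mscoree!_CorExeMain."""
    rva = ep_va - image_base
    for name, va, vsize, _raw in sections:
        if va <= rva < va + vsize:
            return {"rva": rva, "section": name, "bytes_to_section_end": va + vsize - rva}
    return {"rva": rva, "section": None, "bytes_to_section_end": None}


def jmp_target_is_iat(operand_va=JMP_OPERAND_VA, image_base=IMAGE_BASE, dirs=DATA_DIRECTORIES):
    """True when the jmp reads its destination from inside the IAT directory,
    i.e. the sole import (mscoree.dll!_CorExeMain) is the real native entry."""
    rva = operand_va - image_base
    iat_rva, iat_size = dirs["IAT"]
    return iat_rva <= rva < iat_rva + iat_size


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for
    uniformly distributed bytes. This is the measure behind the report's
    Entropy (8bit) figures; whole sections near 7.5-8.0 usually mean packed or
    encrypted content (rule of thumb, not a report value)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


if __name__ == "__main__":
    info = entry_stub_info()
    print(f"entry point RVA {info['rva']:#x} in {info['section']}, "
          f"{info['bytes_to_section_end']} bytes before the section ends")
    print("jmp reads its target from the IAT:", jmp_target_is_iat())
    for name, sec in directory_sections().items():
        print(f"{name:<15} -> {sec}")
```

Run as a script it reports that the entry point sits exactly 6 bytes before the end of .text (so the instruction dump above is the jmp stub followed by the zero bytes beyond the section's data) and that the jmp operand 0x402000 falls inside the IAT directory. On a real file, pass each section's raw bytes to shannon_entropy to reproduce the Entropy column.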
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2016
Assembly Version | 1.0.0.0
InternalName | CharTypeIn.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | OthelloCS
ProductVersion | 1.0.0.0
FileDescription | OthelloCS
OriginalFilename | CharTypeIn.exe
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 28, 2022 20:01:06.829154015 CET | 52650 | 53 | 192.168.2.3 | 8.8.8.8
Jan 28, 2022 20:01:06.907824039 CET | 53 | 52650 | 8.8.8.8 | 192.168.2.3
Jan 28, 2022 20:01:06.914556026 CET | 63297 | 53 | 192.168.2.3 | 8.8.8.8
Jan 28, 2022 20:01:06.990269899 CET | 53 | 63297 | 8.8.8.8 | 192.168.2.3
Jan 28, 2022 20:01:07.545274973 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 28, 2022 20:01:06.829154015 CET | 192.168.2.3 | 8.8.8.8 | 0x5974 | Standard query (0) | mail.crealuz.es | A (IP address) | IN (0x0001)
Jan 28, 2022 20:01:06.914556026 CET | 192.168.2.3 | 8.8.8.8 | 0x26dd | Standard query (0) | mail.crealuz.es | A (IP address) | IN (0x0001)
Jan 28, 2022 20:01:07.545274973 CET | 192.168.2.3 | 8.8.8.8 | 0x9f3d | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 28, 2022 20:01:06.907824039 CET | 8.8.8.8 | 192.168.2.3 | 0x5974 | No error (0) | mail.crealuz.es | crealuz.es | | CNAME (Canonical name) | IN (0x0001)
Jan 28, 2022 20:01:06.907824039 CET | 8.8.8.8 | 192.168.2.3 | 0x5974 | No error (0) | crealuz.es | | 185.101.224.222 | A (IP address) | IN (0x0001)
Jan 28, 2022 20:01:06.990269899 CET | 8.8.8.8 | 192.168.2.3 | 0x26dd | No error (0) | mail.crealuz.es | crealuz.es | | CNAME (Canonical name) | IN (0x0001)
Jan 28, 2022 20:01:06.990269899 CET | 8.8.8.8 | 192.168.2.3 | 0x26dd | No error (0) | crealuz.es | | 185.101.224.222 | A (IP address) | IN (0x0001)
Jan 28, 2022 20:01:07.570594072 CET | 8.8.8.8 | 192.168.2.3 | 0x9f3d | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001)
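Reading the two DNS tables together: each answer section belongs to the query with the same transaction id, and the A record for mail.crealuz.es only appears after following its CNAME to crealuz.es. The x1.i.lencr.org lookup is Let's Encrypt certificate-chain infrastructure (the lencr.org hosts in the URL table are the CRL, OCSP and issuer-certificate endpoints embedded in Let's Encrypt certificates), so it is validation traffic rather than an attacker-controlled host; the name worth keeping as an indicator is mail.crealuz.es with 185.101.224.222. The report lists no contacted IPs, so only the resolution was observed, not a connection. The script below is an added example, not part of the report; its rows are constructed from the tables above and it correlates query and answer by transaction id, chasing CNAMEs and guarding against loops and dangling CNAMEs.

```python
"""Correlate DNS query and answer rows into resolution chains (added example)."""
from collections import defaultdict

# (transaction id, queried name), constructed from the DNS queries table above
QUERIES = [
    (0x5974, "mail.crealuz.es"),
    (0x26dd, "mail.crealuz.es"),
    (0x9f3d, "x1.i.lencr.org"),
]

# (transaction id, owner name, type, value), constructed from the DNS answers table above
ANSWERS = [
    (0x5974, "mail.crealuz.es", "CNAME", "crealuz.es"),
    (0x5974, "crealuz.es", "A", "185.101.224.222"),
    (0x26dd, "mail.crealuz.es", "CNAME", "crealuz.es"),
    (0x26dd, "crealuz.es", "A", "185.101.224.222"),
    (0x9f3d, "x1.i.lencr.org", "CNAME", "crl.root-x1.letsencrypt.org.edgekey.net"),
]


def resolution_chains(queries, answers):
    """For each query, follow CNAME records within the same transaction until
    A records are found. A CNAME whose target has no record in the capture
    (dangling) or that points back into the chain (loop) ends the walk."""
    rrs = defaultdict(lambda: defaultdict(list))   # txid -> owner -> [(type, value)]
    for txid, owner, rtype, value in answers:
        rrs[txid][owner.lower()].append((rtype.upper(), value))

    results = []
    for txid, qname in queries:
        chain, addresses = [qname], []
        seen, current = {qname.lower()}, qname.lower()
        while current in rrs[txid]:
            records = rrs[txid][current]
            addresses = [v for t, v in records if t == "A"]
            if addresses:
                break
            cnames = [v for t, v in records if t == "CNAME"]
            if not cnames or cnames[0].lower() in seen:   # dangling or looping CNAME
                break
            chain.append(cnames[0])
            current = cnames[0].lower()
            seen.add(current)
        results.append({"txid": txid, "query": qname, "chain": chain,
                        "addresses": addresses, "resolved": bool(addresses)})
    return results


def iocs(results):
    """Deduplicated (kind, value) pairs: every name on every chain plus the IPs."""
    out = set()
    for r in results:
        out.update(("domain", n) for n in r["chain"])
        out.update(("ip", a) for a in r["addresses"])
    return sorted(out)


if __name__ == "__main__":
    for r in resolution_chains(QUERIES, ANSWERS):
        state = ", ".join(r["addresses"]) if r["resolved"] else "no address in capture"
        print(f"{r['txid']:#06x} {' -> '.join(r['chain'])} => {state}")
    print(iocs(resolution_chains(QUERIES, ANSWERS)))
```

With pcap-derived rows the same two functions give you the full CNAME path behind every resolved name, which is what you want before adding a CDN alias such as the edgekey.net target above to a block list by mistake.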


                                            Target ID:0
                                            Start time:19:58:54
                                            Start date:28/01/2022
                                            Path:C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe"
                                            Imagebase:0x220000
                                            File size:859136 bytes
                                            MD5 hash:F865E3CF5F30296353766B374E774261
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.340180618.0000000002631000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.340392025.00000000026E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.340782843.0000000003639000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.340782843.0000000003639000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low

                                            Target ID:8
                                            Start time:19:59:19
                                            Start date:28/01/2022
                                            Path:C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\Desktop\DBelhwqpBHYlUyo.exe
                                            Imagebase:0xe20000
                                            File size:859136 bytes
                                            MD5 hash:F865E3CF5F30296353766B374E774261
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.335009031.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.335009031.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.551822942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000002.551822942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.335724383.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.335724383.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.337726031.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.337726031.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.336357298.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.336357298.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.558831325.0000000003161000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.558831325.0000000003161000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.558831325.0000000003161000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000008.00000002.558831325.0000000003161000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                            Reputation:low


                                              Execution Graph

                                              Execution Coverage:8.2%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:141
                                              Total number of Limit Nodes:6
                                              execution_graph: interactive graph (141 nodes, 6 limit nodes) rendered as node/edge lists in the original; only the resolved API calls along the graph are recoverable. Two short chains end in CreateActCtxA (b03e50 ... b03e24 → b05580) and PostMessageW (7779a00 → 7776314 → 7779c80). The dispatcher at 7778589 / 7778598 fans out to the injection helpers, each present twice at adjacent entry points: CreateProcessA (7777644 / 7777650), ReadProcessMemory (77774b0 / 77774b8), VirtualAllocEx (7777303 / 7777308), WriteProcessMemory (77773c3 / 77773c8), SetThreadContext (7777230 / 7777228) and ResumeThread (7777180 / 7777178). Read together with the "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures, this is the process-hollowing primitive set: spawn a suspended host, allocate and write the payload image into it, point the main thread's context at the new entry point, then resume it.
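The API chain the execution graph resolves (CreateProcessA, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread) is only meaningful as a hollowing indicator when the calls occur in program order. The following is an added example, not code from the report or from the sample: it models that chain as an ordered API trace and matches it stage by stage, ignoring calls that arrive before their stage is expected. The caller addresses in the constructed traces are the graph's node addresses; the call order is an assumption, as is the benign launcher trace.

```python
"""Order-sensitive detection of the process-hollowing API chain.

Added example, not code from the Joe Sandbox report or from the sample:
it treats the primitives the execution graph above resolves (CreateProcessA,
ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, SetThreadContext,
ResumeThread) as an ordered API trace and flags the hollowing pattern.
The traces at the bottom are constructed; the caller addresses are the
ones the graph shows, the call order is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# One entry per stage of the hollowing chain. A stage is satisfied by any
# API in its set, and stages must occur in this order; unrelated calls
# (ReadProcessMemory, GetThreadContext, ...) may interleave freely.
HOLLOWING_STAGES = (
    ("spawn",   {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}),
    ("alloc",   {"VirtualAllocEx", "NtAllocateVirtualMemory"}),
    ("write",   {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("context", {"SetThreadContext", "NtSetContextThread", "Wow64SetThreadContext"}),
    ("resume",  {"ResumeThread", "NtResumeThread"}),
)


@dataclass(frozen=True)
class ApiCall:
    caller: int  # address of the function that made the call
    api: str     # exported name as the sandbox resolved it


def match_hollowing(trace: Iterable[ApiCall]) -> Optional[Dict[str, ApiCall]]:
    """Return {stage: first call satisfying it} when every stage of
    HOLLOWING_STAGES appears in order, otherwise None.

    A call belonging to a later stage than the one currently expected is
    ignored, so a WriteProcessMemory seen before any VirtualAllocEx does
    not count as the write stage: the chain only matches in program order.
    """
    matched: Dict[str, ApiCall] = {}
    stage = 0
    for call in trace:
        name, apis = HOLLOWING_STAGES[stage]
        if call.api in apis:
            matched[name] = call
            stage += 1
            if stage == len(HOLLOWING_STAGES):
                return matched
    return None


def describe(matched: Dict[str, ApiCall]) -> str:
    """One line per stage, addresses in the 8-digit form the APIs sections use."""
    return "\n".join(
        f"{name:>8}: {call.api} from {call.caller:08X}"
        for name, call in matched.items()
    )


# Constructed trace mirroring the report's execution graph (addresses are
# the graph's caller nodes; the order is assumed, not observed).
SAMPLE_TRACE = [
    ApiCall(0x7777644, "CreateProcessA"),      # host spawned (suspended, per the report)
    ApiCall(0x77774B0, "ReadProcessMemory"),   # e.g. read the host's PEB / image base
    ApiCall(0x7777303, "VirtualAllocEx"),      # reserve space for the payload image
    ApiCall(0x77773C3, "WriteProcessMemory"),  # headers
    ApiCall(0x77773C3, "WriteProcessMemory"),  # sections
    ApiCall(0x7777230, "SetThreadContext"),    # redirect the main thread's entry point
    ApiCall(0x7777178, "ResumeThread"),        # run the injected payload
]

# Constructed benign trace: a launcher that starts a suspended child and
# resumes it without touching its memory. Must not match.
BENIGN_TRACE = [
    ApiCall(0x401000, "CreateProcessA"),
    ApiCall(0x401040, "ResumeThread"),
]

if __name__ == "__main__":
    hit = match_hollowing(SAMPLE_TRACE)
    print("hollowing chain found:\n" + describe(hit) if hit else "no match")
    print("benign trace:", match_hollowing(BENIGN_TRACE))
```

The stage sets accept the Nt-level equivalents because a sandbox that hooks only ntdll will never see the kernel32 names; the detector deliberately does not require ReadProcessMemory or NtUnmapViewOfSection, since the graph shows the former but not the latter and neither is necessary for the technique.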

                                              Control-flow Graph

                                              control_flow_graph: function 7777644, blocks 7777644 to 7777995; CreateProcessA is called in block 77777df-7777899 (interactive graph rendered as node/edge lists in the original; the executed / not executed colouring is not recoverable).
                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07777886
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.345187722.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7770000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 862c9b6c5bda9e94b91b68cd986183ac3158c9e5f2300f5bd7c9bc65caed0289
                                              • Instruction ID: c1e5491f32c33e580b222d56ef43cf41dc0f05110fa0ec1cda6ac863e194a268
                                              • Opcode Fuzzy Hash: 862c9b6c5bda9e94b91b68cd986183ac3158c9e5f2300f5bd7c9bc65caed0289
                                              • Instruction Fuzzy Hash: 4CA14CB1D00219DFDF14CFA8C881BEDBBB2AF48354F1489A9D859A7240DB749985CFD1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph: function 7777650, blocks 7777650 to 7777995; CreateProcessA is called in block 77777df-7777899 (interactive graph rendered as node/edge lists in the original; the executed / not executed colouring is not recoverable).
                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07777886
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.345187722.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7770000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: de2cdafb7ad88b3618c1505f3f0f2aeaa37d71d6174560487d267f7c2ad8c94e
                                              • Instruction ID: 8a3f721da3b99a8406e432f533eac8de93537e37de8bb68735d36c00b2d4baad
                                              • Opcode Fuzzy Hash: de2cdafb7ad88b3618c1505f3f0f2aeaa37d71d6174560487d267f7c2ad8c94e
                                              • Instruction Fuzzy Hash: 7A914BB1D00219DFDF14CFA8C881BEDBAB2BF48354F1489A9D859A7280DB749985CFD1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph: function b05574, blocks b05574 to b056c9; CreateActCtxA is called in block b05580-b05641 (interactive graph rendered as node/edge lists in the original; the executed / not executed colouring is not recoverable).
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 00B05631
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.339658498.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b00000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 9793b0f7afca009542720f6f2a7857a7af68933339ddaf615fe50fe6b500e81a
                                              • Instruction ID: 6483121e0e51f786f5cfe5b83cf226c31f43238a8fbea3570e0fb5c9e1385197
                                              • Opcode Fuzzy Hash: 9793b0f7afca009542720f6f2a7857a7af68933339ddaf615fe50fe6b500e81a
                                              • Instruction Fuzzy Hash: 03410370D04618DFDB24CFA9C9847CEBBF1BF49304F6480A9D418AB251DBB66949CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph: function b03e24, blocks b03e24 to b056c9; CreateActCtxA is called in block b03e24-b05641 (interactive graph rendered as node/edge lists in the original; the executed / not executed colouring is not recoverable).
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 00B05631
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.339658498.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b00000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 84358c77d4c47d3d0008863b0d2591697238b50d2d6e60a10dd18a02c658a0b4
                                              • Instruction ID: 7185638f68112dd835576731b5b97835f08d2736f8451155951d767627857c70
                                              • Opcode Fuzzy Hash: 84358c77d4c47d3d0008863b0d2591697238b50d2d6e60a10dd18a02c658a0b4
                                              • Instruction Fuzzy Hash: A641F270D0461CDFDB24CFA9C98479EBBF1BF49304F6080A9D418AB291DBB66945CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph: function 77773c3, blocks 77773c3 to 777749e; WriteProcessMemory is called in block 7777426-7777465 (interactive graph rendered as node/edge lists in the original; the executed / not executed colouring is not recoverable).
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07777458
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.345187722.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7770000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: 76f1a6087ffb19c6b92a48e8ed2c75add377f1f3338c1810bd7e4f85bd8a349a
                                              • Instruction ID: 05bb91667ee9ee3fe0fe248b081da763c03ca93ad23cc27144590ebe9e8b0724
                                              • Opcode Fuzzy Hash: 76f1a6087ffb19c6b92a48e8ed2c75add377f1f3338c1810bd7e4f85bd8a349a
                                              • Instruction Fuzzy Hash: FD2115B19002199FCF00CFA9D9857DEBBF5FF48314F108829E919A7340DB789955DBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph: function 77773c8, blocks 77773c8 to 777749e; WriteProcessMemory is called in block 7777426-7777465 (interactive graph rendered as node/edge lists in the original; the executed / not executed colouring is not recoverable).
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07777458
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.345187722.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7770000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: 5e589c6f4c115669feefe90d37da463b7b8aadf6841b68ba9f0d8e5da29c0c7a
                                              • Instruction ID: 258f6a79145d98f60dcb56132fd984c0801d1e12186c0ad914a7009d0130c8fd
                                              • Opcode Fuzzy Hash: 5e589c6f4c115669feefe90d37da463b7b8aadf6841b68ba9f0d8e5da29c0c7a
                                              • Instruction Fuzzy Hash: 1A2126B19003199FCF00CFA9C985BDEBBF5FF48314F108829E919A7240DB78A955DBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph: function 77774b0, blocks 77774b0 to 777757e; ReadProcessMemory is called in block 77774b0-7777545 (interactive graph rendered as node/edge lists in the original; the executed / not executed colouring is not recoverable).
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07777538
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.345187722.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7770000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: 2521fb82d0de173adb5522d1a0b96af44a2c6e8f85bb78c4b525f244dff8fb56
                                              • Instruction ID: 9cafa4577ed7e7b8e189b1ff74c62bd74fd322a8b62c8e320e417be0435b524a
                                              • Opcode Fuzzy Hash: 2521fb82d0de173adb5522d1a0b96af44a2c6e8f85bb78c4b525f244dff8fb56
                                              • Instruction Fuzzy Hash: 922136B19003499FCB00DFA9D9806EEFBF5FF48314F50882DE559A7240DB389915DBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph: function 7777230, blocks 7777230 to 77772f4; SetThreadContext is called in block 777728b-77772bb (interactive graph rendered as node/edge lists in the original; the executed / not executed colouring is not recoverable).
                                              APIs
                                              • SetThreadContext.KERNELBASE(?,00000000), ref: 077772AE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.345187722.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7770000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID: ContextThread
                                              • String ID:
                                              • API String ID: 1591575202-0
                                              • Opcode ID: 6ad3b3276045ca3b129e2bc769a099693e2c990769dd85be96fd6759d5e3f882
                                              • Instruction ID: ade097b8ca4f3dd00c2155879ba5cf9fe74f05f46c1ed2ad897d1430d3363298
                                              • Opcode Fuzzy Hash: 6ad3b3276045ca3b129e2bc769a099693e2c990769dd85be96fd6759d5e3f882
                                              • Instruction Fuzzy Hash: A92137B19003098FCB14DFAAC4847EEBBF5EF48364F14842DD529A7240DB78A945CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph: function 77774b8, blocks 77774b8 to 777757e; ReadProcessMemory is called in block 77774b8-7777545 (interactive graph rendered as node/edge lists in the original; the executed / not executed colouring is not recoverable).
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07777538
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.345187722.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7770000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: 649633fe3831b1a0889c350cf47f700756d43cd2941fdd2846f9e1f2db1e43f9
                                              • Instruction ID: 9094e5da2818a3372686afc382a0d10610225283e3ccf2c4170b40f3730c2157
                                              • Opcode Fuzzy Hash: 649633fe3831b1a0889c350cf47f700756d43cd2941fdd2846f9e1f2db1e43f9
                                              • Instruction Fuzzy Hash: D52116B19002099FCB00DFA9D9806EEFBF5FF48314F508829E519A7240DB389955DBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph: function 7777228, blocks 7777228 to 77772f4; SetThreadContext is called in block 777728b-77772bb (interactive graph rendered as node/edge lists in the original; the executed / not executed colouring is not recoverable).
                                              APIs
                                              • SetThreadContext.KERNELBASE(?,00000000), ref: 077772AE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.345187722.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7770000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID: ContextThread
                                              • String ID:
                                              • API String ID: 1591575202-0
                                              • Opcode ID: 6ac0a77fd0819dfc1264cce0e9d66b96572ae0bba65c97bcee37a7ff37c7bb2f
                                              • Instruction ID: bde5af8dd1446d3f3101db230d0f5eaf78431da57df5ca1b6a5182bd8f94d1c2
                                              • Opcode Fuzzy Hash: 6ac0a77fd0819dfc1264cce0e9d66b96572ae0bba65c97bcee37a7ff37c7bb2f
                                              • Instruction Fuzzy Hash: D02134B1D006098FCB14CFA9C5847EEBBF5AF48364F14882ED529A7240CB78A945CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph: function 7777308, blocks 7777308 to 77773b1; VirtualAllocEx is called in block 7777308-7777383 (interactive graph rendered as node/edge lists in the original; the executed / not executed colouring is not recoverable).
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07777376
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.345187722.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7770000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 7539c9e4d31003b15e1d57c5197b7d158be9cee816449f1b2682a5c38c948250
                                              • Instruction ID: 77c7cf726548f81c80004aeb377d0df40f96955bfc8420194f59abb0524d3c9d
                                              • Opcode Fuzzy Hash: 7539c9e4d31003b15e1d57c5197b7d158be9cee816449f1b2682a5c38c948250
                                              • Instruction Fuzzy Hash: F71156719003489FCF10DFA9C8447DEFBF5AF48324F208829E529A7210CB35A954CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph: function 7777178, blocks 7777178 to 777721d; ResumeThread is called in block 7777178-77771ef (interactive graph rendered as node/edge lists in the original; the executed / not executed colouring is not recoverable).
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.345187722.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7770000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: d5b8fcf324eeadbb050380cfb4d66d036ab50d5ab2b989336be6eaa19dfb1189
                                              • Instruction ID: c7d0324f4284880136ac3c04e44ee3b7d27ccfdb3a2d495fe5f5f61ffd43eee7
                                              • Opcode Fuzzy Hash: d5b8fcf324eeadbb050380cfb4d66d036ab50d5ab2b989336be6eaa19dfb1189
                                              • Instruction Fuzzy Hash: F61149B1D002498BCB14DFA9D9447DEFBF5AB88314F248829D529A7600CB749545CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph: function 7777303, blocks 7777303 to 77773b1; VirtualAllocEx is called in block 7777303-7777383 (interactive graph rendered as node/edge lists in the original; the executed / not executed colouring is not recoverable).
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07777376
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.345187722.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7770000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 141f541a3f0a0323438b7f8d624de8e90b0d41025c9b1b413690855a47f9e708
                                              • Instruction ID: b415271237d7c8e9234906c15cc991acf801b34621b17a006dcbe4ad45c29a85
                                              • Opcode Fuzzy Hash: 141f541a3f0a0323438b7f8d624de8e90b0d41025c9b1b413690855a47f9e708
                                              • Instruction Fuzzy Hash: 021156719002098FCF04DFA9D9407DEFBF6AF48314F208829D529A7250CB349555CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

Control-flow Graph

• 229: 7777180-77771ef (ResumeThread)
• 232: 77771f1-77771f7
• 233: 77771f8-777721d
• Edges: 229->232, 229->233, 232->233
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.345187722.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7770000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: 951d2b4c0f48ae749b60303d589637f73b3267142eeefb466ff6e432eac37f00
                                              • Instruction ID: 78e9d4a8d97120e1652bdfd4cef763a4ad808ad400af2962155718ee6dabce37
                                              • Opcode Fuzzy Hash: 951d2b4c0f48ae749b60303d589637f73b3267142eeefb466ff6e432eac37f00
                                              • Instruction Fuzzy Hash: 581128B1D002498BCB14DFAAD8447DEFBF5AB88224F248829D529A7240CB74A945CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

Control-flow Graph

• 237: 7776314-7779cea (PostMessageW)
• 239: 7779cf3-7779d07
• 240: 7779cec-7779cf2
• Edges: 237->239, 237->240, 240->239
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 07779CDD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.345187722.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7770000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: 60e8127a09c6aa63bd3f13a9b2535296c732a7a6b8a8a9ae2bad7258c723e52d
                                              • Instruction ID: b2ff4c8078b82c7a61b630b77787ef4171562b2807129b7d872cf99cf3a26f15
                                              • Opcode Fuzzy Hash: 60e8127a09c6aa63bd3f13a9b2535296c732a7a6b8a8a9ae2bad7258c723e52d
                                              • Instruction Fuzzy Hash: 8911F2B58007499FDB10DF99D585BDEFBF8EB48324F10881AE919A7200C774A944CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 07779CDD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.345187722.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7770000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: e51549f1ca617187ea07754f35a18e2eaec9ab736b865f2d4c3b839934b1530b
                                              • Instruction ID: 24c2cc4ffa743ae020434cfe1eb2e97950e52395b852821bbe5f73ba64afee37
                                              • Opcode Fuzzy Hash: e51549f1ca617187ea07754f35a18e2eaec9ab736b865f2d4c3b839934b1530b
                                              • Instruction Fuzzy Hash: EB1122B58003499FCB10DF99D585BDEFBF8FB48324F208859D929A7200C774A945CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%
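The entries above for the non-PE-backed region at 07770000 in process 0 (VirtualAllocEx, ResumeThread, PostMessageW with uMsg 0x10 = WM_CLOSE) are the raw material behind the report's "Injects a PE file into a foreign processes" and "Creates a process in suspended mode" signatures. The script below is an added example, not Joe Sandbox code: it parses report entries of this shape, groups API calls per dumped region and flags regions that are dynamic RWX private memory calling the injection API family. Assumptions it makes: the .sdmp file name is laid out as `<proc index>.<snapshot>.<ts>.<base>.<protect>.<?>.<type>.<?>.sdmp`, with `<protect>` and `<type>` holding Win32 constants (the values on this page, 0x40 and 0x20000, match PAGE_EXECUTE_READWRITE and MEM_PRIVATE); in the `control_flow_graph` dumps only API names begin with a capital letter. `REPORT` is excerpted from this page's entries, trimmed to the lines the parser reads, with the process-8 DuplicateHandle entry included as a region that must not be flagged. Function names (`parse_report`, `find_injection_regions`, `wm_close_posts`) are mine.

```python
"""Parse Joe Sandbox per-function entries and flag injection-stub regions.
Added example, not Joe Sandbox code; see the assumptions in the lead-in."""
import re
from collections import defaultdict
from dataclasses import dataclass

PAGE_EXECUTE_READWRITE = 0x40   # assumed meaning of the .sdmp <protect> field
MEM_PRIVATE = 0x20000           # assumed meaning of the .sdmp <type> field
WM_CLOSE = 0x10
# APIs the report's process-injection signatures rest on.
INJECTION_APIS = {"VirtualAllocEx", "WriteProcessMemory", "ResumeThread",
                  "CreateProcessW", "CreateProcessA", "NtUnmapViewOfSection"}

_SDMP = re.compile(
    r"Source File:\s*(?P<proc>[0-9a-f]{8})\.(?P<snap>[0-9a-f]{8})\.\d+\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.[0-9a-f]{8}\."
    r"(?P<type>[0-9a-f]{8})\.[0-9a-f]{8}\.sdmp.*based on PE:\s*(?P<pe>true|false)", re.I)
_API = re.compile(r"^•\s*(?P<api>\w+)\.(?P<module>[\w.]+)(?:\((?P<args>[^)]*)\))?")
_CFG_API = re.compile(r"\b[A-Z][A-Za-z0-9]+\b")   # block addresses are lowercase hex

@dataclass
class FunctionEntry:
    proc: int        # Joe Sandbox process index (00000000 = the submitted sample)
    base: int        # base address of the dumped region
    protect: int
    mem_type: int
    pe_backed: bool  # "based on PE: false" = dynamic/decrypted code
    apis: list       # (api name, argument string) pairs
    opcode_id: str

def parse_report(text):
    """One FunctionEntry per '• Opcode ID:' line. API names come from the APIs
    list and, as a fallback, from the control_flow_graph dump (the ResumeThread
    entry on this page has an empty APIs list)."""
    entries, apis, cfg_apis, src = [], [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("control_flow_graph"):
            cfg_apis += _CFG_API.findall(line)
        elif (m := _API.match(line)):
            apis.append((m["api"], m["args"] or ""))
        elif (m := _SDMP.search(line)):
            src = m
        elif line.startswith("• Opcode ID:") and src:
            seen = {name for name, _ in apis}
            apis += [(name, "?") for name in cfg_apis if name not in seen]
            entries.append(FunctionEntry(
                int(src["proc"], 16), int(src["base"], 16), int(src["protect"], 16),
                int(src["type"], 16), src["pe"].lower() == "true", apis,
                line.split(":", 1)[1].strip()))
            apis, cfg_apis, src = [], [], None
    return entries

def find_injection_regions(entries):
    """Non-PE-backed RWX private regions whose functions call the injection
    API family; one finding per (process, region)."""
    regions, meta = defaultdict(set), {}
    for e in entries:
        regions[(e.proc, e.base)] |= {name for name, _ in e.apis}
        meta[(e.proc, e.base)] = (e.protect, e.mem_type, e.pe_backed)
    findings = []
    for key in sorted(regions):
        protect, mem_type, pe_backed = meta[key]
        hits = regions[key] & INJECTION_APIS
        if hits and not pe_backed and protect == PAGE_EXECUTE_READWRITE and mem_type == MEM_PRIVATE:
            findings.append({"proc": key[0], "base": key[1], "apis": sorted(hits)})
    return findings

def wm_close_posts(entries):
    """(process, opcode-id prefix) of PostMessageW calls whose uMsg is WM_CLOSE."""
    hits = []
    for e in entries:
        for name, args in e.apis:
            parts = [a.strip() for a in args.split(",")]
            if (name == "PostMessageW" and len(parts) > 1
                    and re.fullmatch(r"[0-9A-Fa-f]+", parts[1]) and int(parts[1], 16) == WM_CLOSE):
                hits.append((e.proc, e.opcode_id[:8]))
    return hits

# Excerpted from this report page, trimmed to the lines the parser reads.
REPORT = """\
control_flow_graph 221 7777303-7777383 VirtualAllocEx 224 7777385-777738b 221->224 225 777738c-77773b1 221->225 224->225
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07777376
• Source File: 00000000.00000002.345187722.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
• Opcode ID: 141f541a3f0a0323438b7f8d624de8e90b0d41025c9b1b413690855a47f9e708
control_flow_graph 229 7777180-77771ef ResumeThread 232 77771f1-77771f7 229->232 233 77771f8-777721d 229->233 232->233
• Source File: 00000000.00000002.345187722.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
• Opcode ID: 951d2b4c0f48ae749b60303d589637f73b3267142eeefb466ff6e432eac37f00
• PostMessageW.USER32(?,00000010,00000000,?), ref: 07779CDD
• Source File: 00000000.00000002.345187722.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
• Opcode ID: 60e8127a09c6aa63bd3f13a9b2535296c732a7a6b8a8a9ae2bad7258c723e52d
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03016DFF
• Source File: 00000008.00000002.553824589.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
• Opcode ID: d497b878ad023ac71a04b0681bfcad967cfd66c1932f225e09d95dab5abca382
"""

if __name__ == "__main__":
    parsed = parse_report(REPORT)
    for f in find_injection_regions(parsed):
        print(f"proc {f['proc']} region {f['base']:#x}: injection APIs {f['apis']}")
    print("WM_CLOSE posts:", wm_close_posts(parsed))
```

Run against the excerpt, the only flagged region is process 0 at 0x7770000 (VirtualAllocEx and ResumeThread, the latter recovered from the control-flow dump), while the process-8 region at 0x3010000 is equally RWX, private and non-PE-backed but calls only DuplicateHandle and is left alone; the report's WriteProcessMemory or CreateProcess calls, if any, are not on this page, so the rule deliberately triggers on the partial set that is.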

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.339555468.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_aad000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fe027b26f54cf5663366b7a0260048dac0117558e91ae5bcc128ca0536acec8c
                                              • Instruction ID: e02a571df46f1fef9a394813c74e179f529467245d9199967d66c0aa84c0ca4c
                                              • Opcode Fuzzy Hash: fe027b26f54cf5663366b7a0260048dac0117558e91ae5bcc128ca0536acec8c
                                              • Instruction Fuzzy Hash: 60216772904241DFCB05CF00D9C0F16BFA5FB88328F24896DE84A0B686C336D856C7A2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.339575830.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_abd000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f4b11d4fd5621956b65ce507386c505edca00b42d00cf27303633feb2d39a1cf
                                              • Instruction ID: 6de796ca330a6b17522ed30fbfaaedbcfab122fb39ac025e4bbf97d192c8b3da
                                              • Opcode Fuzzy Hash: f4b11d4fd5621956b65ce507386c505edca00b42d00cf27303633feb2d39a1cf
                                              • Instruction Fuzzy Hash: 9A210475504640DFCB14EF14D9C0B56BBA9FB88324F24C96DD80A4B247D73BD847CA62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.339555468.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_aad000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 73c77642ff1d0f1846af63e25c15ef72c8540fb2a5fba5c953b56dea98f27032
                                              • Instruction ID: e4a2e08b843a24591c80f3550093f2b857639be4bfc42c89f912b4f20dfded27
                                              • Opcode Fuzzy Hash: 73c77642ff1d0f1846af63e25c15ef72c8540fb2a5fba5c953b56dea98f27032
                                              • Instruction Fuzzy Hash: FF11E676904280DFCF12CF10D5C4B16BF72FB95324F28C6A9D84A4B656C336D85ACBA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.339575830.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_abd000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 71bd26055f06f08825311f0b87c08736bb4be69c4b1a897ef11e019550e4984e
                                              • Instruction ID: 1012f731030ab0794a2de0b806f746711bfd696f484c8480b5cb4e1d8544270e
                                              • Opcode Fuzzy Hash: 71bd26055f06f08825311f0b87c08736bb4be69c4b1a897ef11e019550e4984e
                                              • Instruction Fuzzy Hash: BA119D75504280DFCB11DF14D5C4B55FFA1FB84324F28C6AAD84A4B656C33AD85ACBA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.339555468.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_aad000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 55a379ac8bba1634829abbcaa11fc7f6f51536bb412824652f0ecbf20fdc420e
                                              • Instruction ID: c5339292de897f55ba6c5470dded80017a82ab74056c391b69026604e8258316
                                              • Opcode Fuzzy Hash: 55a379ac8bba1634829abbcaa11fc7f6f51536bb412824652f0ecbf20fdc420e
                                              • Instruction Fuzzy Hash: 7501F7714087409AD7108F61CD847A2FBA8EF4A764F18C45DED9A5B686C77C9844C6B1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.339555468.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_aad000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bbd516908fea6af5abdcf61a7bf33d15be81f634fc99cdc088fa7ddc12f1a427
                                              • Instruction ID: 6826d9b50ebe6b36f08dd79033a6f96652fcddd93e760ef2e2f62739b2420902
                                              • Opcode Fuzzy Hash: bbd516908fea6af5abdcf61a7bf33d15be81f634fc99cdc088fa7ddc12f1a427
                                              • Instruction Fuzzy Hash: 4DF0C2714042849EE7108F15CCC4BA2FFA8EB46774F18C45EED585B686C3789844CAB1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.339658498.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b00000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: =
                                              • API String ID: 0-2322244508
                                              • Opcode ID: 88500e303d1088094563ef577f6063ab18b9b850c5c875cd0cc73bc66b8b276f
                                              • Instruction ID: 76dc1ab45acb1974b33391a96a9c7003c171724f98591000272b65c59e5d288a
                                              • Opcode Fuzzy Hash: 88500e303d1088094563ef577f6063ab18b9b850c5c875cd0cc73bc66b8b276f
                                              • Instruction Fuzzy Hash: 16515BB1D056198BEB18CF6B8D447CAFBF3AFD8300F18C1FA9518A6265DB3449868F51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.339658498.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b00000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: UUUU
                                              • API String ID: 0-1798160573
                                              • Opcode ID: 37dc1612f969020b38fceacd8f11f3c344ad34f57ba9a1d1039cfcb3f7a131d2
                                              • Instruction ID: 61b0424293f8d9e3307e9077f150de511e5b2c2be304a8fc1a8a194531321475
                                              • Opcode Fuzzy Hash: 37dc1612f969020b38fceacd8f11f3c344ad34f57ba9a1d1039cfcb3f7a131d2
                                              • Instruction Fuzzy Hash: DD514E70E146288FEBA4CF6DC984B8DFBF2AF48304F5482A9D55CE7215D7349A868F11
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.339658498.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b00000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4e3b1cc5194fe89dcfe73e03fc43210ca60aaac4b89432c8d6631b56b322b915
                                              • Instruction ID: a84e7a842114b4aec088c002b2ad7ebdc82c00c00b8a8d7a0869d5f44b457c21
                                              • Opcode Fuzzy Hash: 4e3b1cc5194fe89dcfe73e03fc43210ca60aaac4b89432c8d6631b56b322b915
                                              • Instruction Fuzzy Hash: C1519070E042088FDB45DFB9E95179EBBF2AF8A304F14C529D1189B3B6EF7059068B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.339658498.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b00000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5dac7d43cc91f8b979586a5cefe8301a73474f28fcdbd02fefd6897d35570f62
                                              • Instruction ID: 370da1685796a8f0b6095352cd9a676aab592ad92e6465d2c76e29c7587592fb
                                              • Opcode Fuzzy Hash: 5dac7d43cc91f8b979586a5cefe8301a73474f28fcdbd02fefd6897d35570f62
                                              • Instruction Fuzzy Hash: FB519170E042088FDB45DFB9E99179EBBF2AF8A304F14C529D1149B37AEF7059068B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Execution Graph

                                              Execution Coverage:10.7%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:81
                                              Total number of Limit Nodes:7
execution_graph (81 nodes; condensed to the root nodes and the API calls they reach):
• 17cd01c -> 17cd034 -> 3017961 / 3015348 / 3015338 / 3013ca4 -> ... -> CallWindowProcW (via 3013ca4, 3016964, 3017b00, 3017b10, 3017cda) -> 17cd08e
• 301b651 -> 301b5f2 -> 301b83a -> 301b920 / 301b90f / 301ba1c / 301ba36 -> 301bd17 -> 301bd69 / 301bd78 -> 301bddc RtlEncodePointer
• 3015190 -> 30151f8 CreateWindowExW -> 30152b4
• 3016b50 GetCurrentProcess -> 3016bca GetCurrentThread -> 3016c07 GetCurrentProcess -> 3016c65 GetCurrentThreadId -> 3016c96
• 3016d78 DuplicateHandle -> 3016e0e

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 03016BB0
                                              • GetCurrentThread.KERNEL32 ref: 03016BED
                                              • GetCurrentProcess.KERNEL32 ref: 03016C2A
                                              • GetCurrentThreadId.KERNEL32 ref: 03016C83
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.553824589.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_3010000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: 83a735f519fb2ad0d93c63720e2b1ccd0291ce483de293ae066dfd14d6d4ffcf
                                              • Instruction ID: f3fbe9f9a76eb9794115bb2d3b436808a3b11c04f114b7ea95ce8f5d8708a70c
                                              • Opcode Fuzzy Hash: 83a735f519fb2ad0d93c63720e2b1ccd0291ce483de293ae066dfd14d6d4ffcf
                                              • Instruction Fuzzy Hash: AA5143B0A016488FDB50CFA9CA88BAEBBF1EF48314F248459E419A3350DB756884CB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

Control-flow Graph

• 634: 3015184-30151f6
• 635: 3015201-3015208
• 636: 30151f8-30151fe
• 637: 3015213-301524b
• 638: 301520a-3015210
• 639: 3015253-30152b2 (CreateWindowExW)
• 640: 30152b4-30152ba
• 641: 30152bb-30152f3
• 645: 3015300
• 646: 30152f5-30152f8
• 647: 3015301
• Edges: 634->635, 634->636, 635->637, 635->638, 636->635, 637->639, 638->637, 639->640, 639->641, 640->641, 641->645, 641->646, 645->647, 646->645, 647->647
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 030152A2
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.553824589.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_3010000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: faa25d251949fc8cdd197002ff26c26af5712b33d96a1aa8555c0f1e3701b3eb
                                              • Instruction ID: 9b6fd54b70edceedfbbb6d876df1ebd0c42d89e927b34152309a543c6e8958f2
                                              • Opcode Fuzzy Hash: faa25d251949fc8cdd197002ff26c26af5712b33d96a1aa8555c0f1e3701b3eb
                                              • Instruction Fuzzy Hash: C051BEB1D013099FDB14CFA9C984ADEFBF5BF89314F24812AE819AB250D7749945CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

Control-flow Graph

• 648: 3015190-30151f6
• 649: 3015201-3015208
• 650: 30151f8-30151fe
• 651: 3015213-30152b2 (CreateWindowExW)
• 652: 301520a-3015210
• 654: 30152b4-30152ba
• 655: 30152bb-30152f3
• 659: 3015300
• 660: 30152f5-30152f8
• 661: 3015301
• Edges: 648->649, 648->650, 649->651, 649->652, 650->649, 652->651, 651->654, 651->655, 654->655, 655->659, 655->660, 660->659, 659->661, 661->661
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 030152A2
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.553824589.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_3010000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: dc639206da158a0a6d9746501da2a5b27e5a10855f59d1814411f514e09199a0
                                              • Instruction ID: c02c23ac8b49f496313c24958f4dbb42472af46a312ee8cd48c282df45525821
                                              • Opcode Fuzzy Hash: dc639206da158a0a6d9746501da2a5b27e5a10855f59d1814411f514e09199a0
                                              • Instruction Fuzzy Hash: 9641BEB1D113099FDB14CF99C884ADEFBF5BF89314F24812AE819AB250DB75A845CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

Control-flow Graph

• 662: 3016964-3017c7c
• 665: 3017c82-3017c87
• 666: 3017d2c-3017d4c (call 3013ca4)
• 667: 3017c89-3017cc0
• 668: 3017cda-3017d12 (CallWindowProcW)
• 670: 3017d14-3017d1a
• 671: 3017d1b-3017d2a
• 674: 3017d4f-3017d5c
• 675: 3017cc2-3017cc8
• 676: 3017cc9-3017cd8
• Edges: 662->665, 662->666, 665->667, 665->668, 666->674, 667->675, 667->676, 668->670, 668->671, 670->671, 671->674, 675->676, 676->674
                                              APIs
                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 03017D01
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.553824589.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_3010000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID: CallProcWindow
                                              • String ID:
                                              • API String ID: 2714655100-0
                                              • Opcode ID: 98f097dcd0572e1c48be66d06d7b8b8e05e2f2a13162b5c216d691dc97adb4f4
                                              • Instruction ID: fa6ab400d04d3beeb5cb318413c74d3aeccdf0261c225bd3d2b6d7a4ade92991
                                              • Opcode Fuzzy Hash: 98f097dcd0572e1c48be66d06d7b8b8e05e2f2a13162b5c216d691dc97adb4f4
                                              • Instruction Fuzzy Hash: 94413BB4A00209CFCB14CF99C449AAAFBF5FF88714F25849DE519AB321D735A845CFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

Control-flow Graph

• 679: 301bd69-301bd6a
• 680: 301bd71-301bd72
• 681: 301bd6c-301bd70
• 682: 301bd74-301bd77
• 683: 301bd79-301bdba
• 686: 301bdc0
• 687: 301bdbc-301bdbe
• 688: 301bdc5-301bdd0
• 689: 301be31-301be3e
• 690: 301bdd2-301be03 (RtlEncodePointer)
• 692: 301be05-301be0b
• 693: 301be0c-301be2c
• Edges: 679->680, 679->681, 680->682, 680->683, 681->680, 682->683, 683->686, 683->687, 686->688, 687->688, 688->689, 688->690, 690->692, 690->693, 692->693, 693->689
                                              APIs
                                              • RtlEncodePointer.NTDLL(00000000), ref: 0301BDF2
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.553824589.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_3010000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID: EncodePointer
                                              • String ID:
                                              • API String ID: 2118026453-0
                                              • Opcode ID: b36cdf91bdf0958a591491ca0bb20c17fbff69fa623a38ee6601051b4bcd93b1
                                              • Instruction ID: 4fe4bbe647f7c28baa43ec1f15b3452b8c273174eaf9253185ed410afb8345b5
                                              • Opcode Fuzzy Hash: b36cdf91bdf0958a591491ca0bb20c17fbff69fa623a38ee6601051b4bcd93b1
                                              • Instruction Fuzzy Hash: 7021CFB28057888FDB60DFA5C90938EBFF4FB09304F18815AD449E7641DB385519CFA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph (basic blocks: node, address range, API called, successors)
                                              • 695: 3016d71-3016e0c DuplicateHandle -> 696, 697
                                              • 696: 3016e15-3016e32
                                              • 697: 3016e0e-3016e14 -> 696
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03016DFF
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.553824589.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_3010000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: d497b878ad023ac71a04b0681bfcad967cfd66c1932f225e09d95dab5abca382
                                              • Instruction ID: b32269c110fcf4f4617067dce6391fe4ea6983e53da6eacf450522f7cc21054d
                                              • Opcode Fuzzy Hash: d497b878ad023ac71a04b0681bfcad967cfd66c1932f225e09d95dab5abca382
                                              • Instruction Fuzzy Hash: 5C21DFB5901208DFDB10CFA9D984ADEFBF4EF48324F14841AE918A7310D778AA54CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph (basic blocks: node, address range, API called, successors)
                                              • 700: 3016d78-3016e0c DuplicateHandle -> 701, 702
                                              • 701: 3016e15-3016e32
                                              • 702: 3016e0e-3016e14 -> 701
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03016DFF
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.553824589.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_3010000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 2f95ae8af4209bb969b453fadb22d59480744cc5ec95c936b306fe34ccf8fb20
                                              • Instruction ID: 74bc122ba7e4f3786cdd0cb10774d8a5035647eaf6250f6e6b93852759c49e76
                                              • Opcode Fuzzy Hash: 2f95ae8af4209bb969b453fadb22d59480744cc5ec95c936b306fe34ccf8fb20
                                              • Instruction Fuzzy Hash: 2221D3B59012089FDB10CFAAD984ADEFBF8FB48324F14841AE914A7350D779A954CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph (basic blocks: node, address range, API called, successors)
                                              • 705: 301bd78-301bdba -> 709, 710
                                              • 709: 301bdc0 -> 711
                                              • 710: 301bdbc-301bdbe -> 711
                                              • 711: 301bdc5-301bdd0 -> 712, 713
                                              • 712: 301be31-301be3e
                                              • 713: 301bdd2-301be03 RtlEncodePointer -> 715, 716
                                              • 715: 301be05-301be0b -> 716
                                              • 716: 301be0c-301be2c -> 712
                                              APIs
                                              • RtlEncodePointer.NTDLL(00000000), ref: 0301BDF2
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.553824589.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_3010000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID: EncodePointer
                                              • String ID:
                                              • API String ID: 2118026453-0
                                              • Opcode ID: a17d263156356805a5030c039ed9e521696f23db68f12d7dd205fbb264d5a3cf
                                              • Instruction ID: 63a931a2781ba4b5439761175599efbdbd1c7aafed3231cae0190bf3ba951330
                                              • Opcode Fuzzy Hash: a17d263156356805a5030c039ed9e521696f23db68f12d7dd205fbb264d5a3cf
                                              • Instruction Fuzzy Hash: 1A11ACB19017488FDB60EFAAC50939EBFF4FB08314F24842AD409A3200DB396918CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.553490003.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_17bd000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 12780f067525ca22544228b0ebe965c412c01cdc6346211fcf5b862fbc38a0d9
                                              • Instruction ID: b63c4779ff6c7e6f589046c9bb51b3d39b2e7ba2806cecd4786490dc82f65526
                                              • Opcode Fuzzy Hash: 12780f067525ca22544228b0ebe965c412c01cdc6346211fcf5b862fbc38a0d9
                                              • Instruction Fuzzy Hash: 2B2106B2504240DFDB15DF94D9C0B96FF65FF8832CF3485A9E9094B246C336D856C6A2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.553542584.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_17cd000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7ee42193f9225653f38a2567861460dc1bd6e1cbd4cd6de497efcb5a42d9d138
                                              • Instruction ID: dfb4710ebaf3927ead03c24f9d08e2095496240d9fa43b7eb87657aace046cab
                                              • Opcode Fuzzy Hash: 7ee42193f9225653f38a2567861460dc1bd6e1cbd4cd6de497efcb5a42d9d138
                                              • Instruction Fuzzy Hash: 31213771504640DFCB25CF98D9C0B16FBA5FB84B54F24C9BDD8094B246C73AD887CAA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.553490003.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_17bd000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 73c77642ff1d0f1846af63e25c15ef72c8540fb2a5fba5c953b56dea98f27032
                                              • Instruction ID: a83e8b70d0d615e4087bfb1ed8d69f65c3570c02cfd10f6d7cae6db7cffc9d73
                                              • Opcode Fuzzy Hash: 73c77642ff1d0f1846af63e25c15ef72c8540fb2a5fba5c953b56dea98f27032
                                              • Instruction Fuzzy Hash: E311B176404280CFCB16CF54D5C4B56FF72FB88328F2886A9D8094B656C336D45ACBA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000008.00000002.553542584.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_17cd000_DBelhwqpBHYlUyo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 71bd26055f06f08825311f0b87c08736bb4be69c4b1a897ef11e019550e4984e
                                              • Instruction ID: 80d9ec7ea2733c17dd5b62d15e2a6aed2a48a5f612ab211ecb71043b21e0c8c6
                                              • Opcode Fuzzy Hash: 71bd26055f06f08825311f0b87c08736bb4be69c4b1a897ef11e019550e4984e
                                              • Instruction Fuzzy Hash: 2811D075504280DFCB22CF58D5C4B15FFA1FB84714F28C6ADD8494B656C33AD44ACBA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%
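Two things in the entries above matter when they are turned into indicators: the DuplicateHandle and RtlEncodePointer functions each appear twice with different Opcode IDs but the same call site (ref: 03016DFF and ref: 0301BDF2), so they are one function analysed from two entry points, and every dump region is "based on PE: false", i.e. code that was never part of a mapped image. The following parser is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: it reads the bullet lines of the function listing, collapses entries that share a call site, and classifies the dump region. The sample text is constructed from the entries shown on this page; the decoding of the dotted .sdmp file name (which field is the page protection and which the allocation type) is an assumption that should be checked against your own reports, while the Win32 constants themselves are the standard values.

```python
"""Parse Joe Sandbox function entries and collapse duplicate call sites
(added example; not the report's or Joe Security's code)."""
import re
from collections import defaultdict

# Constructed sample: five entries copied from the report, trimmed to the
# bullets this parser uses. Assumption: one "• Key: value" bullet per line.
SAMPLE_REPORT = """\
• RtlEncodePointer.NTDLL(00000000), ref: 0301BDF2
• Source File: 00000008.00000002.553824589.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
• Opcode ID: b36cdf91bdf0958a591491ca0bb20c17fbff69fa623a38ee6601051b4bcd93b1
• Instruction Fuzzy Hash: 7021CFB28057888FDB60DFA5C90938EBFF4FB09304F18815AD449E7641DB385519CFA2
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03016DFF
• Source File: 00000008.00000002.553824589.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
• Opcode ID: d497b878ad023ac71a04b0681bfcad967cfd66c1932f225e09d95dab5abca382
• Instruction Fuzzy Hash: 5C21DFB5901208DFDB10CFA9D984ADEFBF4EF48324F14841AE918A7310D778AA54CFA1
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03016DFF
• Source File: 00000008.00000002.553824589.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
• Opcode ID: 2f95ae8af4209bb969b453fadb22d59480744cc5ec95c936b306fe34ccf8fb20
• Instruction Fuzzy Hash: 2221D3B59012089FDB10CFAAD984ADEFBF8FB48324F14841AE914A7350D779A954CFA1
• RtlEncodePointer.NTDLL(00000000), ref: 0301BDF2
• Source File: 00000008.00000002.553824589.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
• Opcode ID: a17d263156356805a5030c039ed9e521696f23db68f12d7dd205fbb264d5a3cf
• Instruction Fuzzy Hash: 1A11ACB19017488FDB60EFAAC50939EBFF4FB08314F24842AD409A3200DB396918CFA1
• Source File: 00000008.00000002.553490003.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false
• Opcode ID: 12780f067525ca22544228b0ebe965c412c01cdc6346211fcf5b862fbc38a0d9
• Instruction Fuzzy Hash: 2B2106B2504240DFDB15DF94D9C0B96FF65FF8832CF3485A9E9094B246C336D856C6A2
"""

API_RE = re.compile(r"^• (?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^• (?P<key>[^:]+): ?(?P<val>.*)$")
SRC_RE = re.compile(r"^(?P<sdmp>\S+\.sdmp), Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")

# Standard Win32 page-protection and allocation-type values.
PAGE_PROT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
             0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
             0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


def parse_entries(text):
    """One dict per function entry; an entry ends at its Instruction Fuzzy
    Hash bullet, which every function entry in the report carries."""
    entries, cur = [], {"apis": []}
    for line in text.splitlines():
        line = line.strip()
        m = API_RE.match(line)
        if m:  # "• Api.MODULE(args), ref: <call-site address>"
            cur["apis"].append((m["api"], m["module"], int(m["ref"], 16)))
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, val = m["key"].strip(), m["val"].strip()
        if key == "Source File":
            s = SRC_RE.match(val)
            cur.update(sdmp=s["sdmp"], offset=int(s["off"], 16),
                       based_on_pe=(s["pe"] == "true"))
        elif key == "Opcode ID":
            cur["opcode_id"] = val
        elif key == "Instruction Fuzzy Hash":
            cur["fuzzy_hash"] = val
            entries.append(cur)
            cur = {"apis": []}
    return entries


def region_flags(sdmp_name):
    """Decode the dotted .sdmp name. Assumption: fields are
    process.dump.id.base.protect.?.type.? (process 8 / dump 2 match the
    hcaresult_8_2_* snapshot names in the report); verify on your own data."""
    f = sdmp_name.split(".")
    prot, mtype = int(f[4], 16), int(f[6], 16)
    return {"process": int(f[0], 16), "dump": int(f[1], 16), "base": int(f[3], 16),
            "protect": PAGE_PROT.get(prot, hex(prot)),
            "type": MEM_TYPE.get(mtype, hex(mtype)),
            # executable private memory with no backing image: unpacked or injected code
            "executable_private": prot in (0x10, 0x20, 0x40, 0x80) and mtype == 0x20000}


def collapse_call_sites(entries):
    """Group entries by (dump, API, call-site address): the same call site in
    two entries is one function analysed from two entry points, so its two
    Opcode IDs must not be counted as two functions."""
    groups = defaultdict(list)
    for e in entries:
        for api, module, ref in e["apis"]:
            groups[(e["sdmp"], f"{api}.{module}", ref)].append(e["opcode_id"])
    return dict(groups)


def summarize(text):
    """One line per unique call site with its memory-region classification."""
    lines = []
    for (sdmp, api, ref), ids in sorted(collapse_call_sites(parse_entries(text)).items()):
        r = region_flags(sdmp)
        lines.append(f"{api} @ {ref:08X} in {r['protect']}/{r['type']} region at "
                     f"{r['base']:08X}: {len(ids)} entries, {len(set(ids))} opcode IDs")
    return lines
```

Run `summarize(SAMPLE_REPORT)` to get the two collapsed call sites; entries without an API bullet (such as the 017BD000 functions) are parsed but do not form a call-site group. Opcode IDs and fuzzy hashes taken from PAGE_EXECUTE_READWRITE private memory describe code as it existed in that one run, so use them to match unpacked payloads across reports, not as a substitute for hashing the on-disk sample.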