Windows Analysis Report
27-00000E9E0.exe

Overview

General Information

Sample Name: 27-00000E9E0.exe
Analysis ID: 562513
MD5: 8bb02aeba18edef4446fa923b0342709
SHA1: d4cba8dd7b5f211571d50182017c94cca55760c4
SHA256: acb77cf0d80fc513aa1d6bbb098615fe73bac7ab4791d9d52958923f19bd517d
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • 27-00000E9E0.exe (PID: 5316 cmdline: "C:\Users\user\Desktop\27-00000E9E0.exe" MD5: 8BB02AEBA18EDEF4446FA923B0342709)
    • 27-00000E9E0.exe (PID: 5736 cmdline: C:\Users\user\Desktop\27-00000E9E0.exe MD5: 8BB02AEBA18EDEF4446FA923B0342709)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "investwhore@bhgautopartes.com", "Password": "icui4cu2@@", "Host": "mail.bhgautopartes.com"}
Source | Rule | Description | Author | Strings
00000005.00000000.721819675.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000000.721819675.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000005.00000000.721345655.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000000.721345655.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000005.00000000.722583580.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Source | Rule | Description | Author | Strings
0.2.27-00000E9E0.exe.435aec8.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.27-00000E9E0.exe.435aec8.5.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.27-00000E9E0.exe.435aec8.5.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x2e69e:$s1: get_kbok
  • 0x2efd2:$s2: get_CHoo
  • 0x2fc2d:$s3: set_passwordIsSet
  • 0x2e4a2:$s4: get_enableLog
  • 0x32b21:$s8: torbrowser
  • 0x314fd:$s10: logins
  • 0x30e75:$s11: credential
  • 0x2d898:$g1: get_Clipboard
  • 0x2d8a6:$g2: get_Keyboard
  • 0x2d8b3:$g3: get_Password
  • 0x2ee80:$g4: get_CtrlKeyDown
  • 0x2ee90:$g5: get_ShiftKeyDown
  • 0x2eea1:$g6: get_AltKeyDown
0.2.27-00000E9E0.exe.330d900.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
0.2.27-00000E9E0.exe.330d900.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste | Detects executables potentially checking for WinJail sandbox window | ditekSHen
  • 0x8860:$v1: SbieDll.dll
  • 0x887a:$v2: USER
  • 0x8886:$v3: SANDBOX
  • 0x8898:$v4: VIRUS
  • 0x88e8:$v4: VIRUS
  • 0x88a6:$v5: MALWARE
  • 0x88b8:$v6: SCHMIDTI
  • 0x88cc:$v7: CURRENTUSER

No Sigma rule has matched

AV Detection

Source: 5.0.27-00000E9E0.exe.400000.12.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "investwhore@bhgautopartes.com", "Password": "icui4cu2@@", "Host": "mail.bhgautopartes.com"}
Source: 27-00000E9E0.exe | Virustotal: Detection: 34%
Source: 27-00000E9E0.exe | ReversingLabs: Detection: 33%
Source: 27-00000E9E0.exe | Joe Sandbox ML: detected
Source: 5.0.27-00000E9E0.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.2.27-00000E9E0.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.27-00000E9E0.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.27-00000E9E0.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.27-00000E9E0.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.27-00000E9E0.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 27-00000E9E0.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 27-00000E9E0.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ObjRefSurroga.pdb | source: 27-00000E9E0.exe

System Summary

Source: 0.2.27-00000E9E0.exe.435aec8.5.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload | Author: ditekSHen
Source: 0.2.27-00000E9E0.exe.330d900.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables potentially checking for WinJail sandbox window | Author: ditekSHen
Source: 5.0.27-00000E9E0.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload | Author: ditekSHen
Source: 5.0.27-00000E9E0.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload | Author: ditekSHen
Source: 5.0.27-00000E9E0.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload | Author: ditekSHen
Source: 5.0.27-00000E9E0.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload | Author: ditekSHen
Source: 5.2.27-00000E9E0.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload | Author: ditekSHen
Source: 5.0.27-00000E9E0.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload | Author: ditekSHen
Source: 0.2.27-00000E9E0.exe.43256a8.3.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload | Author: ditekSHen
Source: 0.2.27-00000E9E0.exe.338d08c.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables potentially checking for WinJail sandbox window | Author: ditekSHen
Source: 0.2.27-00000E9E0.exe.435aec8.5.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload | Author: ditekSHen
Source: 0.2.27-00000E9E0.exe.43256a8.3.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload | Author: ditekSHen
Source: 00000005.00000002.935514676.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: AgentTeslaV3 infostealer payload | Author: ditekSHen
Source: Process Memory Space: 27-00000E9E0.exe PID: 5736, type: MEMORYSTR | Matched rule: AgentTeslaV3 infostealer payload | Author: ditekSHen
Source: 5.0.27-00000E9E0.exe.400000.12.unpack, <PrivateImplementationDetails>{E397C1FB-B73E-4006-A846-A4E4F75E76D0}/E7E5FB49-E6F3-4432-9B62-7C118E53F82B.cs | Large array initialization: .cctor: array initializer size 11769
Source: 5.2.27-00000E9E0.exe.400000.0.unpack, <PrivateImplementationDetails>{E397C1FB-B73E-4006-A846-A4E4F75E76D0}/E7E5FB49-E6F3-4432-9B62-7C118E53F82B.cs | Large array initialization: .cctor: array initializer size 11769
Source: 5.0.27-00000E9E0.exe.400000.6.unpack, <PrivateImplementationDetails>{E397C1FB-B73E-4006-A846-A4E4F75E76D0}/E7E5FB49-E6F3-4432-9B62-7C118E53F82B.cs | Large array initialization: .cctor: array initializer size 11769
Source: 27-00000E9E0.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 0.2.27-00000E9E0.exe.435aec8.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.27-00000E9E0.exe.330d900.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 5.0.27-00000E9E0.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.27-00000E9E0.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.27-00000E9E0.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.27-00000E9E0.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.2.27-00000E9E0.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.27-00000E9E0.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.27-00000E9E0.exe.43256a8.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.27-00000E9E0.exe.338d08c.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.27-00000E9E0.exe.435aec8.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.27-00000E9E0.exe.43256a8.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000005.00000002.935514676.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: 27-00000E9E0.exe PID: 5736, type: MEMORYSTR | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Process Stats: CPU usage > 98%
Source: 27-00000E9E0.exe, 00000000.00000002.730120195.0000000007C50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs 27-00000E9E0.exe
Source: 27-00000E9E0.exe, 00000000.00000002.726779973.00000000042C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMeFREEFmmVXrWPXhcQckrY.exe4 vs 27-00000E9E0.exe
Source: 27-00000E9E0.exe, 00000000.00000002.726779973.00000000042C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs 27-00000E9E0.exe
Source: 27-00000E9E0.exe, 00000000.00000002.726181155.000000000331C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameObjRefSurroga.exe4 vs 27-00000E9E0.exe
Source: 27-00000E9E0.exe, 00000000.00000002.726181155.000000000331C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs 27-00000E9E0.exe
Source: 27-00000E9E0.exe, 00000000.00000002.726181155.000000000331C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs 27-00000E9E0.exe
Source: 27-00000E9E0.exe, 00000000.00000000.668448019.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameObjRefSurroga.exe4 vs 27-00000E9E0.exe
Source: 27-00000E9E0.exe, 00000000.00000002.726312492.000000000338D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs 27-00000E9E0.exe
Source: 27-00000E9E0.exe, 00000000.00000002.725978446.00000000032C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs 27-00000E9E0.exe
Source: 27-00000E9E0.exe, 00000000.00000002.725978446.00000000032C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs 27-00000E9E0.exe
Source: 27-00000E9E0.exe, 00000000.00000002.725978446.00000000032C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMeFREEFmmVXrWPXhcQckrY.exe4 vs 27-00000E9E0.exe
Source: 27-00000E9E0.exe, 00000005.00000000.719655476.0000000000FA8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameObjRefSurroga.exe4 vs 27-00000E9E0.exe
Source: 27-00000E9E0.exe, 00000005.00000002.935213524.00000000016EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 27-00000E9E0.exe
Source: 27-00000E9E0.exe, 00000005.00000000.721927285.0000000000438000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMeFREEFmmVXrWPXhcQckrY.exe4 vs 27-00000E9E0.exe
Source: 27-00000E9E0.exe | Binary or memory string: OriginalFilenameObjRefSurroga.exe4 vs 27-00000E9E0.exe
Source: 27-00000E9E0.exe | Virustotal: Detection: 34%
Source: 27-00000E9E0.exe | ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\27-00000E9E0.exe | File read: C:\Users\user\Desktop\27-00000E9E0.exe:Zone.Identifier
Source: 27-00000E9E0.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\27-00000E9E0.exe "C:\Users\user\Desktop\27-00000E9E0.exe"
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Process created: C:\Users\user\Desktop\27-00000E9E0.exe C:\Users\user\Desktop\27-00000E9E0.exe
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\27-00000E9E0.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\27-00000E9E0.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\27-00000E9E0.exe.log
Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/1@0/0
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                  Source: 27-00000E9E0.exe, vz/cO.csCryptographic APIs: 'CreateDecryptor'
                  Source: 27-00000E9E0.exe, vz/cO.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.0.27-00000E9E0.exe.de0000.0.unpack, vz/cO.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.0.27-00000E9E0.exe.de0000.0.unpack, vz/cO.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.27-00000E9E0.exe.de0000.0.unpack, vz/cO.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.27-00000E9E0.exe.de0000.0.unpack, vz/cO.csCryptographic APIs: 'CreateDecryptor'
                  Source: 5.0.27-00000E9E0.exe.ed0000.13.unpack, vz/cO.csCryptographic APIs: 'CreateDecryptor'
                  Source: 5.0.27-00000E9E0.exe.ed0000.13.unpack, vz/cO.csCryptographic APIs: 'CreateDecryptor'
                  Source: 5.0.27-00000E9E0.exe.400000.12.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 5.0.27-00000E9E0.exe.400000.12.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: 27-00000E9E0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: 27-00000E9E0.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: 27-00000E9E0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: ObjRefSurroga.pdb source: 27-00000E9E0.exe
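The three static-PE entries above (a populated COM descriptor directory, the DllCharacteristics set NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE and NX_COMPAT, and a debug directory, whose CodeView record is where a .pdb path such as ObjRefSurroga.pdb usually lives) are what identify the file as a 32-bit .NET assembly before it is ever run. The Python below is an example added to this page; it is not part of the Joe Sandbox report and not Joe Sandbox code. It reads those fields straight from the PE headers with only the standard library. build_sample_pe constructs a header-only PE32 so the check runs offline; its field values are chosen to mirror what the report lists and it is not the analysed sample.

```python
import struct

# DllCharacteristics bits as defined in the PE/COFF specification (winnt.h).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

DIR_DEBUG = 6            # IMAGE_DIRECTORY_ENTRY_DEBUG
DIR_COM_DESCRIPTOR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR runtime header)


def parse_pe_static(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> optional header and report the
    DllCharacteristics flags and which data directories are populated."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:      # PE32+
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    n_dirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    n_dirs = min(n_dirs, (size_of_optional - dirs_off) // 8)  # never read past the header
    present = {}
    for i in range(n_dirs):
        rva, size = struct.unpack_from("<II", data, opt + dirs_off + 8 * i)
        if rva and size:
            present[i] = (rva, size)
    return {
        "is_32bit": magic == 0x10B,
        "dll_characteristics": sorted(
            name for bit, name in DLL_CHARACTERISTICS.items() if dll_chars & bit),
        "is_dotnet": DIR_COM_DESCRIPTOR in present,
        "has_debug_dir": DIR_DEBUG in present,
    }


def build_sample_pe() -> bytes:
    """Constructed, header-only PE32 (no sections, not loadable) whose fields
    mirror the report: DllCharacteristics 0x8540 plus DEBUG and COM_DESCRIPTOR
    directories. Assumed values, not bytes from the real sample."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 96 + 16 * 8                                    # PE32 with 16 directories
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)  # i386, EXE, 32-bit
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                 # ImageBase
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x0400 | 0x8000)
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_DEBUG, 0x2F00, 0x1C)
    struct.pack_into("<II", opt, 96 + 8 * DIR_COM_DESCRIPTOR, 0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(parse_pe_static(build_sample_pe()))
```

To run it against a real file, pass the file's bytes to parse_pe_static; a populated directory 14 is the quickest static tell that a PE is a managed assembly, and the flag set 0x8540 is what the C# compiler emits by default, so it says nothing about the author's intent on its own.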

                  Data Obfuscation

Source: 27-00000E9E0.exe, JM/jw.cs | .Net Code: fpq System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.27-00000E9E0.exe.de0000.0.unpack, JM/jw.cs | .Net Code: fpq System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.27-00000E9E0.exe.de0000.0.unpack, JM/jw.cs | .Net Code: fpq System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.27-00000E9E0.exe.ed0000.13.unpack, JM/jw.cs | .Net Code: fpq System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.27-00000E9E0.exe.ed0000.7.unpack, JM/jw.cs | .Net Code: fpq System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.27-00000E9E0.exe.ed0000.2.unpack, JM/jw.cs | .Net Code: fpq System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.27-00000E9E0.exe.ed0000.1.unpack, JM/jw.cs | .Net Code: fpq System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 27-00000E9E0.exe, vz/cO.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.27-00000E9E0.exe.de0000.0.unpack, vz/cO.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 5.0.27-00000E9E0.exe.ed0000.13.unpack, vz/cO.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 5.0.27-00000E9E0.exe.ed0000.7.unpack, vz/cO.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 5.0.27-00000E9E0.exe.ed0000.2.unpack, vz/cO.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 5.0.27-00000E9E0.exe.ed0000.1.unpack, vz/cO.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)

AppDomain.Load(byte[]) loads an assembly from a managed byte array, so a decrypted next stage can be loaded without ever being written to disk. Looking up GetDelegateForFunctionPointer by name through Type.GetMethod resolves Marshal.GetDelegateForFunctionPointer at run time, which lets the code call raw native function pointers without a static P/Invoke import that a scanner or decompiler would list. Both are the usual building blocks of a .NET unpacker, which is what the "potential unpacker" and "dynamically call methods" signatures refer to.

Source: C:\Users\user\Desktop\27-00000E9E0.exe | Code function: 0_2_01741C58 push ebx; iretd 0_2_01741C7A
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Process information set: NOOPENFILEERRORBOX (79 identical entries)

NOOPENFILEERRORBOX is the SEM_NOOPENFILEERRORBOX process error-mode flag; it suppresses the dialog Windows would otherwise show when a file cannot be opened. Joe Sandbox lists it as generic process information, so on its own it carries little signal.

                  Malware Analysis System Evasion

Source: Yara match | File source: 0.2.27-00000E9E0.exe.330d900.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.27-00000E9E0.exe.338d08c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.725978446.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.726312492.000000000338D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 27-00000E9E0.exe PID: 5316, type: MEMORYSTR
Source: 27-00000E9E0.exe, 00000000.00000002.726312492.000000000338D000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000002.725978446.00000000032C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: 27-00000E9E0.exe, 00000000.00000002.726312492.000000000338D000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000002.725978446.00000000032C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\27-00000E9E0.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\27-00000E9E0.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\27-00000E9E0.exe TID: 472 | Thread sleep time: -38044s >= -30000s
Source: C:\Users\user\Desktop\27-00000E9E0.exe TID: 4612 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\27-00000E9E0.exe TID: 6940 | Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Users\user\Desktop\27-00000E9E0.exe TID: 6476 | Thread sleep count: 5401 > 30
Source: C:\Users\user\Desktop\27-00000E9E0.exe TID: 6476 | Thread sleep count: 4415 > 30
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Thread delayed: delay time: 922337203685477 (listed twice)
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Window / User API: threadDelayed 5401
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Window / User API: threadDelayed 4415
Source: C:\Users\user\Desktop\27-00000E9E0.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Thread delayed: delay time: 38044
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Thread delayed: delay time: 922337203685477 (listed twice)

The value 922337203685477 is TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks divided by 10000 ticks per millisecond), so these are delays that never end on a real machine; the sample only makes progress if the analysis environment shortens or skips sleeps, which is exactly what the sleep signatures measure. The 38044 delay by itself already exceeds the 30000 threshold the report applies, and the thousands of short sleeps from TID 6476 are the same stalling idea spread over a loop.

Source: 27-00000E9E0.exe, 00000000.00000002.725978446.00000000032C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: 27-00000E9E0.exe, 00000000.00000002.725978446.00000000032C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 27-00000E9E0.exe, 00000000.00000002.725978446.00000000032C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: 27-00000E9E0.exe, 00000000.00000002.725978446.00000000032C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

The "VMware SVGA II" display adapter name and the VMware Tools registry and install paths are the values the WMI and registry checks are compared against. The same memory region also holds the fragment 'Add-MpPreference -ExclusionPath "', the Windows Defender cmdlet used to exclude a path from scanning; the report records the string being present, not the command being run.

Source: C:\Users\user\Desktop\27-00000E9E0.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\27-00000E9E0.exe | Memory written: C:\Users\user\Desktop\27-00000E9E0.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Process created: C:\Users\user\Desktop\27-00000E9E0.exe C:\Users\user\Desktop\27-00000E9E0.exe

Taken together these two rows are process hollowing: the sample starts a second instance of its own image (created suspended, per the signature list) and writes a buffer beginning with 4D5A, the MZ signature of a PE file, at 0x400000, the default image base of a 32-bit executable, so the child runs the injected payload under the name and path of the original file. The unpacked region 5.0.27-00000E9E0.exe.400000.12.unpack listed earlier is a dump taken from that base in process 5.
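The hollowing pair above and the sleep, WMI and string checks in the evasion section are the events a detection engineer would want to correlate rather than read one row at a time. The Python below is an example added to this page; it is not part of the Joe Sandbox report and not Joe Sandbox code. It parses behaviour rows written in a simplified "Source: <source> | <event>: <detail>" form, flags a self-spawn followed by an MZ write at the child's image base as hollowing, and scores the stalling and VM-fingerprinting events. The row format, the SAMPLE_ROWS (constructed to mirror this report's entries, not copied output), the 30000 threshold and the function names are this example's assumptions.

```python
import re

# One behaviour row: "Source: <source> | <event>: <detail>" (assumed format).
ROW = re.compile(r"^Source:\s*(?P<src>.+?)\s*\|\s*(?P<event>[^:]+):\s*(?P<detail>.*)$")
MEM_WRITE = re.compile(
    r"(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) value starts with: (?P<val>[0-9A-Fa-f]+)")

# TimeSpan.MaxValue in milliseconds: Int64.MaxValue ticks / 10000 ticks per ms.
TIMESPAN_MAX_MS = 9223372036854775807 // 10000   # 922337203685477
LONG_SLEEP = 30000                                # threshold the report applies
DEFAULT_EXE_BASE = 0x400000                       # default 32-bit image base

VM_WMI_CLASSES = {"Win32_Processor", "Win32_BaseBoard", "Win32_Bios",
                  "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration"}
SANDBOX_STRINGS = ("sbiedll.dll", "wine_get_unix_file_name", "vmware")

# Constructed rows modelled on this report's entries; the memory write comes last.
SAMPLE_ROWS = [
    r'Source: unknown | Process created: C:\Users\user\Desktop\27-00000E9E0.exe "C:\Users\user\Desktop\27-00000E9E0.exe"',
    r'Source: C:\Users\user\Desktop\27-00000E9E0.exe | Process created: C:\Users\user\Desktop\27-00000E9E0.exe C:\Users\user\Desktop\27-00000E9E0.exe',
    r'Source: C:\Users\user\Desktop\27-00000E9E0.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard',
    r'Source: C:\Users\user\Desktop\27-00000E9E0.exe TID: 4612 | Thread sleep time: -922337203685477s >= -30000s',
    r'Source: C:\Users\user\Desktop\27-00000E9E0.exe TID: 472 | Thread sleep time: -38044s >= -30000s',
    r'Source: 27-00000E9E0.exe, 00000000.00000002.sdmp | Binary or memory string: SBIEDLL.DLL',
    r'Source: 27-00000E9E0.exe, 00000000.00000002.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools',
    r'Source: C:\Users\user\Desktop\27-00000E9E0.exe | Memory written: C:\Users\user\Desktop\27-00000E9E0.exe base: 400000 value starts with: 4D5A',
]


def parse_rows(lines):
    """Split rows into (source, event, detail) triples; skip anything else."""
    out = []
    for line in lines:
        m = ROW.match(line.strip())
        if m:
            out.append((m["src"], m["event"].strip(), m["detail"].strip()))
    return out


def find_hollowing(rows):
    """A parent spawns its own image, then writes a PE (4D5A) into that child
    at the default image base: the observable core of process hollowing."""
    self_spawned = set()
    findings = []
    for src, event, detail in rows:
        if event == "Process created":
            child = detail.split()[0].strip('"')
            if child.lower() == src.lower():
                self_spawned.add(child.lower())
        elif event == "Memory written":
            m = MEM_WRITE.match(detail)
            if not m:
                continue
            base = int(m["base"], 16)
            if (m["target"].lower() in self_spawned and base == DEFAULT_EXE_BASE
                    and m["val"].upper().startswith("4D5A")):
                findings.append({"technique": "process hollowing", "parent": src,
                                 "child": m["target"], "base": base})
    return findings


def find_evasion(rows):
    """Collect sleep-based stalling, VM fingerprinting via WMI and known
    sandbox/VM artifact strings; sleep values are compared by magnitude."""
    findings = []
    for src, event, detail in rows:
        if event in ("Thread sleep time", "Thread delayed"):
            nums = [abs(int(n)) for n in re.findall(r"-?\d+", detail)]
            if nums and nums[0] == TIMESPAN_MAX_MS:
                findings.append({"technique": "sleep evasion",
                                 "detail": "TimeSpan.MaxValue (unbounded delay)"})
            elif nums and nums[0] >= LONG_SLEEP:
                findings.append({"technique": "sleep evasion",
                                 "detail": f"delay {nums[0]} >= {LONG_SLEEP}"})
        elif event == "WMI Queries":
            cls = detail.rsplit(":", 1)[-1].strip()
            if cls in VM_WMI_CLASSES:
                findings.append({"technique": "VM fingerprinting via WMI", "detail": cls})
        elif event == "Binary or memory string":
            hit = next((s for s in SANDBOX_STRINGS if s in detail.lower()), None)
            if hit:
                findings.append({"technique": "sandbox/VM artifact string", "detail": hit})
    return findings


def analyze(lines):
    rows = parse_rows(lines)
    return {"hollowing": find_hollowing(rows), "evasion": find_evasion(rows)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_ROWS).items():
        for hit in hits:
            print(kind, hit)
```

The hollowing check is stateful on purpose: an MZ write at 0x400000 into an unrelated process, or a self-spawn without a later write, is not flagged, which keeps ordinary self-updating installers out of the result. The sleep check normalises by magnitude because the report renders the intervals as negative numbers.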
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Users\user\Desktop\27-00000E9E0.exe VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information (VolumeInformation) for the following files under C:\Windows\Fonts: arial.ttf, ariali.ttf, arialbd.ttf, arialbi.ttf, ARIALN.TTF, ariblk.ttf, ARIALNI.TTF, ARIALNB.TTF, ARIALNBI.TTF, bahnschrift.ttf, calibri.ttf, calibril.ttf, calibrii.ttf, calibrili.ttf, calibrib.ttf, calibriz.ttf, cambria.ttc, cambriai.ttf, cambriab.ttf, cambriaz.ttf, Candara.ttf, Candarai.ttf, Candarab.ttf, Candaraz.ttf, comic.ttf, comici.ttf, comicbd.ttf, comicz.ttf, consola.ttf, consolai.ttf, consolab.ttf, consolaz.ttf, constan.ttf, constani.ttf, constanb.ttf, constanz.ttf, corbel.ttf, corbeli.ttf, corbelb.ttf, corbelz.ttf, cour.ttf, couri.ttf, courbd.ttf, courbi.ttf, ebrima.ttf, ebrimabd.ttf, framd.ttf, FRADM.TTF, framdit.ttf, FRADMIT.TTF, FRAMDCN.TTF, FRADMCN.TTF, FRAHV.TTF, FRAHVIT.TTF, Gabriola.ttf, gadugi.ttf, gadugib.ttf, georgia.ttf, georgiai.ttf, georgiab.ttf, georgiaz.ttf, impact.ttf, Inkfree.ttf, javatext.ttf, LeelawUI.ttf, LeelUIsl.ttf, LeelaUIb.ttf, lucon.ttf, l_10646.ttf, malgun.ttf, malgunsl.ttf, malgunbd.ttf, himalaya.ttf, msjh.ttc, msjhl.ttc, msjhbd.ttc, ntailu.ttf, ntailub.ttf, phagspa.ttf, phagspab.ttf, micross.ttf, taile.ttf, taileb.ttf, msyh.ttc, msyhl.ttc, msyhbd.ttc, msyi.ttf, mingliub.ttc, monbaiti.ttf, msgothic.ttc, mvboli.ttf, mmrtext.ttf, mmrtextb.ttf, Nirmala.ttf, NirmalaS.ttf, NirmalaB.ttf, pala.ttf, palai.ttf, palab.ttf, palabi.ttf

The font queries follow the loading of System.Windows.Forms.dll and System.Drawing.dll and are the GDI+ font enumeration that any Windows Forms application triggers; on their own they are not an evasion or fingerprinting indicator, so the volume query that matters here is the one against the sample's own path.
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\27-00000E9E0.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Users\user\Desktop\27-00000E9E0.exe VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\27-00000E9E0.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.27-00000E9E0.exe.435aec8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.27-00000E9E0.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.27-00000E9E0.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.27-00000E9E0.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.27-00000E9E0.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.27-00000E9E0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.27-00000E9E0.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.27-00000E9E0.exe.43256a8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.27-00000E9E0.exe.435aec8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.27-00000E9E0.exe.43256a8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000000.721819675.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.721345655.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.722583580.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.934679490.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.720835390.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.726779973.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.935514676.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 27-00000E9E0.exe PID: 5316, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 27-00000E9E0.exe PID: 5736, type: MEMORYSTR
Source: Yara match | File source: 00000005.00000002.935514676.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 27-00000E9E0.exe PID: 5736, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.2.27-00000E9E0.exe.435aec8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.27-00000E9E0.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.27-00000E9E0.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.27-00000E9E0.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.27-00000E9E0.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.27-00000E9E0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.27-00000E9E0.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.27-00000E9E0.exe.43256a8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.27-00000E9E0.exe.435aec8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.27-00000E9E0.exe.43256a8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000000.721819675.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.721345655.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.722583580.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.934679490.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.720835390.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.726779973.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.935514676.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 27-00000E9E0.exe PID: 5316, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 27-00000E9E0.exe PID: 5736, type: MEMORYSTR

ATT&CK matrix, listed by tactic column (leading digits are the detection count badges shown in the report's matrix cells):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 211 Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: 111 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 21 Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 211 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 113 System Information Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
Source | Detection | Scanner | Label
27-00000E9E0.exe | 35% | Virustotal |
27-00000E9E0.exe | 33% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
27-00000E9E0.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
5.0.27-00000E9E0.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
5.2.27-00000E9E0.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
5.0.27-00000E9E0.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
5.0.27-00000E9E0.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
5.0.27-00000E9E0.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
5.0.27-00000E9E0.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
No Antivirus matches
Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://blog.iandreev.com/ | 0% | Virustotal |
http://blog.iandreev.com/ | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://blog.iandreev.com | 0% | Virustotal |
http://blog.iandreev.com | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.carterandcone.com( | 0% | Avira URL Cloud | safe
http://FTFSWX.com | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/c | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.fontbureau.como | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.carterandcone.como. | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.zhongyicts.com.cnH | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://www.fontbureau.comionvq | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cned | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnon | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | 27-00000E9E0.exe, 00000005.00000002.935514676.0000000003301000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | 27-00000E9E0.exe, 00000000.00000003.683456552.0000000006117000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.683647031.0000000006116000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000002.729822672.0000000007322000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.683772046.0000000006116000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | 27-00000E9E0.exe, 00000000.00000002.729822672.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | 27-00000E9E0.exe, 00000000.00000002.729822672.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/ | 27-00000E9E0.exe, 00000000.00000003.704707741.0000000006146000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://DynDns.comDynDNS | 27-00000E9E0.exe, 00000005.00000002.935514676.0000000003301000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://blog.iandreev.com/ | 27-00000E9E0.exe, 00000000.00000002.725978446.00000000032C1000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | 27-00000E9E0.exe, 00000000.00000002.729822672.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | 27-00000E9E0.exe, 00000000.00000002.729822672.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 27-00000E9E0.exe, 00000005.00000002.935514676.0000000003301000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | 27-00000E9E0.exe, 00000000.00000002.729822672.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://blog.iandreev.com | 27-00000E9E0.exe, 00000000.00000002.725978446.00000000032C1000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.tiro.com | 27-00000E9E0.exe, 00000000.00000002.729822672.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | 27-00000E9E0.exe, 00000000.00000002.729822672.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | 27-00000E9E0.exe, 00000000.00000002.729822672.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | 27-00000E9E0.exe, 00000000.00000003.686582202.0000000006114000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.685888911.0000000006116000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.687053861.0000000006115000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.683772046.0000000006116000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.686282278.0000000006116000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com( | 27-00000E9E0.exe, 00000000.00000003.683772046.0000000006116000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://FTFSWX.com | 27-00000E9E0.exe, 00000005.00000002.935514676.0000000003301000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | 27-00000E9E0.exe, 00000000.00000002.729822672.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | 27-00000E9E0.exe, 00000000.00000002.729822672.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | 27-00000E9E0.exe, 00000000.00000002.729822672.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | 27-00000E9E0.exe, 00000000.00000002.729822672.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | 27-00000E9E0.exe, 00000000.00000002.729822672.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | 27-00000E9E0.exe, 00000000.00000002.729822672.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | 27-00000E9E0.exe, 00000000.00000002.729822672.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | 27-00000E9E0.exe, 00000000.00000003.683216826.0000000006117000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.683343499.0000000006117000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.683097147.0000000006116000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.683456552.0000000006117000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.683647031.0000000006116000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.682834649.0000000006114000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000002.729822672.0000000007322000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.683772046.0000000006116000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.682937399.0000000006114000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | 27-00000E9E0.exe, 00000000.00000002.729822672.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/cabarga.html | 27-00000E9E0.exe, 00000000.00000003.696228710.000000000614D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/c | 27-00000E9E0.exe, 00000000.00000003.682834649.0000000006114000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | 27-00000E9E0.exe, 00000000.00000002.729822672.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.como | 27-00000E9E0.exe, 00000000.00000002.725465953.0000000001A27000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | 27-00000E9E0.exe, 00000000.00000002.729822672.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | 27-00000E9E0.exe, 00000000.00000002.729822672.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | 27-00000E9E0.exe, 00000000.00000002.729822672.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | 27-00000E9E0.exe, 00000000.00000002.729822672.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | 27-00000E9E0.exe, 00000000.00000002.729822672.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | 27-00000E9E0.exe, 00000000.00000003.683647031.0000000006116000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000002.729822672.0000000007322000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.683772046.0000000006116000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.como. | 27-00000E9E0.exe, 00000000.00000003.683772046.0000000006116000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | 27-00000E9E0.exe, 00000000.00000002.729822672.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/ | 27-00000E9E0.exe, 00000000.00000003.692466481.000000000614D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.zhongyicts.com.cnH | 27-00000E9E0.exe, 00000000.00000003.683647031.0000000006116000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.683772046.0000000006116000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 27-00000E9E0.exe, 00000000.00000002.726779973.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000005.00000000.721819675.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comionvq | 27-00000E9E0.exe, 00000000.00000002.725465953.0000000001A27000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cned | 27-00000E9E0.exe, 00000000.00000003.683216826.0000000006117000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.683343499.0000000006117000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.683097147.0000000006116000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.683456552.0000000006117000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.683647031.0000000006116000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.682834649.0000000006114000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.683772046.0000000006116000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.682937399.0000000006114000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnon | 27-00000E9E0.exe, 00000000.00000003.683216826.0000000006117000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.683343499.0000000006117000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.683097147.0000000006116000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.683456552.0000000006117000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.683647031.0000000006116000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.682834649.0000000006114000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.683772046.0000000006116000.00000004.00000800.00020000.00000000.sdmp, 27-00000E9E0.exe, 00000000.00000003.682937399.0000000006114000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                          No contacted IP infos
                                          Joe Sandbox Version:34.0.0 Boulder Opal
                                          Analysis ID:562513
                                          Start date:28.01.2022
                                          Start time:23:35:14
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 8m 30s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Sample file name:27-00000E9E0.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                           Number of new started processes analysed:16
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.troj.evad.winEXE@3/1@0/0
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HDC Information:
                                          • Successful, ratio: 1.3% (good quality ratio 0.9%)
                                          • Quality average: 54.4%
                                          • Quality standard deviation: 40.5%
                                          HCA Information:
                                          • Successful, ratio: 96%
                                          • Number of executed functions: 35
                                          • Number of non-executed functions: 4
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Found application associated with file extension: .exe
                                          • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                          • Excluded IPs from analysis (whitelisted): 51.104.136.2, 20.49.150.241
                                          • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, settingsfd-geo.trafficmanager.net
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                           Time | Type | Description
                                           23:36:33 | API Interceptor | 475x Sleep call for process: 27-00000E9E0.exe modified
                                           No context
                                          Process:C:\Users\user\Desktop\27-00000E9E0.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.355304211458859
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                          MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                          SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                          SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                          SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                          Malicious:true
                                          Reputation:high, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):6.593061145065494
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          File name:27-00000E9E0.exe
                                          File size:866304
                                          MD5:8bb02aeba18edef4446fa923b0342709
                                          SHA1:d4cba8dd7b5f211571d50182017c94cca55760c4
                                          SHA256:acb77cf0d80fc513aa1d6bbb098615fe73bac7ab4791d9d52958923f19bd517d
                                          SHA512:29afd6946f670d04c507e1fdd51631604c1e004631065c6afcaf3e93cc7db855ce7c830d6b34670bc6e4ca5f1914ecbf51e549a7c3404b1e24cb28315242bf0d
                                          SSDEEP:12288:FpDISo98n3oFAyxptJY8RzZiBQnP+Rtfh9AS88hvpM37:F97oqByHXCQnPiaS67
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.................*...........I... ...`....@.. ....................................@................................
                                          Icon Hash:00828e8e8686b000
                                          Entrypoint:0x4d49de
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                          Time Stamp:0x61F3FAB7 [Fri Jan 28 14:16:23 2022 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:v4.0.30319
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                           Name | Virtual Address | Virtual Size | Is in Section
                                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd4990 | 0x4b | .text
                                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd8000 | 0x5b8 | .rsrc
                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xda000 | 0xc | .reloc
                                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0xd4942 | 0x1c | .text
                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                           Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                           .text | 0x2000 | 0xd29e4 | 0xd2a00 | False | 0.52078078635 | data | 6.59843195103 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                           .sdata | 0xd6000 | 0x1e8 | 0x200 | False | 0.861328125 | data | 6.65431139161 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                           .rsrc | 0xd8000 | 0x5b8 | 0x600 | False | 0.426432291667 | data | 4.11442717519 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                           .reloc | 0xda000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                           Name | RVA | Size | Type | Language | Country
                                           RT_VERSION | 0xd80a0 | 0x32c | data | |
                                           RT_MANIFEST | 0xd83cc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
                                           DLL | Import
                                           mscoree.dll | _CorExeMain
                                           Description | Data
                                           Translation | 0x0000 0x04b0
                                           LegalCopyright | Copyright 2016
                                           Assembly Version | 1.0.0.0
                                           InternalName | ObjRefSurroga.exe
                                           FileVersion | 1.0.0.0
                                           CompanyName |
                                           LegalTrademarks |
                                           Comments |
                                           ProductName | OthelloCS
                                           ProductVersion | 1.0.0.0
                                           FileDescription | OthelloCS
                                           OriginalFilename | ObjRefSurroga.exe
                                          No network behavior found
                                          Target ID:0
                                          Start time:23:36:10
                                          Start date:28/01/2022
                                          Path:C:\Users\user\Desktop\27-00000E9E0.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\27-00000E9E0.exe"
                                          Imagebase:0xde0000
                                          File size:866304 bytes
                                          MD5 hash:8BB02AEBA18EDEF4446FA923B0342709
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.725978446.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.726312492.000000000338D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.726779973.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.726779973.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low

                                          Target ID:5
                                          Start time:23:36:34
                                          Start date:28/01/2022
                                          Path:C:\Users\user\Desktop\27-00000E9E0.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\Desktop\27-00000E9E0.exe
                                          Imagebase:0xed0000
                                          File size:866304 bytes
                                          MD5 hash:8BB02AEBA18EDEF4446FA923B0342709
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.721819675.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.721819675.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.721345655.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.721345655.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.722583580.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.722583580.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.934679490.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.934679490.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.720835390.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.720835390.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.935514676.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.935514676.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000005.00000002.935514676.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                          Reputation:low

                                            Execution Graph

                                            Execution Coverage:9.1%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:4.3%
                                            Total number of Nodes:93
                                            Total number of Limit Nodes:9
                                             execution_graph (graph rendering; node listing flattened by extraction, so only the API calls named among its nodes are kept here: DuplicateHandle, CreateWindowExW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, LoadLibraryExW, CallWindowProcW, SetWindowLongW, GetModuleHandleW, CreateActCtxA)
                                            APIs
                                            • SetWindowLongW.USER32(?,?,?), ref: 0329695D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.725915884.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_3290000_27-00000E9E0.jbxd
                                            Similarity
                                            • API ID: LongWindow
                                            • String ID:
                                            • API String ID: 1378638983-0
                                            • Opcode ID: 4d10dba51248bd10801b13701569890b4a306414db2cc14118d9eb2a756ff26a
                                            • Instruction ID: 65bf46577fe622b53e3d64b994d6835d32c5e4f8a68ed6343975acdf5b4baf2e
                                            • Opcode Fuzzy Hash: 4d10dba51248bd10801b13701569890b4a306414db2cc14118d9eb2a756ff26a
                                            • Instruction Fuzzy Hash: 0BB1CF35E1031ACFDF04DBA4D8549DDBBBAFF89310F14825AE415AB3A4DB74A885CB60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.725915884.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_3290000_27-00000E9E0.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: de8afd585d0761818fdc4ab2c73c9549b6ac2c7fb081288e209537ff2be93cda
                                            • Instruction ID: 6b412db099346f61264edb73ab4c1384cfd22ecf91240c114dfb06ed285d89ec
                                            • Opcode Fuzzy Hash: de8afd585d0761818fdc4ab2c73c9549b6ac2c7fb081288e209537ff2be93cda
                                            • Instruction Fuzzy Hash: 84B1CD74A007068FCB14EF79C4906AEBBF1BF88214B14896EC44ADB751DB34EC46CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 032920A8
                                            • GetCurrentThread.KERNEL32 ref: 032920E5
                                            • GetCurrentProcess.KERNEL32 ref: 03292122
                                            • GetCurrentThreadId.KERNEL32 ref: 0329217B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.725915884.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_3290000_27-00000E9E0.jbxd

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 032920A8
                                            • GetCurrentThread.KERNEL32 ref: 032920E5
                                            • GetCurrentProcess.KERNEL32 ref: 03292122
                                            • GetCurrentThreadId.KERNEL32 ref: 0329217B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.725915884.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_3290000_27-00000E9E0.jbxd

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 032967CA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.725915884.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_3290000_27-00000E9E0.jbxd

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 032967CA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.725915884.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_3290000_27-00000E9E0.jbxd

                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 017454B1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.725193919.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1740000_27-00000E9E0.jbxd

                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 03298D31
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.725915884.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_3290000_27-00000E9E0.jbxd

                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 017454B1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.725193919.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1740000_27-00000E9E0.jbxd

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 032926FF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.725915884.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_3290000_27-00000E9E0.jbxd

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 032926FF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.725915884.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_3290000_27-00000E9E0.jbxd

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 0329022A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.725915884.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_3290000_27-00000E9E0.jbxd

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 0329022A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.725915884.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_3290000_27-00000E9E0.jbxd

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0174FECE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.725193919.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1740000_27-00000E9E0.jbxd

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 0329022A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.725915884.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_3290000_27-00000E9E0.jbxd

                                            APIs
                                            • SetWindowLongW.USER32(?,?,?), ref: 0329695D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.725915884.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_3290000_27-00000E9E0.jbxd

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.724616073.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_138d000_27-00000E9E0.jbxd

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.724665610.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_139d000_27-00000E9E0.jbxd

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.724616073.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_138d000_27-00000E9E0.jbxd

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.724665610.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_139d000_27-00000E9E0.jbxd

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.724616073.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_138d000_27-00000E9E0.jbxd

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.724616073.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_138d000_27-00000E9E0.jbxd

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.725193919.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1740000_27-00000E9E0.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: UUUU$^

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.725915884.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_3290000_27-00000E9E0.jbxd

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.725193919.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1740000_27-00000E9E0.jbxd

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.725193919.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1740000_27-00000E9E0.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5b45e27bc097bd37470465ce60824bee8f920370e9ac05aeb8e651b18bb6f069
                                            • Instruction ID: 6ba4699801d098e183c71a38b71913d50ef2b5db18e081464e22e1f83cd62064
                                            • Opcode Fuzzy Hash: 5b45e27bc097bd37470465ce60824bee8f920370e9ac05aeb8e651b18bb6f069
                                            • Instruction Fuzzy Hash: 45515CB0A14249CFDB44EFB9E55469EBBB6FB88308F04C829C504AB364DB759906DB81
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Execution Graph

                                            Execution Coverage:10.6%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:83
                                            Total number of Limit Nodes:7

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 016D69A0
                                            • GetCurrentThread.KERNEL32 ref: 016D69DD
                                            • GetCurrentProcess.KERNEL32 ref: 016D6A1A
                                            • GetCurrentThreadId.KERNEL32 ref: 016D6A73
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.935176185.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_16d0000_27-00000E9E0.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 62d52792eae94bd3b5422f37c1658ae5c27e4fbbd22ff50023d5bb5100fc2e58
                                            • Instruction ID: 64273d0edf47434b8b1f98e3d20c04ba4ac4696715475858ca76ba7f258ab003
                                            • Opcode Fuzzy Hash: 62d52792eae94bd3b5422f37c1658ae5c27e4fbbd22ff50023d5bb5100fc2e58
                                            • Instruction Fuzzy Hash: FE61ADB0D093858FDB06CFA9D858BDEBFF1AF49314F15849AD058AB362D7345848CB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 016D69A0
                                            • GetCurrentThread.KERNEL32 ref: 016D69DD
                                            • GetCurrentProcess.KERNEL32 ref: 016D6A1A
                                            • GetCurrentThreadId.KERNEL32 ref: 016D6A73
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.935176185.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_16d0000_27-00000E9E0.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 00575b035fc819307d89a1ffd11132ddc46d8acf7d7cdf11d435d3b3ba669d79
                                            • Instruction ID: 153222601d3e189eef067536fbf8d4a5dbffd2d6910076654af584258bdea200
                                            • Opcode Fuzzy Hash: 00575b035fc819307d89a1ffd11132ddc46d8acf7d7cdf11d435d3b3ba669d79
                                            • Instruction Fuzzy Hash: 395133B0D006498FDB14CFAAD948BDEBBF1BF88314F248459E419A7360DB349845CB66
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 016D51A2
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.935176185.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_16d0000_27-00000E9E0.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: c973137677dd3c2cca4ff28bf9a5753f3fba17c9bc75886f35c0252599dcda06
                                            • Instruction ID: e9589a360245d3ed5d9534a8ba96b02c1227327a495724bee35be32388e6f38e
                                            • Opcode Fuzzy Hash: c973137677dd3c2cca4ff28bf9a5753f3fba17c9bc75886f35c0252599dcda06
                                            • Instruction Fuzzy Hash: 2E51DFB1D00349DFDB14CFAAC884ADEBFB5BF48314F64812AE819AB210D774A845CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 016D51A2
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.935176185.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_16d0000_27-00000E9E0.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 9f1557e78308533fe79f3b995273c04d223dc4037709676571b8b6c04c3f4307
                                            • Instruction ID: f501d727ce0e6aed61f8c6e84f9afd6411e8dbe2964251df0d82d8bef29b863e
                                            • Opcode Fuzzy Hash: 9f1557e78308533fe79f3b995273c04d223dc4037709676571b8b6c04c3f4307
                                            • Instruction Fuzzy Hash: F641AFB1D10349DFDB14CFAAC884ADEBFB5BF88314F64852AE819AB210D7749945CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 016D7F11
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.935176185.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_16d0000_27-00000E9E0.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: a1e024e562d87280a505651d94324d8336b7997d264114e3c46e3a76daec7d1d
                                            • Instruction ID: 08f611937d6890a45da4a1a3f71408aa7e3f015edebaabfe0ba74f42ff5dc3aa
                                            • Opcode Fuzzy Hash: a1e024e562d87280a505651d94324d8336b7997d264114e3c46e3a76daec7d1d
                                            • Instruction Fuzzy Hash: 0C413DB4900205CFDB14CF99C848AAABBF5FF88314F14C459E519A7321D775A841CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016D6BEF
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.935176185.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_16d0000_27-00000E9E0.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 6bf7c5a56998f638b5ca88c6a31553d25bab14cf373c6dcf91d92e98d755fd9e
                                            • Instruction ID: cb3b794880a9bd8a846e5cc70f0341b338f4cb3ef8e12d0458e48a22dd376128
                                            • Opcode Fuzzy Hash: 6bf7c5a56998f638b5ca88c6a31553d25bab14cf373c6dcf91d92e98d755fd9e
                                            • Instruction Fuzzy Hash: 5221E0B5D00249AFDB10CFAAD984ADEBBF8EB48320F14841AE914A3310D374A954CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016D6BEF
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.935176185.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_16d0000_27-00000E9E0.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 61eb20373c15acd65fe5029b7e2249be133989c7f3d907e4ce2a7b7cc16a9071
                                            • Instruction ID: 16bf6addd1bf824366355cb34c728938b0f01177993e123269a2167fa8ff8573
                                            • Opcode Fuzzy Hash: 61eb20373c15acd65fe5029b7e2249be133989c7f3d907e4ce2a7b7cc16a9071
                                            • Instruction Fuzzy Hash: 9721C2B5D002499FDB10CFAAD984ADEFBF8EB48324F14841AE914A7310D774A954CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • RtlEncodePointer.NTDLL(00000000), ref: 016DBF02
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.935176185.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_16d0000_27-00000E9E0.jbxd
                                            Similarity
                                            • API ID: EncodePointer
                                            • String ID:
                                            • API String ID: 2118026453-0
                                            • Opcode ID: a791750637e6f480395278a1f8417326137149556e05c8da27e2795a90ff4546
                                            • Instruction ID: 37b4e2c007547a3dc2cf9c787ff25bc521137f63adc2d8b0a22c56550f8d6b64
                                            • Opcode Fuzzy Hash: a791750637e6f480395278a1f8417326137149556e05c8da27e2795a90ff4546
                                            • Instruction Fuzzy Hash: A42186B1D013458FDB11DFAAD80878ABFF8EB49314F14892ED404A3241D7396808CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • RtlEncodePointer.NTDLL(00000000), ref: 016DBF02
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.935176185.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_16d0000_27-00000E9E0.jbxd
                                            Similarity
                                            • API ID: EncodePointer
                                            • String ID:
                                            • API String ID: 2118026453-0
                                            • Opcode ID: d42b8bd71d1453700228592d9cc95d5f4f4408d81a23d076a5f8f3180317c1b0
                                            • Instruction ID: 9df30107f52115e85e22a8fa79ef04b1f22d2af205d60c81f215c3f7f8af173e
                                            • Opcode Fuzzy Hash: d42b8bd71d1453700228592d9cc95d5f4f4408d81a23d076a5f8f3180317c1b0
                                            • Instruction Fuzzy Hash: D61186B1D013098FDB10DFAAD84878ABFF8EB49314F24882DD404A7341CB7AA9458FA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.934992584.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_155d000_27-00000E9E0.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7713924f37d69766bb1ca5b4b9c028826de1f4d379c5e0ce198bf5c7630b4961
                                            • Instruction ID: 56488cc295c509ae2f2fc7c1b4310eb0180b368c55ef44198c329db39b770865
                                            • Opcode Fuzzy Hash: 7713924f37d69766bb1ca5b4b9c028826de1f4d379c5e0ce198bf5c7630b4961
                                            • Instruction Fuzzy Hash: 7F2106B2504244DFDB46DF94D8D0B1ABFB5FB84328F24896AEC054F246C336D856C7A2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.935050355.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_167d000_27-00000E9E0.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6018d1433a07eb543decaf9203d505df4812b4544ee0a9529e9be75bd19bc810
                                            • Instruction ID: 4b502f8e2a5c9cec2ee96d4ecf60c9906485b6f3fa39ff59f970117f9fcab3a1
                                            • Opcode Fuzzy Hash: 6018d1433a07eb543decaf9203d505df4812b4544ee0a9529e9be75bd19bc810
                                            • Instruction Fuzzy Hash: 8E212275504200DFCB16DFA4DCC4B16BBA5FF88364F24C969D80A4B346C33AD857CA62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.934992584.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_155d000_27-00000E9E0.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f9154f6813b35f5e849061fcfaf88a5200d9197f54dc6ddbdd48086d4df7a377
                                            • Instruction ID: f72f42916f1889ba44c300fc297d3ff9ad217964c382844da84e2cdef1b86899
                                            • Opcode Fuzzy Hash: f9154f6813b35f5e849061fcfaf88a5200d9197f54dc6ddbdd48086d4df7a377
                                            • Instruction Fuzzy Hash: 4C11AF76404280CFCB12CF54D5D4B1ABF72FB84324F2486AADC094F656C336D45ACBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.935050355.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_167d000_27-00000E9E0.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9c1c4d15945f75f5c7145bd3be0d7b4ff171933bea9630414cfd87ddfd5d3604
                                            • Instruction ID: 60abb70b1e937dd414cd9bae5397861152aca0ece9dc94715775ac0975f76ef5
                                            • Opcode Fuzzy Hash: 9c1c4d15945f75f5c7145bd3be0d7b4ff171933bea9630414cfd87ddfd5d3604
                                            • Instruction Fuzzy Hash: AE118B75504280DFDB12CF54D9C4B16BFA1FB84324F28CAAAD8494B756C33AD45ACBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%