
Windows Analysis Report
6iCD4aFtyn.exe

Overview

General Information

Sample Name: 6iCD4aFtyn.exe
Analysis ID: 604234
MD5: a51e8dfe9b216175acbc225de1ceb0f5
SHA1: 36d347c6139c66656becec8bf698b1d6281b5b5f
SHA256: 7b29b24825a35a5d19c29cc434143b3f2937acbb86b959f86a3945f13264e84e
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Sigma detected: Suspicious Outbound SMTP Connections
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • 6iCD4aFtyn.exe (PID: 4968 cmdline: "C:\Users\user\Desktop\6iCD4aFtyn.exe" MD5: A51E8DFE9B216175ACBC225DE1CEB0F5)
    • 6iCD4aFtyn.exe (PID: 2848 cmdline: C:\Users\user\Desktop\6iCD4aFtyn.exe MD5: A51E8DFE9B216175ACBC225DE1CEB0F5)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "Support@eurologictics.com", "Password": "9_Qimn35", "Host": "webmail.eurologictics.com"}
Source | Rule | Description | Author | Strings
00000000.00000002.483826091.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000004.00000000.479301572.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000000.479301572.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000004.00000000.478572073.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000000.478572073.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
(15 entries in total; the first 5 are shown)

Source | Rule | Description | Author | Strings
4.2.6iCD4aFtyn.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
4.2.6iCD4aFtyn.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
4.2.6iCD4aFtyn.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen |
  • 0x32b58:$s10: logins
  • 0x325bf:$s11: credential
  • 0x2ebae:$g1: get_Clipboard
  • 0x2ebbc:$g2: get_Keyboard
  • 0x2ebc9:$g3: get_Password
  • 0x2fec8:$g4: get_CtrlKeyDown
  • 0x2fed8:$g5: get_ShiftKeyDown
  • 0x2fee9:$g6: get_AltKeyDown
4.0.6iCD4aFtyn.exe.400000.10.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
4.0.6iCD4aFtyn.exe.400000.10.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
(31 entries in total; the first 5 are shown)


Source: Network Connection | Author: frack113 | Data: DestinationIp: 176.53.69.151, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\6iCD4aFtyn.exe, Initiated: true, ProcessId: 2848, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49778
Source: Process started | Author: frack113 | Data: Command: C:\Users\user\Desktop\6iCD4aFtyn.exe, CommandLine: C:\Users\user\Desktop\6iCD4aFtyn.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\6iCD4aFtyn.exe, NewProcessName: C:\Users\user\Desktop\6iCD4aFtyn.exe, OriginalFileName: C:\Users\user\Desktop\6iCD4aFtyn.exe, ParentCommandLine: "C:\Users\user\Desktop\6iCD4aFtyn.exe" , ParentImage: C:\Users\user\Desktop\6iCD4aFtyn.exe, ParentProcessId: 4968, ParentProcessName: 6iCD4aFtyn.exe, ProcessCommandLine: C:\Users\user\Desktop\6iCD4aFtyn.exe, ProcessId: 2848, ProcessName: 6iCD4aFtyn.exe
                    No Snort rule has matched


                    AV Detection

Source: 4.0.6iCD4aFtyn.exe.400000.8.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "Support@eurologictics.com", "Password": "9_Qimn35", "Host": "webmail.eurologictics.com"}
Source: 6iCD4aFtyn.exe | Virustotal: Detection: 27%
Source: 6iCD4aFtyn.exe | Joe Sandbox ML: detected
Source: 4.0.6iCD4aFtyn.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.2.6iCD4aFtyn.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.6iCD4aFtyn.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.6iCD4aFtyn.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.6iCD4aFtyn.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.6iCD4aFtyn.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 6iCD4aFtyn.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 6iCD4aFtyn.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Joe Sandbox View | ASN Name: RADORETR RADORETR
Source: Joe Sandbox View | IP Address: 176.53.69.151 176.53.69.151
Source: global traffic | TCP traffic: 192.168.2.5:49778 -> 176.53.69.151:587
Source: 6iCD4aFtyn.exe, 00000004.00000002.690453681.0000000002A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: 6iCD4aFtyn.exe, 00000004.00000002.690453681.0000000002A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: 6iCD4aFtyn.exe, 00000004.00000002.691001368.0000000002D76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://clnyqchZHe.org
Source: 6iCD4aFtyn.exe, 00000000.00000002.488064801.0000000006D02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: 6iCD4aFtyn.exe, 00000004.00000002.690453681.0000000002A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://kIpfke.com
Source: 6iCD4aFtyn.exe, 00000004.00000002.691015808.0000000002D7E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://webmail.eurologictics.com
Source: 6iCD4aFtyn.exe, 00000000.00000002.488064801.0000000006D02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 6iCD4aFtyn.exe, 00000000.00000002.488064801.0000000006D02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: 6iCD4aFtyn.exe, 00000000.00000002.488064801.0000000006D02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: 6iCD4aFtyn.exe, 00000000.00000002.488064801.0000000006D02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: 6iCD4aFtyn.exe, 00000000.00000002.488064801.0000000006D02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 6iCD4aFtyn.exe, 00000000.00000002.488064801.0000000006D02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 6iCD4aFtyn.exe, 00000000.00000002.488064801.0000000006D02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 6iCD4aFtyn.exe, 00000000.00000002.488064801.0000000006D02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: 6iCD4aFtyn.exe, 00000000.00000002.488064801.0000000006D02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: 6iCD4aFtyn.exe, 00000000.00000002.488064801.0000000006D02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: 6iCD4aFtyn.exe, 00000000.00000002.488064801.0000000006D02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: 6iCD4aFtyn.exe, 00000000.00000002.488064801.0000000006D02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: 6iCD4aFtyn.exe, 00000000.00000002.488064801.0000000006D02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 6iCD4aFtyn.exe, 00000000.00000002.488064801.0000000006D02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 6iCD4aFtyn.exe, 00000000.00000002.488064801.0000000006D02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 6iCD4aFtyn.exe, 00000000.00000002.488064801.0000000006D02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 6iCD4aFtyn.exe, 00000000.00000002.488064801.0000000006D02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: 6iCD4aFtyn.exe, 00000000.00000002.488064801.0000000006D02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 6iCD4aFtyn.exe, 00000000.00000002.488064801.0000000006D02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: 6iCD4aFtyn.exe, 00000000.00000002.488064801.0000000006D02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: 6iCD4aFtyn.exe, 00000000.00000002.488064801.0000000006D02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: 6iCD4aFtyn.exe, 00000000.00000002.488064801.0000000006D02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: 6iCD4aFtyn.exe, 00000000.00000002.488064801.0000000006D02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: 6iCD4aFtyn.exe, 00000000.00000002.488064801.0000000006D02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: 6iCD4aFtyn.exe, 00000000.00000002.488064801.0000000006D02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: 6iCD4aFtyn.exe, 00000004.00000002.690453681.0000000002A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: webmail.eurologictics.com

                    System Summary

Source: 4.2.6iCD4aFtyn.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.6iCD4aFtyn.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.6iCD4aFtyn.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.6iCD4aFtyn.exe.3dc6c58.9.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.6iCD4aFtyn.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.6iCD4aFtyn.exe.3d92638.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.6iCD4aFtyn.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.6iCD4aFtyn.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.6iCD4aFtyn.exe.3dc6c58.9.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.6iCD4aFtyn.exe.3dc6c58.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.6iCD4aFtyn.exe.3d5c218.7.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.6iCD4aFtyn.exe.3d5c218.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.6iCD4aFtyn.exe.3d92638.8.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.6iCD4aFtyn.exe.3d92638.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 4.0.6iCD4aFtyn.exe.400000.8.unpack, <PrivateImplementationDetails>{5464B631-C922-4939-AD5E-025E5A6CADCC}/C0BC0D32-DDEA-42DB-992A-58A14D47F9F0.cs | Large array initialization: .cctor: array initializer size 11638
Source: 4.2.6iCD4aFtyn.exe.400000.0.unpack, <PrivateImplementationDetails>{5464B631-C922-4939-AD5E-025E5A6CADCC}/C0BC0D32-DDEA-42DB-992A-58A14D47F9F0.cs | Large array initialization: .cctor: array initializer size 11638
Source: 4.0.6iCD4aFtyn.exe.400000.10.unpack, <PrivateImplementationDetails>{5464B631-C922-4939-AD5E-025E5A6CADCC}/C0BC0D32-DDEA-42DB-992A-58A14D47F9F0.cs | Large array initialization: .cctor: array initializer size 11638
Source: 4.0.6iCD4aFtyn.exe.400000.6.unpack, <PrivateImplementationDetails>{5464B631-C922-4939-AD5E-025E5A6CADCC}/C0BC0D32-DDEA-42DB-992A-58A14D47F9F0.cs | Large array initialization: .cctor: array initializer size 11638
Source: 6iCD4aFtyn.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 4.2.6iCD4aFtyn.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.6iCD4aFtyn.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.6iCD4aFtyn.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.6iCD4aFtyn.exe.3dc6c58.9.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.6iCD4aFtyn.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.6iCD4aFtyn.exe.3d92638.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.6iCD4aFtyn.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.6iCD4aFtyn.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.6iCD4aFtyn.exe.3dc6c58.9.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.6iCD4aFtyn.exe.3dc6c58.9.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.6iCD4aFtyn.exe.3d5c218.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.6iCD4aFtyn.exe.3d5c218.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.6iCD4aFtyn.exe.3d92638.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.6iCD4aFtyn.exe.3d92638.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Code function: 0_2_0112C344 | 0_2_0112C344
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Code function: 0_2_0112E710 | 0_2_0112E710
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Code function: 0_2_0112E70B | 0_2_0112E70B
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Code function: 4_2_00F9F080 | 4_2_00F9F080
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Code function: 4_2_00F9F3C8 | 4_2_00F9F3C8
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Code function: 4_2_00F96120 | 4_2_00F96120
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Code function: 4_2_05B5C480 | 4_2_05B5C480
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Code function: 4_2_05B5B730 | 4_2_05B5B730
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Code function: 4_2_05B51FF8 | 4_2_05B51FF8
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Code function: 4_2_05B50040 | 4_2_05B50040
Source: 6iCD4aFtyn.exe | Binary or memory string: OriginalFilename vs 6iCD4aFtyn.exe
Source: 6iCD4aFtyn.exe, 00000000.00000002.483558960.0000000002C71000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamejbxaxfQcGkKztzWZKRdIwKaZZYGrOShGJDAkI.exe4 vs 6iCD4aFtyn.exe
Source: 6iCD4aFtyn.exe, 00000000.00000002.484974001.0000000003D5C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamejbxaxfQcGkKztzWZKRdIwKaZZYGrOShGJDAkI.exe4 vs 6iCD4aFtyn.exe
Source: 6iCD4aFtyn.exe, 00000000.00000002.484974001.0000000003D5C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs 6iCD4aFtyn.exe
Source: 6iCD4aFtyn.exe, 00000000.00000002.490498419.0000000007400000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs 6iCD4aFtyn.exe
Source: 6iCD4aFtyn.exe, 00000004.00000000.479301572.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamejbxaxfQcGkKztzWZKRdIwKaZZYGrOShGJDAkI.exe4 vs 6iCD4aFtyn.exe
Source: 6iCD4aFtyn.exe, 00000004.00000002.689359720.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 6iCD4aFtyn.exe
Source: 6iCD4aFtyn.exe | Binary or memory string: OriginalFilenameIActivationFact.exeD vs 6iCD4aFtyn.exe
Source: 6iCD4aFtyn.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 6iCD4aFtyn.exe | Virustotal: Detection: 27%
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | File read: C:\Users\user\Desktop\6iCD4aFtyn.exe:Zone.Identifier
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\6iCD4aFtyn.exe "C:\Users\user\Desktop\6iCD4aFtyn.exe"
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Process created: C:\Users\user\Desktop\6iCD4aFtyn.exe C:\Users\user\Desktop\6iCD4aFtyn.exe
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6iCD4aFtyn.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/2
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 4.0.6iCD4aFtyn.exe.400000.8.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.6iCD4aFtyn.exe.400000.0.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.6iCD4aFtyn.exe.400000.10.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 6iCD4aFtyn.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 6iCD4aFtyn.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                    Data Obfuscation

                    Source: 6iCD4aFtyn.exe, Lucidity.WinForms/fmMain.cs.Net Code: SourceOptions contains xor as well as GetObject
                    Source: 6iCD4aFtyn.exe, Lucidity.WinForms/fmMain.cs.Net Code: IgnoredAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 0.0.6iCD4aFtyn.exe.740000.0.unpack, Lucidity.WinForms/fmMain.cs.Net Code: SourceOptions contains xor as well as GetObject
                    Source: 0.0.6iCD4aFtyn.exe.740000.0.unpack, Lucidity.WinForms/fmMain.cs.Net Code: IgnoredAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 0.2.6iCD4aFtyn.exe.740000.0.unpack, Lucidity.WinForms/fmMain.cs.Net Code: SourceOptions contains xor as well as GetObject
                    Source: 0.2.6iCD4aFtyn.exe.740000.0.unpack, Lucidity.WinForms/fmMain.cs.Net Code: IgnoredAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 4.0.6iCD4aFtyn.exe.660000.2.unpack, Lucidity.WinForms/fmMain.cs.Net Code: SourceOptions contains xor as well as GetObject
                    Source: 4.0.6iCD4aFtyn.exe.660000.2.unpack, Lucidity.WinForms/fmMain.cs.Net Code: IgnoredAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 4.0.6iCD4aFtyn.exe.660000.9.unpack, Lucidity.WinForms/fmMain.cs.Net Code: SourceOptions contains xor as well as GetObject
                    Source: 4.0.6iCD4aFtyn.exe.660000.9.unpack, Lucidity.WinForms/fmMain.cs.Net Code: IgnoredAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 4.0.6iCD4aFtyn.exe.660000.13.unpack, Lucidity.WinForms/fmMain.cs.Net Code: SourceOptions contains xor as well as GetObject
                    Source: 4.0.6iCD4aFtyn.exe.660000.13.unpack, Lucidity.WinForms/fmMain.cs.Net Code: IgnoredAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 4.0.6iCD4aFtyn.exe.660000.7.unpack, Lucidity.WinForms/fmMain.cs.Net Code: SourceOptions contains xor as well as GetObject
                    Source: 4.0.6iCD4aFtyn.exe.660000.7.unpack, Lucidity.WinForms/fmMain.cs.Net Code: IgnoredAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 4.0.6iCD4aFtyn.exe.660000.0.unpack, Lucidity.WinForms/fmMain.cs.Net Code: SourceOptions contains xor as well as GetObject
                    Source: 4.0.6iCD4aFtyn.exe.660000.0.unpack, Lucidity.WinForms/fmMain.cs.Net Code: IgnoredAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 4.0.6iCD4aFtyn.exe.660000.5.unpack, Lucidity.WinForms/fmMain.cs.Net Code: SourceOptions contains xor as well as GetObject
                    Source: 4.0.6iCD4aFtyn.exe.660000.5.unpack, Lucidity.WinForms/fmMain.cs.Net Code: IgnoredAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 4.2.6iCD4aFtyn.exe.660000.1.unpack, Lucidity.WinForms/fmMain.cs.Net Code: SourceOptions contains xor as well as GetObject
                    Source: 4.2.6iCD4aFtyn.exe.660000.1.unpack, Lucidity.WinForms/fmMain.cs.Net Code: IgnoredAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 4.0.6iCD4aFtyn.exe.660000.11.unpack, Lucidity.WinForms/fmMain.cs.Net Code: SourceOptions contains xor as well as GetObject
                    Source: 4.0.6iCD4aFtyn.exe.660000.11.unpack, Lucidity.WinForms/fmMain.cs.Net Code: IgnoredAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 4.0.6iCD4aFtyn.exe.660000.1.unpack, Lucidity.WinForms/fmMain.cs.Net Code: SourceOptions contains xor as well as GetObject
                    Source: 4.0.6iCD4aFtyn.exe.660000.1.unpack, Lucidity.WinForms/fmMain.cs.Net Code: IgnoredAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeCode function: 0_2_007440E3 push es; retf 0_2_007440E0
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeCode function: 0_2_00743C40 push es; retf 0_2_007440E0
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeCode function: 0_2_00744831 push 28060000h; ret 0_2_0074486F
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeCode function: 4_2_006640E3 push es; retf 4_2_006640E0
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeCode function: 4_2_00663C40 push es; retf 4_2_006640E0
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeCode function: 4_2_00664831 push 28060000h; ret 4_2_0066486F
                    Source: initial sampleStatic PE information: section name: .text entropy: 7.92690966454
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: Yara match File source: 00000000.00000002.483826091.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.483558960.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6iCD4aFtyn.exe PID: 4968, type: MEMORYSTR
Source: 6iCD4aFtyn.exe, 00000000.00000002.483826091.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, 6iCD4aFtyn.exe, 00000000.00000002.483558960.0000000002C71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: 6iCD4aFtyn.exe, 00000000.00000002.483826091.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, 6iCD4aFtyn.exe, 00000000.00000002.483558960.0000000002C71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe TID: 6252 Thread sleep time: -41674s >= -30000s
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe TID: 6568 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe TID: 6412 Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe TID: 6512 Thread sleep count: 4418 > 30
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe TID: 6512 Thread sleep count: 4294 > 30
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Window / User API: threadDelayed 4418
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Window / User API: threadDelayed 4294
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Thread delayed: delay time: 41674
Source: 6iCD4aFtyn.exe, 00000000.00000002.483558960.0000000002C71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 6iCD4aFtyn.exe, 00000000.00000002.483558960.0000000002C71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: 6iCD4aFtyn.exe, 00000000.00000002.483558960.0000000002C71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: 6iCD4aFtyn.exe, 00000004.00000002.689972201.0000000000D3F000.00000004.00000020.00020000.00000000.sdmp, 6iCD4aFtyn.exe, 00000004.00000003.509426217.0000000000D4A000.00000004.00000020.00020000.00000000.sdmp, 6iCD4aFtyn.exe, 00000004.00000003.509557222.0000000000D4A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 6iCD4aFtyn.exe, 00000000.00000002.483558960.0000000002C71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Process created: C:\Users\user\Desktop\6iCD4aFtyn.exe C:\Users\user\Desktop\6iCD4aFtyn.exe
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Users\user\Desktop\6iCD4aFtyn.exe VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6iCD4aFtyn.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Users\user\Desktop\6iCD4aFtyn.exe VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

Source: Yara match | File source: 4.2.6iCD4aFtyn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.6iCD4aFtyn.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.6iCD4aFtyn.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6iCD4aFtyn.exe.3dc6c58.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.6iCD4aFtyn.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6iCD4aFtyn.exe.3d92638.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.6iCD4aFtyn.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.6iCD4aFtyn.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6iCD4aFtyn.exe.3dc6c58.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6iCD4aFtyn.exe.3d5c218.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6iCD4aFtyn.exe.3d92638.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.479301572.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.478572073.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.479888823.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.688905311.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.477768887.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.484974001.0000000003D5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.690453681.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 6iCD4aFtyn.exe PID: 4968, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 6iCD4aFtyn.exe PID: 2848, type: MEMORYSTR
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\6iCD4aFtyn.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000004.00000002.690453681.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 6iCD4aFtyn.exe PID: 2848, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match | File source: 4.2.6iCD4aFtyn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.6iCD4aFtyn.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.6iCD4aFtyn.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6iCD4aFtyn.exe.3dc6c58.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.6iCD4aFtyn.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6iCD4aFtyn.exe.3d92638.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.6iCD4aFtyn.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.6iCD4aFtyn.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6iCD4aFtyn.exe.3dc6c58.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6iCD4aFtyn.exe.3d5c218.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6iCD4aFtyn.exe.3d92638.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.479301572.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.478572073.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.479888823.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.688905311.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.477768887.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.484974001.0000000003D5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.690453681.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 6iCD4aFtyn.exe PID: 4968, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 6iCD4aFtyn.exe PID: 2848, type: MEMORYSTR
MITRE ATT&CK matrix (one row per line; bracketed figures are the count badges attached to techniques in the original matrix, cells without a badge had no matching signature):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation [211] | Path Interception | Process Injection [11] | Masquerading [1] | OS Credential Dumping [2] | Query Registry [1] | Remote Services | Email Collection [1] | Exfiltration Over Other Network Medium | Encrypted Channel [1] | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools [1] | Credentials in Registry [1] | Security Software Discovery [211] | Remote Desktop Protocol | Archive Collected Data [11] | Exfiltration Over Bluetooth | Non-Standard Port [1] | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion [131] | Security Account Manager | Process Discovery [1] | SMB/Windows Admin Shares | Data from Local System [2] | Automated Exfiltration | Non-Application Layer Protocol [1] | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection [11] | NTDS | Virtualization/Sandbox Evasion [131] | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol [11] | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information [1] | LSA Secrets | Application Window Discovery [1] | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information [2] | Cached Domain Credentials | Remote System Discovery [1] | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing [13] | DCSync | System Information Discovery [114] | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label
6iCD4aFtyn.exe | 28% | Virustotal |
6iCD4aFtyn.exe | 100% | Joe Sandbox ML |
No Antivirus matches

Source | Detection | Scanner | Label
4.0.6iCD4aFtyn.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
4.2.6iCD4aFtyn.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
4.0.6iCD4aFtyn.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
4.0.6iCD4aFtyn.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
4.0.6iCD4aFtyn.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
4.0.6iCD4aFtyn.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
webmail.eurologictics.com | 176.53.69.151 | true | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
176.53.69.151 | webmail.eurologictics.com | Turkey | 42926 | RADORETR | true

Private IP: 192.168.2.1
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 604234
Start date and time: 2022-04-06 17:50:17 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 8s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 6iCD4aFtyn.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@1/2
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 0.2% (good quality ratio 0.1%)
• Quality average: 38.3%
• Quality standard deviation: 36.3%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 57
• Number of non-executed functions: 3
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 184.30.21.144
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, store-images.s-microsoft.com-c.edgekey.net, img-prod-cms-rt-microsoft-com.akamaized.net
• Not all processes were analyzed; the report is missing behavior information
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
19:51:49 | API Interceptor | 590x Sleep call for process: 6iCD4aFtyn.exe modified
Match | Associated Sample Name / URL | Detection | Context
176.53.69.151 | MENSAJE 2021.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | Documento_0501_012021.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | Datos_019_9251.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | Mensaje K-158701.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | Datos-2021-4-377562.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | PACK.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | bestand-8881014518 00944.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | pack 2254794.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | informazioni-0501-012021.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | rapport 40329241.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | Dati_012021_688_89301.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | 2199212_20210105_160680.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | ARCHIVO_FILE.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | doc_X_13536.doc | malicious | petafilm.com/wp-admin/4m/
176.53.69.151 | ytgeKMQNL2.doc | malicious | petafilm.com/wp-admin/4m/
No context
Associated Sample Name / URL | Detection | Context
RADORETR6YmzmvBuGw | malicious | 185.113.220.252
mirai.o | malicious | 185.113.220.218
http://j5.4ri.colorupboyasi.com/.19f_u3/18/2022%209:50:19%20AMfir199:50%20AM%20(%5B223ail_18o3ai50Par9:50%20AM%5D)___19f_u3/18/2022%209:50:19%20AMfir199:50%20AM%20(%5B223ail_Lo3/18/2022%209:50:19%20AMalPar9:50%20AM%5D)#.aHR0cHM6Ly9kaXNuYWtlcnRyYW5zLnR1bHVuZ2FndW5nLmdvLmlkL3dwLWltYWdlcy9JSy9vZjE/MDgzNTE5OSZlbWFpbD1qZWZmLndvcnRoQGdsb2JhbGZvdW5kcmllcy5jb20= | malicious | 185.84.180.234
xkyz4vWDB8 | malicious | 185.113.220.243
Ob6qq1yKPB | malicious | 45.84.189.178
TflzGymnV6 | malicious | 185.113.220.255
dCGcz5kbdj | malicious | 185.113.220.224
2022-03-03_1406.xlsm | malicious | 176.53.85.121
PO 03032022.xlsm | malicious | 176.53.85.121
scgFlDLeMR | malicious | 176.53.81.28
TAI55950583014524293555_202203031544.xlsm | malicious | 176.53.85.121
Latest_payment.xlsm | malicious | 176.53.85.121
DL533325233960_202203031429.xlsm | malicious | 176.53.85.121
1.xls | malicious | 176.53.85.121
Address Update.xlsm | malicious | 176.53.85.121
Latest payment.xlsm | malicious | 176.53.85.121
Electronic form.xlsm | malicious | 176.53.85.121
INVOICE 03-03-2022_1515.xlsm | malicious | 176.53.85.121
2022-03-03_0708.xlsm | malicious | 176.53.85.121
1647A698.xlsx | malicious | 2.59.117.83
                                          No context
                                          No context
                                          Process:C:\Users\user\Desktop\6iCD4aFtyn.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1308
                                          Entropy (8bit):5.345811588615766
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                          MD5:2E016B886BDB8389D2DD0867BE55F87B
                                          SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                          SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                          SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                          Malicious:true
                                          Reputation:moderate, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.910546767004328
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Windows Screen Saver (13104/52) 0.07%
                                          • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                          File name:6iCD4aFtyn.exe
                                          File size:527360
                                          MD5:a51e8dfe9b216175acbc225de1ceb0f5
                                          SHA1:36d347c6139c66656becec8bf698b1d6281b5b5f
                                          SHA256:7b29b24825a35a5d19c29cc434143b3f2937acbb86b959f86a3945f13264e84e
                                          SHA512:28c0285df3661ff2bb069f695117d0ca3e209cbde52bf0a73b71c14aad8d4db648fea11dd52b4847b5e5becafcab6509be35f1a176c594d04e80a12fd23eb48c
                                          SSDEEP:12288:RDl5+/nZTmWdqA0Ic/GNnW4KAFLqdMvgembP7fdIbtF:D5+RD4lIc/kWJgqi3/
                                          TLSH:F8B4121433F82326D8BD2BF3AC7904511BB0AA6F2861E68D8FD131EB5962740E557BD3
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Lb..............0......0........... ........@.. .......................`............@................................
                                          Icon Hash:08e0f039f8b8b802
                                          Entrypoint:0x47f6b2
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                          Time Stamp:0x624CFC95 [Wed Apr 6 02:36:05 2022 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:v4.0.30319
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Instruction
                                          jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7f660 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x80000 | 0x2a98 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x84000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x7d6b8 | 0x7d800 | False | 0.933582077938 | data | 7.92690966454 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x80000 | 0x2a98 | 0x2c00 | False | 0.892223011364 | data | 7.5588656324 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x84000 | 0xc | 0x400 | False | 0.025390625 | data | 0.0558553080537 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x80100 | 0x23e1 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_GROUP_ICON | 0x824f4 | 0x14 | data | |
RT_VERSION | 0x82518 | 0x380 | data | |
RT_MANIFEST | 0x828a8 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Zany Brainy 2011
Assembly Version | 1.0.0.0
InternalName | IActivationFact.exe
FileVersion | 1.0.0.0
CompanyName | Zany Brainy
LegalTrademarks |
Comments |
ProductName | Lucidity.WinForms
ProductVersion | 1.0.0.0
FileDescription | Lucidity.WinForms
OriginalFilename | IActivationFact.exe
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 6, 2022 19:52:07.164539099 CEST | 49778 | 587 | 192.168.2.5 | 176.53.69.151
Apr 6, 2022 19:52:07.209513903 CEST | 587 | 49778 | 176.53.69.151 | 192.168.2.5
Apr 6, 2022 19:52:07.209650040 CEST | 49778 | 587 | 192.168.2.5 | 176.53.69.151
Apr 6, 2022 19:52:07.256700993 CEST | 587 | 49778 | 176.53.69.151 | 192.168.2.5
Apr 6, 2022 19:52:07.257071972 CEST | 49778 | 587 | 192.168.2.5 | 176.53.69.151
Apr 6, 2022 19:52:07.302125931 CEST | 587 | 49778 | 176.53.69.151 | 192.168.2.5
Apr 6, 2022 19:52:07.302656889 CEST | 49778 | 587 | 192.168.2.5 | 176.53.69.151
Apr 6, 2022 19:52:07.347533941 CEST | 587 | 49778 | 176.53.69.151 | 192.168.2.5
Apr 6, 2022 19:52:07.348125935 CEST | 49778 | 587 | 192.168.2.5 | 176.53.69.151
Apr 6, 2022 19:52:07.400875092 CEST | 587 | 49778 | 176.53.69.151 | 192.168.2.5
Apr 6, 2022 19:52:07.401546955 CEST | 49778 | 587 | 192.168.2.5 | 176.53.69.151
Apr 6, 2022 19:52:07.446434021 CEST | 587 | 49778 | 176.53.69.151 | 192.168.2.5
Apr 6, 2022 19:52:07.446763039 CEST | 49778 | 587 | 192.168.2.5 | 176.53.69.151
Apr 6, 2022 19:52:07.498205900 CEST | 587 | 49778 | 176.53.69.151 | 192.168.2.5
Apr 6, 2022 19:52:07.498483896 CEST | 49778 | 587 | 192.168.2.5 | 176.53.69.151
Apr 6, 2022 19:52:07.546385050 CEST | 587 | 49778 | 176.53.69.151 | 192.168.2.5
Apr 6, 2022 19:52:07.548187017 CEST | 49778 | 587 | 192.168.2.5 | 176.53.69.151
Apr 6, 2022 19:52:07.548326015 CEST | 49778 | 587 | 192.168.2.5 | 176.53.69.151
Apr 6, 2022 19:52:07.549012899 CEST | 49778 | 587 | 192.168.2.5 | 176.53.69.151
Apr 6, 2022 19:52:07.549137115 CEST | 49778 | 587 | 192.168.2.5 | 176.53.69.151
Apr 6, 2022 19:52:07.549236059 CEST | 49778 | 587 | 192.168.2.5 | 176.53.69.151
Apr 6, 2022 19:52:07.549304962 CEST | 49778 | 587 | 192.168.2.5 | 176.53.69.151
Apr 6, 2022 19:52:07.549398899 CEST | 49778 | 587 | 192.168.2.5 | 176.53.69.151
Apr 6, 2022 19:52:07.593066931 CEST | 587 | 49778 | 176.53.69.151 | 192.168.2.5
Apr 6, 2022 19:52:07.593453884 CEST | 587 | 49778 | 176.53.69.151 | 192.168.2.5
Apr 6, 2022 19:52:07.593646049 CEST | 587 | 49778 | 176.53.69.151 | 192.168.2.5
Apr 6, 2022 19:52:07.596215963 CEST | 587 | 49778 | 176.53.69.151 | 192.168.2.5
Apr 6, 2022 19:52:07.670769930 CEST | 49778 | 587 | 192.168.2.5 | 176.53.69.151
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 6, 2022 19:52:07.060641050 CEST | 60658 | 53 | 192.168.2.5 | 8.8.8.8
Apr 6, 2022 19:52:07.131185055 CEST | 53 | 60658 | 8.8.8.8 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 6, 2022 19:52:07.060641050 CEST | 192.168.2.5 | 8.8.8.8 | 0x1cc | Standard query (0) | webmail.eurologictics.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 6, 2022 19:52:07.131185055 CEST | 8.8.8.8 | 192.168.2.5 | 0x1cc | No error (0) | webmail.eurologictics.com | | 176.53.69.151 | A (IP address) | IN (0x0001)
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 6, 2022 19:52:07.256700993 CEST | 587 | 49778 | 176.53.69.151 | 192.168.2.5 | 220 rd-prime-win.guzelhosting.com ESMTP MailEnable Service, Version: 10.34-- ready at 04/06/22 20:51:42
Apr 6, 2022 19:52:07.257071972 CEST | 49778 | 587 | 192.168.2.5 | 176.53.69.151 | EHLO 648351
Apr 6, 2022 19:52:07.302125931 CEST | 587 | 49778 | 176.53.69.151 | 192.168.2.5 | 250-guzelhosting.com [102.129.143.67], this server offers 5 extensions
    250-AUTH LOGIN
    250-SIZE 40960000
    250-HELP
    250-AUTH=LOGIN
    250 STARTTLS
Apr 6, 2022 19:52:07.302656889 CEST | 49778 | 587 | 192.168.2.5 | 176.53.69.151 | AUTH login U3VwcG9ydEBldXJvbG9naWN0aWNzLmNvbQ==
Apr 6, 2022 19:52:07.347533941 CEST | 587 | 49778 | 176.53.69.151 | 192.168.2.5 | 334 UGFzc3dvcmQ6
Apr 6, 2022 19:52:07.400875092 CEST | 587 | 49778 | 176.53.69.151 | 192.168.2.5 | 235 Authenticated
Apr 6, 2022 19:52:07.401546955 CEST | 49778 | 587 | 192.168.2.5 | 176.53.69.151 | MAIL FROM:<Support@eurologictics.com>
Apr 6, 2022 19:52:07.446434021 CEST | 587 | 49778 | 176.53.69.151 | 192.168.2.5 | 250 Requested mail action okay, completed
Apr 6, 2022 19:52:07.446763039 CEST | 49778 | 587 | 192.168.2.5 | 176.53.69.151 | RCPT TO:<asala.almosawi@anwar-alhermal.com>
Apr 6, 2022 19:52:07.498205900 CEST | 587 | 49778 | 176.53.69.151 | 192.168.2.5 | 250 Requested mail action okay, completed
Apr 6, 2022 19:52:07.498483896 CEST | 49778 | 587 | 192.168.2.5 | 176.53.69.151 | DATA
Apr 6, 2022 19:52:07.546385050 CEST | 587 | 49778 | 176.53.69.151 | 192.168.2.5 | 354 Start mail input; end with <CRLF>.<CRLF>
Apr 6, 2022 19:52:07.549398899 CEST | 49778 | 587 | 192.168.2.5 | 176.53.69.151 | .
Apr 6, 2022 19:52:07.596215963 CEST | 587 | 49778 | 176.53.69.151 | 192.168.2.5 | 250 Requested mail action okay, completed


                                          Target ID:0
                                          Start time:19:51:25
                                          Start date:06/04/2022
                                          Path:C:\Users\user\Desktop\6iCD4aFtyn.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\6iCD4aFtyn.exe"
                                          Imagebase:0x740000
                                          File size:527360 bytes
                                          MD5 hash:A51E8DFE9B216175ACBC225DE1CEB0F5
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.483826091.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.483558960.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.484974001.0000000003D5C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.484974001.0000000003D5C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low

                                          Target ID:4
                                          Start time:19:51:51
                                          Start date:06/04/2022
                                          Path:C:\Users\user\Desktop\6iCD4aFtyn.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\Desktop\6iCD4aFtyn.exe
                                          Imagebase:0x660000
                                          File size:527360 bytes
                                          MD5 hash:A51E8DFE9B216175ACBC225DE1CEB0F5
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.479301572.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.479301572.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.478572073.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.478572073.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.690453681.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.690453681.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.479888823.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.479888823.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.688905311.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.688905311.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.477768887.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.477768887.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low


                                            Execution Graph

                                            Execution Coverage:10.6%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:95
                                            Total number of Limit Nodes:3
                                            execution_graph 11640 11240d0 11641 11240e2 11640->11641 11642 11240ee 11641->11642 11646 11241e3 11641->11646 11651 1123880 11642->11651 11644 112410d 11647 1124205 11646->11647 11655 11242e0 11647->11655 11659 11242d7 11647->11659 11652 112388b 11651->11652 11667 112581c 11652->11667 11654 1126a3b 11654->11644 11656 1124307 11655->11656 11657 11243e4 11656->11657 11663 1123e08 11656->11663 11660 1124307 11659->11660 11661 1123e08 CreateActCtxA 11660->11661 11662 11243e4 11660->11662 11661->11662 11664 1125370 CreateActCtxA 11663->11664 11666 1125433 11664->11666 11668 1125827 11667->11668 11671 112583c 11668->11671 11670 1126bcd 11670->11654 11672 1125847 11671->11672 11675 112586c 11672->11675 11674 1126ca2 11674->11670 11676 1125877 11675->11676 11679 112589c 11676->11679 11678 1126da2 11678->11674 11680 11258a7 11679->11680 11682 11274be 11680->11682 11686 1129403 11680->11686 11681 11274fc 11681->11678 11682->11681 11690 112b560 11682->11690 11695 112b557 11682->11695 11700 1129438 11686->11700 11703 1129429 11686->11703 11687 1129416 11687->11682 11691 112b581 11690->11691 11692 112b5a5 11691->11692 11724 112b710 11691->11724 11728 112b6ff 11691->11728 11692->11681 11696 112b581 11695->11696 11697 112b5a5 11696->11697 11698 112b710 LoadLibraryExW 11696->11698 11699 112b6ff LoadLibraryExW 11696->11699 11697->11681 11698->11697 11699->11697 11707 1129530 11700->11707 11701 1129447 11701->11687 11704 1129438 11703->11704 11706 1129530 LoadLibraryExW 11704->11706 11705 1129447 11705->11687 11706->11705 11708 1129543 11707->11708 11709 1129553 11708->11709 11712 11297b3 11708->11712 11716 11297b8 11708->11716 11709->11701 11714 11297b8 11712->11714 11713 11297f1 11713->11709 11714->11713 11720 1128a90 11714->11720 11717 11297cc 11716->11717 11718 11297f1 11717->11718 11719 1128a90 LoadLibraryExW 11717->11719 11718->11709 11719->11718 11721 1129998 LoadLibraryExW 11720->11721 11723 1129a11 11721->11723 11723->11713 11725 112b71d 11724->11725 11726 112b757 11725->11726 11732 112abd4 11725->11732 11726->11692 11729 112b71d 11728->11729 11730 112b757 11729->11730 11731 112abd4 LoadLibraryExW 11729->11731 11730->11692 11731->11730 11733 112abdf 11732->11733 11734 112c048 11733->11734 11736 112acbc 11733->11736 11737 112acc7 11736->11737 11738 112589c LoadLibraryExW 11737->11738 11739 112c4b7 11738->11739 11742 112de48 11739->11742 11740 112c4f0 11740->11734 11744 112dec5 11742->11744 11745 112de79 11742->11745 11743 112de85 11743->11740 11744->11740 11745->11743 11746 112e6c3 LoadLibraryExW 11745->11746 11747 112e6c8 LoadLibraryExW 11745->11747 11746->11744 11747->11744 11748 11297ab 11749 1129741 GetModuleHandleW 11748->11749 11750 1129785 11749->11750 11751 112b828 11752 112b88e 11751->11752 11756 112b9db 11752->11756 11759 112b9e8 11752->11759 11753 112b93d 11762 112ac5c 11756->11762 11760 112ba16 11759->11760 11761 112ac5c DuplicateHandle 11759->11761 11760->11753 11761->11760 11763 112ba50 DuplicateHandle 11762->11763 11764 112ba16 11763->11764 11764->11753

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 0 1123e08-1125431 CreateActCtxA 3 1125433-1125439 0->3 4 112543a-1125494 0->4 3->4 11 11254a3-11254a7 4->11 12 1125496-1125499 4->12 13 11254b8 11->13 14 11254a9-11254b5 11->14 12->11 16 11254b9 13->16 14->13 16->16
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 01125421
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.483073756.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1120000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 802343a78115722a2119861c2b466fb5be55b3670219922ddf882d947ee417b9
                                            • Instruction ID: 0d6a0584d2b1b0bca228af5e14c25026f4dcffa520881c936922a8ad77f82361
                                            • Opcode Fuzzy Hash: 802343a78115722a2119861c2b466fb5be55b3670219922ddf882d947ee417b9
                                            • Instruction Fuzzy Hash: 9B41E571D00668CFDB14CFA9C884BDDBBB5BF49308F10846AD409AB251D7756946CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 17 1125367-1125431 CreateActCtxA 19 1125433-1125439 17->19 20 112543a-1125494 17->20 19->20 27 11254a3-11254a7 20->27 28 1125496-1125499 20->28 29 11254b8 27->29 30 11254a9-11254b5 27->30 28->27 32 11254b9 29->32 30->29 32->32
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 01125421
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.483073756.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1120000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 9f52a2dd9ab6f467e4655617b443f4df32dafc0ddc2994e71a148b75e22954d5
                                            • Instruction ID: bbd2abe7fde4464baa62e94cf1c7f302dd5103e1ba3ff3b68b0a4699a5470de1
                                            • Opcode Fuzzy Hash: 9f52a2dd9ab6f467e4655617b443f4df32dafc0ddc2994e71a148b75e22954d5
                                            • Instruction Fuzzy Hash: 8741E271D00669CFDB14CFA9C884BCDBBB6BF48308F24846AD409AB251DB755946CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 33 112ac5c-112bae4 DuplicateHandle 35 112bae6-112baec 33->35 36 112baed-112bb0a 33->36 35->36
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0112BA16,?,?,?,?,?), ref: 0112BAD7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.483073756.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1120000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 4e6c8c3513b968200b1cf3067108c1da0101b65002cf29f98d1c40a9932ae219
                                            • Instruction ID: 5629ce71aa71bec073b0bad8194397b34e5a435c8baaa314cf77f4e806bda0a8
                                            • Opcode Fuzzy Hash: 4e6c8c3513b968200b1cf3067108c1da0101b65002cf29f98d1c40a9932ae219
                                            • Instruction Fuzzy Hash: 5921E3B5900219AFDB10CFA9D984ADEBBF8FB48320F14842AE915B3350D374A954CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 39 112ba4b 40 112ba50-112bae4 DuplicateHandle 39->40 41 112bae6-112baec 40->41 42 112baed-112bb0a 40->42 41->42
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0112BA16,?,?,?,?,?), ref: 0112BAD7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.483073756.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1120000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: d744bf79080899849c82dc5bfbc4406ee5b3606a95cf70a0413395cc71cae28e
                                            • Instruction ID: 42e9317c247deb438bfaaec60b7e4f2e6e49d05e4f3a79c174d9f8115f01f007
                                            • Opcode Fuzzy Hash: d744bf79080899849c82dc5bfbc4406ee5b3606a95cf70a0413395cc71cae28e
                                            • Instruction Fuzzy Hash: 2721E4B5900219AFDB10CFA9D984ADEBBF8FB48324F14841AE914B3350C374A954CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 45 1128a90-11299d8 47 11299e0-1129a0f LoadLibraryExW 45->47 48 11299da-11299dd 45->48 49 1129a11-1129a17 47->49 50 1129a18-1129a35 47->50 48->47 49->50
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011297F1,00000800,00000000,00000000), ref: 01129A02
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.483073756.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1120000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: f69a70b3c0f423e80117e4abfb8ed7dbc877029f20728fe3eafa61c4ed75de53
                                            • Instruction ID: 7baec3fa2f22c41062d635e33da4672af01051e9431cc68876ba2e7dd13e9f77
                                            • Opcode Fuzzy Hash: f69a70b3c0f423e80117e4abfb8ed7dbc877029f20728fe3eafa61c4ed75de53
                                            • Instruction Fuzzy Hash: E61112B6D003199FDB14CF9AC444ADEFBF8EB88324F14842AE919B7600C375A945CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 53 1129993-11299d8 55 11299e0-1129a0f LoadLibraryExW 53->55 56 11299da-11299dd 53->56 57 1129a11-1129a17 55->57 58 1129a18-1129a35 55->58 56->55 57->58
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011297F1,00000800,00000000,00000000), ref: 01129A02
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.483073756.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1120000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 822b4eefe4bfad62446453f97a0862ab302245d575d4a480bc5720711ebfe2c1
                                            • Instruction ID: 96bff4a91db40d00b1c1e60a2908f0d5ebb26f1c995c75e55be77a88de29811b
                                            • Opcode Fuzzy Hash: 822b4eefe4bfad62446453f97a0862ab302245d575d4a480bc5720711ebfe2c1
                                            • Instruction Fuzzy Hash: 1A11E4B6D002599FDB14CF9AC444ADEFBF8EB88364F14842AD519B7600C375A945CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 61 112970b-1129750 63 1129752-1129755 61->63 64 1129758-1129783 GetModuleHandleW 61->64 63->64 65 1129785-112978b 64->65 66 112978c-11297a0 64->66 65->66
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 01129776
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.483073756.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1120000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: b3f6302bd23075efb2512a286a78c05a7578346edec37665830e3b8989bcb1ee
                                            • Instruction ID: a08386ea3d75112f5b1de31812c5ea14393150f6b80fe51c9056a2d7fd47dc91
                                            • Opcode Fuzzy Hash: b3f6302bd23075efb2512a286a78c05a7578346edec37665830e3b8989bcb1ee
                                            • Instruction Fuzzy Hash: 461102B6C006598FDB14CF9AC444BDEFBF8EF89224F14852AD929B7600C375A545CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 68 1129710-1129750 69 1129752-1129755 68->69 70 1129758-1129783 GetModuleHandleW 68->70 69->70 71 1129785-112978b 70->71 72 112978c-11297a0 70->72 71->72
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 01129776
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.483073756.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1120000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 702fe7cea1428cafddd159e4a892c1acde10f6218b1439742730578dd25e2640
                                            • Instruction ID: ec5d682725e04b6b6905a7c7a0863a03bf4237134e0e3b947e082748a32df0ed
                                            • Opcode Fuzzy Hash: 702fe7cea1428cafddd159e4a892c1acde10f6218b1439742730578dd25e2640
                                            • Instruction Fuzzy Hash: D4110FB6C006598FDB14CF9AC444ADEFBF8EF89224F14842AD929B7600C375A545CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 74 11297ab-11297b0 GetModuleHandleW 76 1129785-112978b 74->76 77 112978c-11297a0 74->77 76->77
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 01129776
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.483073756.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1120000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 7e2976ff7a56d61d2dec19f641d10d17c42372122fb404bbbb24e869e7456649
                                            • Instruction ID: b879f45dfc8e88be28ed58acd37c10200055d187ada9197415b0af815d5e6371
                                            • Opcode Fuzzy Hash: 7e2976ff7a56d61d2dec19f641d10d17c42372122fb404bbbb24e869e7456649
                                            • Instruction Fuzzy Hash: 28F0DC76808B988FDB218F99D4413C9BFF0EF56328F18858AC599BB443C338210ACF52
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.483073756.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1120000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1cd4f081cabd67839bd90305e8e981726f80cc6f4a689b8c1001e9b96bcf4f85
                                            • Instruction ID: b6c4292b831d04c7ba35ab08c2a31373075f54f8cc2cc4dbf5f4271f6c1e2f45
                                            • Opcode Fuzzy Hash: 1cd4f081cabd67839bd90305e8e981726f80cc6f4a689b8c1001e9b96bcf4f85
                                            • Instruction Fuzzy Hash: BE12E6B14037668BE3B8CF65E8886893B73B741329B914329D2711FAD9D7B411C6CF86
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.483073756.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1120000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4be37259f900b920b94989dccdb3aa8c422d9af1cb82f2454556427991131b2c
                                            • Instruction ID: dd8a1037f6f4068806baf3eb2cba2ece20024ee857ea96a6293b2671e18a9f6c
                                            • Opcode Fuzzy Hash: 4be37259f900b920b94989dccdb3aa8c422d9af1cb82f2454556427991131b2c
                                            • Instruction Fuzzy Hash: 15A18232E0061A8FCF09DFB5D8445DEBBB2FF85300B15856AE905BB261EB719955CB80
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.483073756.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1120000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 26dfb5e1face34f8eddea7955b22c67fc008e2974eb1eb0672748bbdb209ad86
                                            • Instruction ID: f6ed183ced003298e07fa8539eb64134455781e48fa27c56fa435e1f68bbf899
                                            • Opcode Fuzzy Hash: 26dfb5e1face34f8eddea7955b22c67fc008e2974eb1eb0672748bbdb209ad86
                                            • Instruction Fuzzy Hash: 3AC14BB18137268BD7A8CF65E8886893B73BB85328F514329D2712F6D8D7B414C6CF85
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Execution Graph

                                            Execution Coverage:22.9%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:323
                                            Total number of Limit Nodes:1
                                            execution_graph 27412 f9add0 27413 f9adee 27412->27413 27416 f99dc0 27413->27416 27415 f9ae25 27417 f9c8f0 LoadLibraryA 27416->27417 27419 f9c9cc 27417->27419 27420 f94540 27421 f94554 27420->27421 27424 f9478a 27421->27424 27422 f9455d 27425 f94793 27424->27425 27430 f9496c 27424->27430 27435 f94986 27424->27435 27440 f94870 27424->27440 27445 f9485f 27424->27445 27425->27422 27431 f9491f 27430->27431 27432 f949ab 27431->27432 27450 f94c78 27431->27450 27455 f94c67 27431->27455 27436 f94999 27435->27436 27437 f949ab 27435->27437 27438 f94c78 2 API calls 27436->27438 27439 f94c67 2 API calls 27436->27439 27438->27437 27439->27437 27441 f948b4 27440->27441 27442 f949ab 27441->27442 27443 f94c78 2 API calls 27441->27443 27444 f94c67 2 API calls 27441->27444 27443->27442 27444->27442 27446 f948b4 27445->27446 27447 f949ab 27446->27447 27448 f94c78 2 API calls 27446->27448 27449 f94c67 2 API calls 27446->27449 27448->27447 27449->27447 27451 f94c86 27450->27451 27460 f94cb9 27451->27460 27464 f94cc8 27451->27464 27452 f94c96 27452->27432 27456 f94c86 27455->27456 27458 f94cb9 RtlEncodePointer 27456->27458 27459 f94cc8 RtlEncodePointer 27456->27459 27457 f94c96 27457->27432 27458->27457 27459->27457 27461 f94d02 27460->27461 27462 f94d2c RtlEncodePointer 27461->27462 27463 f94d55 27461->27463 27462->27463 27463->27452 27465 f94d02 27464->27465 27466 f94d2c RtlEncodePointer 27465->27466 27467 f94d55 27465->27467 27466->27467 27467->27452 27468 5b561e8 27470 5b561f1 27468->27470 27469 5b562ed 27470->27469 27473 5b562f8 27470->27473 27520 5b56308 27470->27520 27474 5b56327 27473->27474 27475 5b5634f 27474->27475 27567 5b57835 27474->27567 27575 5b570ca 27474->27575 27583 5b57b4b 27474->27583 27587 5b578c9 27474->27587 27593 5b576c9 27474->27593 27601 5b5714f 27474->27601 27609 5b57ac3 27474->27609 27613 5b573c5 27474->27613 27621 5b5795d 27474->27621 27627 5b57bd3 27474->27627 27631 5b57453 27474->27631 27639 5b57757 27474->27639 27647 5b571d4 27474->27647 27655 5b577eb 27474->27655 27663 5b57262 27474->27663 27671 5b57062 27474->27671 27679 5b574e1 27474->27679 27687 5b57566 27474->27687 27695 5b57a79 27474->27695 27699 5b5737e 27474->27699 27707 5b5787f 27474->27707 27713 5b572f0 27474->27713 27721 5b579f1 27474->27721 27727 5b575f4 27474->27727 27735 5b57108 27474->27735 27743 5b5740c 27474->27743 27751 5b57b0d 27474->27751 27755 5b5718d 27474->27755 27763 5b57682 27474->27763 27771 5b57083 27474->27771 27779 5b5749a 27474->27779 27787 5b5721b 27474->27787 27795 5b5751f 27474->27795 27803 5b57c1d 27474->27803 27807 5b57913 27474->27807 27813 5b57710 27474->27813 27821 5b57b95 27474->27821 27825 5b572a9 27474->27825 27833 5b575ad 27474->27833 27841 5b577a1 27474->27841 27849 5b579a7 27474->27849 27855 5b57a3b 27474->27855 27861 5b5763b 27474->27861 27869 5b57337 27474->27869 27521 5b56327 27520->27521 27522 5b5634f 27521->27522 27523 5b57835 3 API calls 27521->27523 27524 5b57337 3 API calls 27521->27524 27525 5b5763b 3 API calls 27521->27525 27526 5b57a3b 2 API calls 27521->27526 27527 5b579a7 2 API calls 27521->27527 27528 5b577a1 3 API calls 27521->27528 27529 5b575ad 3 API calls 27521->27529 27530 5b572a9 3 API calls 27521->27530 27531 5b57b95 KiUserExceptionDispatcher 27521->27531 27532 5b57710 3 API calls 27521->27532 27533 5b57913 2 API calls 27521->27533 27534 5b57c1d KiUserExceptionDispatcher 27521->27534 27535 5b5751f 3 API calls 27521->27535 27536 5b5721b 3 API calls 27521->27536 27537 5b5749a 3 API calls 27521->27537 27538 5b57083 3 API calls 27521->27538 27539 5b57682 3 API calls 27521->27539 27540 5b5718d 3 API calls 27521->27540 27541 5b57b0d KiUserExceptionDispatcher 27521->27541 27542 5b5740c 3 API calls 27521->27542 27543 5b57108 3 API calls 27521->27543 27544 5b575f4 3 API calls 27521->27544 27545 5b579f1 2 API calls 27521->27545 27546 5b572f0 3 API calls 27521->27546 27547 5b5787f 2 API calls 27521->27547 27548 5b5737e 3 API calls 27521->27548 27549 5b57a79 KiUserExceptionDispatcher 27521->27549 27550 5b57566 3 API calls 27521->27550 27551 5b574e1 3 API calls 27521->27551 27552 5b57062 3 API calls 27521->27552 27553 5b57262 3 API calls 27521->27553 27554 5b577eb 3 API calls 27521->27554 27555 5b571d4 3 API calls 27521->27555 27556 5b57757 3 API calls 27521->27556 27557 5b57453 3 API calls 27521->27557 27558 5b57bd3 KiUserExceptionDispatcher 27521->27558 27559 5b5795d 2 API calls 27521->27559 27560 5b573c5 3 API calls 27521->27560 27561 5b57ac3 KiUserExceptionDispatcher 27521->27561 27562 5b5714f 3 API calls 27521->27562 27563 5b576c9 3 API calls 27521->27563 27564 5b578c9 2 API calls 27521->27564 27565 5b57b4b KiUserExceptionDispatcher 27521->27565 27566 5b570ca 3 API calls 27521->27566 27523->27522 27524->27522 27525->27522 27526->27522 27527->27522 27528->27522 27529->27522 27530->27522 27531->27522 27532->27522 27533->27522 27534->27522 27535->27522 27536->27522 27537->27522 27538->27522 27539->27522 27540->27522 27541->27522 27542->27522 27543->27522 27544->27522 27545->27522 27546->27522 27547->27522 27548->27522 27549->27522 27550->27522 27551->27522 27552->27522 27553->27522 27554->27522 27555->27522 27556->27522 27557->27522 27558->27522 27559->27522 27560->27522 27561->27522 27562->27522 27563->27522 27564->27522 27565->27522 27566->27522 27568 5b57847 KiUserExceptionDispatcher 27567->27568 27570 5b5787d KiUserExceptionDispatcher 27568->27570 27572 5b57a77 KiUserExceptionDispatcher 27570->27572 27574 5b57c62 27572->27574 27574->27475 27576 5b570dc 27575->27576 27577 5b5785e KiUserExceptionDispatcher 27576->27577 27578 5b5787d KiUserExceptionDispatcher 27577->27578 27580 5b57a77 KiUserExceptionDispatcher 27578->27580 27582 5b57c62 27580->27582 27582->27475 27584 5b57b5d KiUserExceptionDispatcher 27583->27584 27586 5b57c62 27584->27586 27586->27475 27588 5b578db KiUserExceptionDispatcher 27587->27588 27590 5b57a77 KiUserExceptionDispatcher 27588->27590 27592 5b57c62 27590->27592 27592->27475 27594 5b576db 27593->27594 27595 5b5785e KiUserExceptionDispatcher 27594->27595 27596 5b5787d KiUserExceptionDispatcher 27595->27596 27598 5b57a77 KiUserExceptionDispatcher 27596->27598 27600 5b57c62 27598->27600 27600->27475 27602 5b57161 27601->27602 27603 5b5785e KiUserExceptionDispatcher 27602->27603 27604 5b5787d KiUserExceptionDispatcher 27603->27604 27606 5b57a77 KiUserExceptionDispatcher 27604->27606 27608 5b57c62 27606->27608 27608->27475 27610 5b57ad5 KiUserExceptionDispatcher 27609->27610 27612 5b57c62 27610->27612 27612->27475 27614 5b573d7 27613->27614 27615 5b5785e KiUserExceptionDispatcher 27614->27615 27616 5b5787d KiUserExceptionDispatcher 27615->27616 27618 5b57a77 KiUserExceptionDispatcher 27616->27618 27620 5b57c62 27618->27620 27620->27475 27622 5b5796f KiUserExceptionDispatcher 27621->27622 27624 5b57a77 KiUserExceptionDispatcher 27622->27624 27626 5b57c62 27624->27626 27626->27475 27628 5b57be5 KiUserExceptionDispatcher 27627->27628 27630 5b57c62 27628->27630 27630->27475 27632 5b57465 27631->27632 27633 5b5785e KiUserExceptionDispatcher 27632->27633 27634 5b5787d KiUserExceptionDispatcher 27633->27634 27636 5b57a77 KiUserExceptionDispatcher 27634->27636 27638 5b57c62 27636->27638 27638->27475 27640 5b57769 KiUserExceptionDispatcher 27639->27640 27642 5b5787d KiUserExceptionDispatcher 27640->27642 27644 5b57a77 KiUserExceptionDispatcher 27642->27644 27646 5b57c62 27644->27646 27646->27475 27648 5b571e6 27647->27648 27649 5b5785e KiUserExceptionDispatcher 27648->27649 27650 5b5787d KiUserExceptionDispatcher 27649->27650 27652 5b57a77 KiUserExceptionDispatcher 27650->27652 27654 5b57c62 27652->27654 27654->27475 27656 5b577fd KiUserExceptionDispatcher 27655->27656 27658 5b5787d KiUserExceptionDispatcher 27656->27658 27660 5b57a77 KiUserExceptionDispatcher 27658->27660 27662 5b57c62 27660->27662 27662->27475 27664 5b57274 27663->27664 27665 5b5785e KiUserExceptionDispatcher 27664->27665 27666 5b5787d KiUserExceptionDispatcher 27665->27666 27668 5b57a77 KiUserExceptionDispatcher 27666->27668 27670 5b57c62 27668->27670 27670->27475 27672 5b57068 27671->27672 27673 5b5785e KiUserExceptionDispatcher 27672->27673 27674 5b5787d KiUserExceptionDispatcher 27673->27674 27676 5b57a77 KiUserExceptionDispatcher 27674->27676 27678 5b57c62 27676->27678 27678->27475 27680 5b574f3 27679->27680 27681 5b5785e KiUserExceptionDispatcher 27680->27681 27682 5b5787d KiUserExceptionDispatcher 27681->27682 27684 5b57a77 KiUserExceptionDispatcher 27682->27684 27686 5b57c62 27684->27686 27686->27475 27688 5b57578 27687->27688 27689 5b5785e KiUserExceptionDispatcher 27688->27689 27690 5b5787d KiUserExceptionDispatcher 27689->27690 27692 5b57a77 KiUserExceptionDispatcher 27690->27692 27694 5b57c62 27692->27694 27694->27475 27696 5b57a8b KiUserExceptionDispatcher 27695->27696 27698 5b57c62 27696->27698 27698->27475 27700 5b57390 27699->27700 27701 5b5785e KiUserExceptionDispatcher 27700->27701 27702 5b5787d KiUserExceptionDispatcher 27701->27702 27704 5b57a77 KiUserExceptionDispatcher 27702->27704 27706 5b57c62 27704->27706 27706->27475 27708 5b57891 KiUserExceptionDispatcher 27707->27708 27710 5b57a77 KiUserExceptionDispatcher 27708->27710 27712 5b57c62 27710->27712 27712->27475 27714 5b57302 27713->27714 27715 5b5785e KiUserExceptionDispatcher 27714->27715 27716 5b5787d KiUserExceptionDispatcher 27715->27716 27718 5b57a77 KiUserExceptionDispatcher 27716->27718 27720 5b57c62 27718->27720 27720->27475 27722 5b57a03 KiUserExceptionDispatcher 27721->27722 27724 5b57a77 KiUserExceptionDispatcher 27722->27724 27726 5b57c62 27724->27726 27726->27475 27728 5b57606 27727->27728 27729 5b5785e KiUserExceptionDispatcher 27728->27729 27730 5b5787d KiUserExceptionDispatcher 27729->27730 27732 5b57a77 KiUserExceptionDispatcher 27730->27732 27734 5b57c62 27732->27734 27734->27475 27736 5b5711a 27735->27736 27737 5b5785e KiUserExceptionDispatcher 27736->27737 27738 5b5787d KiUserExceptionDispatcher 27737->27738 27740 5b57a77 KiUserExceptionDispatcher 27738->27740 27742 5b57c62 27740->27742 27742->27475 27744 5b5741e 27743->27744 27745 5b5785e KiUserExceptionDispatcher 27744->27745 27746 5b5787d KiUserExceptionDispatcher 27745->27746 27748 5b57a77 KiUserExceptionDispatcher 27746->27748 27750 5b57c62 27748->27750 27750->27475 27752 5b57b1f KiUserExceptionDispatcher 27751->27752 27754 5b57c62 27752->27754 27754->27475 27756 5b5719f 27755->27756 27757 5b5785e KiUserExceptionDispatcher 27756->27757 27758 5b5787d KiUserExceptionDispatcher 27757->27758 27760 5b57a77 KiUserExceptionDispatcher 27758->27760 27762 5b57c62 27760->27762 27762->27475 27764 5b57694 27763->27764 27765 5b5785e KiUserExceptionDispatcher 27764->27765 27766 5b5787d KiUserExceptionDispatcher 27765->27766 27768 5b57a77 KiUserExceptionDispatcher 27766->27768 27770 5b57c62 27768->27770 27770->27475 27772 5b57095 27771->27772 27773 5b5785e KiUserExceptionDispatcher 27772->27773 27774 5b5787d KiUserExceptionDispatcher 27773->27774 27776 5b57a77 KiUserExceptionDispatcher 27774->27776 27778 5b57c62 27776->27778 27778->27475 27780 5b574ac 27779->27780 27781 5b5785e KiUserExceptionDispatcher 27780->27781 27782 5b5787d KiUserExceptionDispatcher 27781->27782 27784 5b57a77 KiUserExceptionDispatcher 27782->27784 27786 5b57c62 27784->27786 27786->27475 27788 5b5722d 27787->27788 27789 5b5785e KiUserExceptionDispatcher 27788->27789 27790 5b5787d KiUserExceptionDispatcher 27789->27790 27792 5b57a77 KiUserExceptionDispatcher 27790->27792 27794 5b57c62 27792->27794 27794->27475 27796 5b57531 27795->27796 27797 5b5785e KiUserExceptionDispatcher 27796->27797 27798 5b5787d KiUserExceptionDispatcher 27797->27798 27800 5b57a77 KiUserExceptionDispatcher 27798->27800 27802 5b57c62 27800->27802 27802->27475 27804 5b57c2f KiUserExceptionDispatcher 27803->27804 27806 5b57c62 27804->27806 27806->27475 27808 5b57925 KiUserExceptionDispatcher 27807->27808 27810 5b57a77 KiUserExceptionDispatcher 27808->27810 27812 5b57c62 27810->27812 27812->27475 27814 5b57722 27813->27814 27815 
5b5785e KiUserExceptionDispatcher 27814->27815 27816 5b5787d KiUserExceptionDispatcher 27815->27816 27818 5b57a77 KiUserExceptionDispatcher 27816->27818 27820 5b57c62 27818->27820 27820->27475 27822 5b57ba7 KiUserExceptionDispatcher 27821->27822 27824 5b57c62 27822->27824 27824->27475 27826 5b572bb 27825->27826 27827 5b5785e KiUserExceptionDispatcher 27826->27827 27828 5b5787d KiUserExceptionDispatcher 27827->27828 27830 5b57a77 KiUserExceptionDispatcher 27828->27830 27832 5b57c62 27830->27832 27832->27475 27834 5b575bf 27833->27834 27835 5b5785e KiUserExceptionDispatcher 27834->27835 27836 5b5787d KiUserExceptionDispatcher 27835->27836 27838 5b57a77 KiUserExceptionDispatcher 27836->27838 27840 5b57c62 27838->27840 27840->27475 27842 5b577b3 KiUserExceptionDispatcher 27841->27842 27844 5b5787d KiUserExceptionDispatcher 27842->27844 27846 5b57a77 KiUserExceptionDispatcher 27844->27846 27848 5b57c62 27846->27848 27848->27475 27850 5b579b9 KiUserExceptionDispatcher 27849->27850 27852 5b57a77 KiUserExceptionDispatcher 27850->27852 27854 5b57c62 27852->27854 27854->27475 27856 5b57a4d KiUserExceptionDispatcher 27855->27856 27858 5b57a77 KiUserExceptionDispatcher 27856->27858 27860 5b57c62 27858->27860 27860->27475 27862 5b5764d 27861->27862 27863 5b5785e KiUserExceptionDispatcher 27862->27863 27864 5b5787d KiUserExceptionDispatcher 27863->27864 27866 5b57a77 KiUserExceptionDispatcher 27864->27866 27868 5b57c62 27866->27868 27868->27475 27870 5b57349 27869->27870 27871 5b5785e KiUserExceptionDispatcher 27870->27871 27872 5b5787d KiUserExceptionDispatcher 27871->27872 27874 5b57a77 KiUserExceptionDispatcher 27872->27874 27876 5b57c62 27874->27876 27876->27475

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 250 5b57083-5b576a8 395 5b576a8 call 5b5f192 250->395 396 5b576a8 call 5b5f198 250->396 320 5b576ae-5b576ef 397 5b576ef call 5b5f914 320->397 398 5b576ef call 5b5f677 320->398 399 5b576ef call 5b5f192 320->399 400 5b576ef call 5b5fa6f 320->400 401 5b576ef call 5b5f198 320->401 323 5b576f5-5b57736 393 5b57736 call 5b5fb30 323->393 394 5b57736 call 5b5fad0 323->394 326 5b5773c-5b57d78 KiUserExceptionDispatcher * 3 390 5b57d7e-5b57dcf 326->390 393->326 394->326 395->320 396->320 397->323 398->323 399->323 400->323 401->323
                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 81a3c865ab8abb0a3b5a6bda4b39e6b0e6e9deeaa663a4485d70895ce8aec31a
                                            • Instruction ID: 500e75551672c509e63d6a078004c6981466340688290c7ca917a2b97058f715
                                            • Opcode Fuzzy Hash: 81a3c865ab8abb0a3b5a6bda4b39e6b0e6e9deeaa663a4485d70895ce8aec31a
                                            • Instruction Fuzzy Hash: D102B638A45258CFCB65EF20D98CA99B7B2FF49355F1041E9DA0A67340CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 98 5b57062-5b576a8 241 5b576a8 call 5b5f192 98->241 242 5b576a8 call 5b5f198 98->242 168 5b576ae-5b576ef 243 5b576ef call 5b5f914 168->243 244 5b576ef call 5b5f677 168->244 245 5b576ef call 5b5f192 168->245 246 5b576ef call 5b5fa6f 168->246 247 5b576ef call 5b5f198 168->247 171 5b576f5-5b57736 248 5b57736 call 5b5fb30 171->248 249 5b57736 call 5b5fad0 171->249 174 5b5773c-5b57d78 KiUserExceptionDispatcher * 3 238 5b57d7e-5b57dcf 174->238 241->168 242->168 243->171 244->171 245->171 246->171 247->171 248->174 249->174
                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 0f5a4919da5ee8039d6dc9f755de11afaae1ff9c5c9332c0379b44e6574a3903
                                            • Instruction ID: d35c30016a41be39f101a4f45c9945fe9d0c2e52d29474c6fbdac475d931d006
                                            • Opcode Fuzzy Hash: 0f5a4919da5ee8039d6dc9f755de11afaae1ff9c5c9332c0379b44e6574a3903
                                            • Instruction Fuzzy Hash: 8002C738A45258CFCB65EF20D98CA99B7B2FF49356F1041E9DA0A67340CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 402 5b570ca-5b576a8 542 5b576a8 call 5b5f192 402->542 543 5b576a8 call 5b5f198 402->543 469 5b576ae-5b576ef 544 5b576ef call 5b5f914 469->544 545 5b576ef call 5b5f677 469->545 546 5b576ef call 5b5f192 469->546 547 5b576ef call 5b5fa6f 469->547 548 5b576ef call 5b5f198 469->548 472 5b576f5-5b57736 549 5b57736 call 5b5fb30 472->549 550 5b57736 call 5b5fad0 472->550 475 5b5773c-5b57d78 KiUserExceptionDispatcher * 3 539 5b57d7e-5b57dcf 475->539 542->469 543->469 544->472 545->472 546->472 547->472 548->472 549->475 550->475
                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: e2cc6bd683ea022cf100c00f84e02613fad8ed51a2b29e80c9b6b0823abd0c4e
                                            • Instruction ID: 4dcbf38ea4cfdc5953c47d3123ab6968fd7ad840d8cc9164c95538a0e8ec9ebf
                                            • Opcode Fuzzy Hash: e2cc6bd683ea022cf100c00f84e02613fad8ed51a2b29e80c9b6b0823abd0c4e
                                            • Instruction Fuzzy Hash: 0D02B638A45258CFCB65EF20D98CA99B7B2FF49356F1041E9DA0A67340CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 551 5b57108-5b576a8 688 5b576a8 call 5b5f192 551->688 689 5b576a8 call 5b5f198 551->689 615 5b576ae-5b576ef 690 5b576ef call 5b5f914 615->690 691 5b576ef call 5b5f677 615->691 692 5b576ef call 5b5f192 615->692 693 5b576ef call 5b5fa6f 615->693 694 5b576ef call 5b5f198 615->694 618 5b576f5-5b57736 695 5b57736 call 5b5fb30 618->695 696 5b57736 call 5b5fad0 618->696 621 5b5773c-5b57d78 KiUserExceptionDispatcher * 3 685 5b57d7e-5b57dcf 621->685 688->615 689->615 690->618 691->618 692->618 693->618 694->618 695->621 696->621
                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 83dbd2752c361a1286db6a281301deec094d61a623704f2766f462ca48b240ca
                                            • Instruction ID: b15db305d5839248038f40057e2f961421b1b34dea6aec8c7048453605e50846
                                            • Opcode Fuzzy Hash: 83dbd2752c361a1286db6a281301deec094d61a623704f2766f462ca48b240ca
                                            • Instruction Fuzzy Hash: 3E02B738A45268CFCB65EF20D98CA99B7B2FF49355F1041E9DA0A67340CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 697 5b5714f-5b576a8 831 5b576a8 call 5b5f192 697->831 832 5b576a8 call 5b5f198 697->832 758 5b576ae-5b576ef 833 5b576ef call 5b5f914 758->833 834 5b576ef call 5b5f677 758->834 835 5b576ef call 5b5f192 758->835 836 5b576ef call 5b5fa6f 758->836 837 5b576ef call 5b5f198 758->837 761 5b576f5-5b57736 838 5b57736 call 5b5fb30 761->838 839 5b57736 call 5b5fad0 761->839 764 5b5773c-5b57d78 KiUserExceptionDispatcher * 3 828 5b57d7e-5b57dcf 764->828 831->758 832->758 833->761 834->761 835->761 836->761 837->761 838->764 839->764
                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 7b1e9542f5c320f0c375bc69671c6cf0b5af7f023a73bbe985d5e9d8fe1b5e9f
                                            • Instruction ID: fa4d48fd61a144d12ce5f787f51d16589603996ee608abe99fb5cdfe7cd46b9e
                                            • Opcode Fuzzy Hash: 7b1e9542f5c320f0c375bc69671c6cf0b5af7f023a73bbe985d5e9d8fe1b5e9f
                                            • Instruction Fuzzy Hash: 3A02B738A05258CFCB65EF20D98CA99B7B2FF49356F1041E9DA0A57340CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 840 5b5718d-5b576a8 971 5b576a8 call 5b5f192 840->971 972 5b576a8 call 5b5f198 840->972 898 5b576ae-5b576ef 973 5b576ef call 5b5f914 898->973 974 5b576ef call 5b5f677 898->974 975 5b576ef call 5b5f192 898->975 976 5b576ef call 5b5fa6f 898->976 977 5b576ef call 5b5f198 898->977 901 5b576f5-5b57736 978 5b57736 call 5b5fb30 901->978 979 5b57736 call 5b5fad0 901->979 904 5b5773c-5b57d78 KiUserExceptionDispatcher * 3 968 5b57d7e-5b57dcf 904->968 971->898 972->898 973->901 974->901 975->901 976->901 977->901 978->904 979->904
                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 507c97cb0e0f9d97ecfc03e48832938c623dee99d6c3b89f88e58260f6e90d4d
                                            • Instruction ID: b870c98156e9aa21d68b1b04bdbbe013dc7622beae9d5619a4a04c55d0eab254
                                            • Opcode Fuzzy Hash: 507c97cb0e0f9d97ecfc03e48832938c623dee99d6c3b89f88e58260f6e90d4d
                                            • Instruction Fuzzy Hash: 78F1B638A05258CFCB65EF20D98CA99BBB2FF49356F1041E9DA0A67340CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 980 5b571d4-5b576a8 1110 5b576a8 call 5b5f192 980->1110 1111 5b576a8 call 5b5f198 980->1111 1035 5b576ae-5b576ef 1112 5b576ef call 5b5f914 1035->1112 1113 5b576ef call 5b5f677 1035->1113 1114 5b576ef call 5b5f192 1035->1114 1115 5b576ef call 5b5fa6f 1035->1115 1116 5b576ef call 5b5f198 1035->1116 1038 5b576f5-5b57736 1108 5b57736 call 5b5fb30 1038->1108 1109 5b57736 call 5b5fad0 1038->1109 1041 5b5773c-5b57d78 KiUserExceptionDispatcher * 3 1105 5b57d7e-5b57dcf 1041->1105 1108->1041 1109->1041 1110->1035 1111->1035 1112->1038 1113->1038 1114->1038 1115->1038 1116->1038
                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: ad5b762baee9091e06bd1e4e73470ee60fce9936b5fa35a728a21fff255105c0
                                            • Instruction ID: 9b42dd3fbf85b14488baa683308abd24d0bc7418398a27b9f485ac5681843eaf
                                            • Opcode Fuzzy Hash: ad5b762baee9091e06bd1e4e73470ee60fce9936b5fa35a728a21fff255105c0
                                            • Instruction Fuzzy Hash: B7F1B678A05258CFCB65EF20D98CA99BBB2FF49356F1041E9DA0A67340CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 1117 5b5721b-5b576a8 1242 5b576a8 call 5b5f192 1117->1242 1243 5b576a8 call 5b5f198 1117->1243 1169 5b576ae-5b576ef 1244 5b576ef call 5b5f914 1169->1244 1245 5b576ef call 5b5f677 1169->1245 1246 5b576ef call 5b5f192 1169->1246 1247 5b576ef call 5b5fa6f 1169->1247 1248 5b576ef call 5b5f198 1169->1248 1172 5b576f5-5b57736 1249 5b57736 call 5b5fb30 1172->1249 1250 5b57736 call 5b5fad0 1172->1250 1175 5b5773c-5b57d78 KiUserExceptionDispatcher * 3 1239 5b57d7e-5b57dcf 1175->1239 1242->1169 1243->1169 1244->1172 1245->1172 1246->1172 1247->1172 1248->1172 1249->1175 1250->1175
                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: e9730ae5a4e306779f7303b33e10eca7838a3b07d48acbbb6e684b90f0c8bada
                                            • Instruction ID: ef9419a9c440fa3e899694876b2a1a1d0b591cee74298116fbf0af01027da7ca
                                            • Opcode Fuzzy Hash: e9730ae5a4e306779f7303b33e10eca7838a3b07d48acbbb6e684b90f0c8bada
                                            • Instruction Fuzzy Hash: 01F1B638A15258CFCB65EF20D98CA99BBB2FF49356F1041E9DA0A67340CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 1251 5b57262-5b576a8 1375 5b576a8 call 5b5f192 1251->1375 1376 5b576a8 call 5b5f198 1251->1376 1300 5b576ae-5b576ef 1377 5b576ef call 5b5f914 1300->1377 1378 5b576ef call 5b5f677 1300->1378 1379 5b576ef call 5b5f192 1300->1379 1380 5b576ef call 5b5fa6f 1300->1380 1381 5b576ef call 5b5f198 1300->1381 1303 5b576f5-5b57736 1373 5b57736 call 5b5fb30 1303->1373 1374 5b57736 call 5b5fad0 1303->1374 1306 5b5773c-5b57d78 KiUserExceptionDispatcher * 3 1370 5b57d7e-5b57dcf 1306->1370 1373->1306 1374->1306 1375->1300 1376->1300 1377->1303 1378->1303 1379->1303 1380->1303 1381->1303
                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: ab1955301cc4bec3fa38b049f11a913365fdac9d97e96834e44cc381fbf34584
                                            • Instruction ID: 253b4b827e9154d4ddd719d5a4cbe5696411c278554076f467da0145318c7863
                                            • Opcode Fuzzy Hash: ab1955301cc4bec3fa38b049f11a913365fdac9d97e96834e44cc381fbf34584
                                            • Instruction Fuzzy Hash: FDF1B738A05258CFCB65EF20D98CA99BBB2FF49355F1041E9DA0A67340CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 1382 5b572a9-5b576a8 1501 5b576a8 call 5b5f192 1382->1501 1502 5b576a8 call 5b5f198 1382->1502 1428 5b576ae-5b576ef 1503 5b576ef call 5b5f914 1428->1503 1504 5b576ef call 5b5f677 1428->1504 1505 5b576ef call 5b5f192 1428->1505 1506 5b576ef call 5b5fa6f 1428->1506 1507 5b576ef call 5b5f198 1428->1507 1431 5b576f5-5b57736 1508 5b57736 call 5b5fb30 1431->1508 1509 5b57736 call 5b5fad0 1431->1509 1434 5b5773c-5b57d78 KiUserExceptionDispatcher * 3 1498 5b57d7e-5b57dcf 1434->1498 1501->1428 1502->1428 1503->1431 1504->1431 1505->1431 1506->1431 1507->1431 1508->1434 1509->1434
                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: bab8e94c79fe7ed9704dab70114f62370e8f9a53a0919209ee0d88d0e0fb5bb8
                                            • Instruction ID: 21cfa15828f9f15d66c035a97d266202f1507b337569785ac4a1419f97f0e94d
                                            • Opcode Fuzzy Hash: bab8e94c79fe7ed9704dab70114f62370e8f9a53a0919209ee0d88d0e0fb5bb8
                                            • Instruction Fuzzy Hash: 0DE1B638A45258CFCB65EF20D98CA99BBB2FF49356F1041E9DA0A67340CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 1510 5b572f0-5b576a8 1626 5b576a8 call 5b5f192 1510->1626 1627 5b576a8 call 5b5f198 1510->1627 1553 5b576ae-5b576ef 1628 5b576ef call 5b5f914 1553->1628 1629 5b576ef call 5b5f677 1553->1629 1630 5b576ef call 5b5f192 1553->1630 1631 5b576ef call 5b5fa6f 1553->1631 1632 5b576ef call 5b5f198 1553->1632 1556 5b576f5-5b57736 1633 5b57736 call 5b5fb30 1556->1633 1634 5b57736 call 5b5fad0 1556->1634 1559 5b5773c-5b57d78 KiUserExceptionDispatcher * 3 1623 5b57d7e-5b57dcf 1559->1623 1626->1553 1627->1553 1628->1556 1629->1556 1630->1556 1631->1556 1632->1556 1633->1559 1634->1559
                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 66a1c3e1fa7b05b12edab15e97cbbc9d4809804773b30472debb7c632db3cca1
                                            • Instruction ID: 457ac4aa317f3e3868b6953f8234d3d8c704881ec0e0cd1324472316b5a14d1f
                                            • Opcode Fuzzy Hash: 66a1c3e1fa7b05b12edab15e97cbbc9d4809804773b30472debb7c632db3cca1
                                            • Instruction Fuzzy Hash: F4E1B638A05258CFCB65EF24D98CA99BBB2FF49356F1041E9DA0A67340CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph
                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 540295469312299c3fa19a9c6a61314bcef0b8c9f5d100632b774fad155e5faa
                                            • Instruction ID: ef237ccd9135f419dc660dd61a0ca05176106f31ac091b57b4663044b14007af
                                            • Opcode Fuzzy Hash: 540295469312299c3fa19a9c6a61314bcef0b8c9f5d100632b774fad155e5faa
                                            • Instruction Fuzzy Hash: E1E1B638A05258CFCB65EF24D98CA99BBB2FF49356F1041E9DA0A67340CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph
                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 73865e4ac6e282814fb12b0ae1e33ebf66003e7d23c5701ddf621a6fbc4b0608
                                            • Instruction ID: 881887d6eebd7ce38474eb8aefd8cb8ece6faaae2dd3bc779148736dff748661
                                            • Opcode Fuzzy Hash: 73865e4ac6e282814fb12b0ae1e33ebf66003e7d23c5701ddf621a6fbc4b0608
                                            • Instruction Fuzzy Hash: 98E1B638A05258CFCB65EF20D98CA99BBB2FF49356F1041E9DA0A67340CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 0d521234c34788bde0e935b444609211e362eee884a3fbebc87e0097fd491fa4
                                            • Instruction ID: 5c8bcb63a7ec537745529d91b1a1f2acff653aedf8af7bacc71aec36e2da2b59
                                            • Opcode Fuzzy Hash: 0d521234c34788bde0e935b444609211e362eee884a3fbebc87e0097fd491fa4
                                            • Instruction Fuzzy Hash: 37D1A538A05258CFCB65EF24D98CA99BBB2FF49356F1041E9DA0A67240CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: e94a9c0ced278043253fa36b5b140cd450c45fd6a587cbf7dffcb8e8fb3dc9fd
                                            • Instruction ID: 48aeb925aade6a7490637b321e7a2134fe84cc651b95d8a4b4d0a39dd585f3ee
                                            • Opcode Fuzzy Hash: e94a9c0ced278043253fa36b5b140cd450c45fd6a587cbf7dffcb8e8fb3dc9fd
                                            • Instruction Fuzzy Hash: 18D1A538A05258CFCB65EF24D98CA99BBB2FF49356F1041E9DA0A67240CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: c813c32a149acaf45bc04c5b0601492ec06aed8b78e266f1aa038fc5efa117ea
                                            • Instruction ID: e35f02ac5ca9d7cd9e61da6f9137cd849f3ff75222554098323899b6af029aa2
                                            • Opcode Fuzzy Hash: c813c32a149acaf45bc04c5b0601492ec06aed8b78e266f1aa038fc5efa117ea
                                            • Instruction Fuzzy Hash: D1D1A538A05258CFCB65EF24D98CA99B7B2FF49356F1041E9DA0E67240CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 299f18e774402573bf95a9b7a3d96471c61bfe9a44f95e758183484cc76166cd
                                            • Instruction ID: 8c3015b152064a3d1ecb083b5f848b36a52e7e5582eaf5c5eff166950e25226e
                                            • Opcode Fuzzy Hash: 299f18e774402573bf95a9b7a3d96471c61bfe9a44f95e758183484cc76166cd
                                            • Instruction Fuzzy Hash: E2C1A538A05268CFCB65EF24D98CA99B7B2FF49356F1041E9D90A67240CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 2c088c1f7330b397562c5957b1af60aae5699b58cac80d87a9afe1f11f459ae8
                                            • Instruction ID: 9ae1e3dde86e193598bd96aa8835ab493275177b15076d5ccfd2d59e19125c46
                                            • Opcode Fuzzy Hash: 2c088c1f7330b397562c5957b1af60aae5699b58cac80d87a9afe1f11f459ae8
                                            • Instruction Fuzzy Hash: 7CC1A538A05268CFCB65EF24D98CA99B7B2FF49356F1041E9DA0A67240CF356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 116c56baa6cf833f4794b8b75a0414f36651957b434241f28195f66eed3254cf
                                            • Instruction ID: 7c72e5d5d0149b85fe72f5900590eb47c762070effa96612554699fee29bd9b9
                                            • Opcode Fuzzy Hash: 116c56baa6cf833f4794b8b75a0414f36651957b434241f28195f66eed3254cf
                                            • Instruction Fuzzy Hash: 0FC1A538A05258CFCB65EF24D98CA99B7B2FF49356F1041E9D90A67240CF356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 081f3c05dba491db973be661cb30f7cf732709d627e9e6bed3e7953647860ccc
                                            • Instruction ID: 829a3c0fe99a730ace6a3deb6a0374735de97eacd6aaa0da4c90a216f9b80a25
                                            • Opcode Fuzzy Hash: 081f3c05dba491db973be661cb30f7cf732709d627e9e6bed3e7953647860ccc
                                            • Instruction Fuzzy Hash: 41B1A438A05268CFCB65EF24D98CA99BBB2FF49356F1041E9D90E67240CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: d1bdb94e504368bf3c1e1d3eb6bc5b0548d7ce8a4410e4201b048b9c12c07d5d
                                            • Instruction ID: 54a7b1324fc8d90528432931a3547278193d450057e69fd5217ad9988ac128c7
                                            • Opcode Fuzzy Hash: d1bdb94e504368bf3c1e1d3eb6bc5b0548d7ce8a4410e4201b048b9c12c07d5d
                                            • Instruction Fuzzy Hash: DDB1A638A05268CFCB65EF24D98CA99B7B2FF49356F1041E9D90E67240CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 64d4524f1b25ee7aae3a75a1606004cbcfadb24e95b92546476b601f075eaa1f
                                            • Instruction ID: 112b600d15fc13fe33ba7e9a5a3a725a91ea1ad57a3d1d4fa9704be2a3ac5cde
                                            • Opcode Fuzzy Hash: 64d4524f1b25ee7aae3a75a1606004cbcfadb24e95b92546476b601f075eaa1f
                                            • Instruction Fuzzy Hash: 3CB19438A05268CFCB65EF24D98CA99B7B2FF49356F1041E9D90EA7240CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 06c127a9e51ebd75eb677294fb0b3c244e95a528454f9139a99341071b85bdac
                                            • Instruction ID: 92fb97e86bcc21bf9bf5c4ef0427cb945ecc5f2b218b3267cba67b274111e0be
                                            • Opcode Fuzzy Hash: 06c127a9e51ebd75eb677294fb0b3c244e95a528454f9139a99341071b85bdac
                                            • Instruction Fuzzy Hash: ECA1A438A05268CFCB65EF24D98CA99B7B2FF49356F1041E9D90EA7240CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: eadb289ebdf8e26897bca05fb970b973d826daf2745c4bb68f1d371b002591b8
                                            • Instruction ID: 420a82ea359d09c3c857e6ed981dda153426651a1f7e10085863ac4cb4dd59ef
                                            • Opcode Fuzzy Hash: eadb289ebdf8e26897bca05fb970b973d826daf2745c4bb68f1d371b002591b8
                                            • Instruction Fuzzy Hash: FDA1A438A05268CFCB65EF24D98CA99B7B2FF49356F1041E9D90EA7240CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 06822c16c83231473d1e0acc90e3438d652ebca46fcb5eb7115749ba3a99c966
                                            • Instruction ID: d575427818a647d95a907671fb82f903ad3dd6dcc9f44721ad49c92bcad0a9e9
                                            • Opcode Fuzzy Hash: 06822c16c83231473d1e0acc90e3438d652ebca46fcb5eb7115749ba3a99c966
                                            • Instruction Fuzzy Hash: 60A1A438A05268CFCB65EF24D98CA99B7B2FF49356F1041E9D90AA7240CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 2ecf9d2f72b355327ef10813aee36faa02cd4eb400e6e8ac53494984589232ac
                                            • Instruction ID: 483afa6003837a335f18d8ee6e2e184646ce006d8e3a2dacb494ff4a63484302
                                            • Opcode Fuzzy Hash: 2ecf9d2f72b355327ef10813aee36faa02cd4eb400e6e8ac53494984589232ac
                                            • Instruction Fuzzy Hash: 4991B538A05268CFCB65EF20D98CA99B7B2FF49356F1041E9D90A67240CF356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 68f8df6ff832c7df88e0a901d6be809ab3c9a914c4d3f07f93d2858365cc15c8
                                            • Instruction ID: 17ef8fadbb2a109acef15bc95c98acc7e56747426ac2d82a63546c37fd025837
                                            • Opcode Fuzzy Hash: 68f8df6ff832c7df88e0a901d6be809ab3c9a914c4d3f07f93d2858365cc15c8
                                            • Instruction Fuzzy Hash: 8E91B438A05268CFCB65EF20D98CA99B7B2FF49356F1041E9D90AA7240CF356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 0e128cd9bce0fa587c687ad2d745f3ff38117da73bfa457c28fd6efc656c74d9
                                            • Instruction ID: 664a6ff1c028a2e042c5f2a8c0ced2951179cd1981ba3b896da0f9ec8c16f9e6
                                            • Opcode Fuzzy Hash: 0e128cd9bce0fa587c687ad2d745f3ff38117da73bfa457c28fd6efc656c74d9
                                            • Instruction Fuzzy Hash: FA81A338A05268CFCB65EF20D98CA99B7B2FF49356F1041E9D90AA7240CF356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 7f422a0cf27eae86fbe6916b68f50d4764a5225bacd330bbdd1a5bf9fd6cbd56
                                            • Instruction ID: 34954858402fbba6e1f66da5e5354efb992cb18af335ca46b6030f88ab964b1e
                                            • Opcode Fuzzy Hash: 7f422a0cf27eae86fbe6916b68f50d4764a5225bacd330bbdd1a5bf9fd6cbd56
                                            • Instruction Fuzzy Hash: B381A338A05268CFCB65EF24D98CA99B7B2FF49356F1041E9D90AA7240CF356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B5785E
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 64809afc6eeaac10321577cf6fd0690b93cbbd4dc7ae10a164ab4682b4c29fa3
                                            • Instruction ID: dbb7aaffcccc083e72e5cd14d61711a985b5bc7381c65609637d0a4e8b5b1519
                                            • Opcode Fuzzy Hash: 64809afc6eeaac10321577cf6fd0690b93cbbd4dc7ae10a164ab4682b4c29fa3
                                            • Instruction Fuzzy Hash: 1D719338A05268CFCB65EF24D98CA99B7B2FF49356F1041E9D90AA7240CF356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: b859c3bb13d0468729adf5ba99dd8ba21267e8ab563de96301381d346796d2ee
                                            • Instruction ID: 52763495bd2b26fd4f99ea3a501a03219dd2c8eb7ecaa4e7305dea1b59b93180
                                            • Opcode Fuzzy Hash: b859c3bb13d0468729adf5ba99dd8ba21267e8ab563de96301381d346796d2ee
                                            • Instruction Fuzzy Hash: 09719338A05268CFCB65EF24D98CA99B7B2FF49356F1041E9D90EA7240CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 70b9924d681138d508105f4057933d9d4bfd2d88541bdd97a0dbe945889e479e
                                            • Instruction ID: dec22f9feeb0bd1353811c3a5c3596f50dcaf22aa2283f3eed5cd4a098b14a67
                                            • Opcode Fuzzy Hash: 70b9924d681138d508105f4057933d9d4bfd2d88541bdd97a0dbe945889e479e
                                            • Instruction Fuzzy Hash: C8619138A05268CFCB65EF24D98CA99B7B2FF49356F1041E9D90EA7240CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 0ca58191edc4949ed32813c086344cdc130ebb16a1f9f8c233ab0d7e3f45ac0d
                                            • Instruction ID: 6adee0842bdc5a920a43ed765e32e1a5a0756f661b8d7d615c59f589af08fb45
                                            • Opcode Fuzzy Hash: 0ca58191edc4949ed32813c086344cdc130ebb16a1f9f8c233ab0d7e3f45ac0d
                                            • Instruction Fuzzy Hash: 7C61A238A05268CFCB65EF24D98CA99B7B2FF49355F1041E9D90EA7240CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 025d47a8f20b04fd6ff69aa6014c716f5c04ddb1a805b5d8dd2b48a4b7d92335
                                            • Instruction ID: b60bb3b601556602bbe7b6e6801166ac21673d8d03819dae844c52e4b7ebf001
                                            • Opcode Fuzzy Hash: 025d47a8f20b04fd6ff69aa6014c716f5c04ddb1a805b5d8dd2b48a4b7d92335
                                            • Instruction Fuzzy Hash: 4751A038A05268CFCB65EB24D98CA99BBB2FF49355F1041E9D90EA7240CF356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: b2920bf94e299af94be23ac54e7dfa911a20d524a37b47f58f0cfab0d2eca6ca
                                            • Instruction ID: 76baea2338168b27063d1743ff3ab47af50e084d2ecdcaf4cc7d8174b6ffa3a2
                                            • Opcode Fuzzy Hash: b2920bf94e299af94be23ac54e7dfa911a20d524a37b47f58f0cfab0d2eca6ca
                                            • Instruction Fuzzy Hash: A651B238A05268CFCB65EF20D98CA99B7B2FF49355F1041E9D90EA7240CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 90dc3b28f14a4ac5e97694b145a8244ce34af8462bc97ae2ab72e4c1a40935ac
                                            • Instruction ID: 664d248eeeb16eb1711e6b05dc9d37a60d19e7383fc3845d51e3177f1e70c016
                                            • Opcode Fuzzy Hash: 90dc3b28f14a4ac5e97694b145a8244ce34af8462bc97ae2ab72e4c1a40935ac
                                            • Instruction Fuzzy Hash: 1451C238A05268CFCB65EB20D988A99B7B2FF49355F1041E9DA0EA7240CF356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57A58
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: e6330f851d940a709bd02189cdb978ee47617fea31c95a228ec54130c0d1d243
                                            • Instruction ID: ea0756f4281e8de2a77a5eddecbef20fc651268d7f0a8cd71d0e104e68288c94
                                            • Opcode Fuzzy Hash: e6330f851d940a709bd02189cdb978ee47617fea31c95a228ec54130c0d1d243
                                            • Instruction Fuzzy Hash: C351C538A05268CFCB65EF20D98CA99B7B2FF49355F1041E9D90AA7240CF356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: f3fd3a0eda2f0a21f6e9bc67b02800b15175865a0ba39a4e399f670c40a6d42c
                                            • Instruction ID: 01ecdb8893f561ea411a277f9ade8fd76c05c4b95704ae1354b68c16ca111aeb
                                            • Opcode Fuzzy Hash: f3fd3a0eda2f0a21f6e9bc67b02800b15175865a0ba39a4e399f670c40a6d42c
                                            • Instruction Fuzzy Hash: 2A41D538A05268CFCB65EF20D98CA99B7B2FF49355F1041E9E90AA7240CF356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryA.KERNELBASE(?), ref: 00F9C9BA
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.690132466.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_f90000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 6b7c44619ffe233130ed21fc7ec40019e6c1e6681bd16a4910f459bccc7cc301
                                            • Instruction ID: c07ccc5bd8d6ab73c79bd65a0751ab90ca2d76d45a0850a0be4bae31736d3b7b
                                            • Opcode Fuzzy Hash: 6b7c44619ffe233130ed21fc7ec40019e6c1e6681bd16a4910f459bccc7cc301
                                            • Instruction Fuzzy Hash: 1A3123B0D102499FEF14CFA8C895BDEBFB1BB09714F14852AE855AB380D7749885CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryA.KERNELBASE(?), ref: 00F9C9BA
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.690132466.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_f90000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 48a36e3116ab318bfd6c9eaa80e8bb7c75493a29bfaf7fa29630f9d4e9074464
                                            • Instruction ID: c0452238b3816e0fbdd79d1097d183607b9c3990a78de1a6121e68c5a342b068
                                            • Opcode Fuzzy Hash: 48a36e3116ab318bfd6c9eaa80e8bb7c75493a29bfaf7fa29630f9d4e9074464
                                            • Instruction Fuzzy Hash: FE3142B0D102499FEF14CFA9C885B9EBFB1BB08714F14812AE815AB380D7789841CF95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 7bc81aa0d0c122d0caa8ebf2ba8650d19b22dec2e606e3b57f9c9e04564f8536
                                            • Instruction ID: 79868a0e6bfe445a7ae57cbca59a6b64017837891b0edf24e5fe152496da22e8
                                            • Opcode Fuzzy Hash: 7bc81aa0d0c122d0caa8ebf2ba8650d19b22dec2e606e3b57f9c9e04564f8536
                                            • Instruction Fuzzy Hash: C441E638A05268CFCB65EF20D98CA99B7B2FF49355F1041E9D90A97240CF356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 46dc78ac8094261060baa061efed75474762e99ad3a83b5ee760572a2e486e13
                                            • Instruction ID: 0d2dd218e0e87bf0b50223f2ea681505d8fcdd7f34fdc29ec2e376cd80ff7f5f
                                            • Opcode Fuzzy Hash: 46dc78ac8094261060baa061efed75474762e99ad3a83b5ee760572a2e486e13
                                            • Instruction Fuzzy Hash: 4941E538A05268CFCB65EF20D98DA99B7B2FF49355F1041E9D90A97240CF356E81CF52
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 893ab9248ec0ef51caf47780e358f471a113bcc48cddee7fdaa18f7321b9ae0d
                                            • Instruction ID: e96081ffff89ec4a0b2e41eeb4aba5352db5dc45f61a5935a17100694a52b8c4
                                            • Opcode Fuzzy Hash: 893ab9248ec0ef51caf47780e358f471a113bcc48cddee7fdaa18f7321b9ae0d
                                            • Instruction Fuzzy Hash: 1131E634A05228CFCB64EF24D98CA99B7B2FF49355F1041E9DA0A97240CB356E81CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 32438cb424f49ef1a1f2a4c7a32c8a2afe81c7e645569831505fb2a150925907
                                            • Instruction ID: c140395106d3e43a5efe20d6a5458144a589ed03af2ef0494969cce942ad1038
                                            • Opcode Fuzzy Hash: 32438cb424f49ef1a1f2a4c7a32c8a2afe81c7e645569831505fb2a150925907
                                            • Instruction Fuzzy Hash: 9F31E434A01268CFCB65EF24D98DA99B7B2FF49355F1001E9D94AA7240CF356E81CF52
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 8868f6d4f5a3fef4a4c349571e392bc678096c793f6082beebcc074b4790eaf2
                                            • Instruction ID: 1d172307b67e45fffa672b6434bd040868e6f525f0892ee9d2fb0ab47550a37f
                                            • Opcode Fuzzy Hash: 8868f6d4f5a3fef4a4c349571e392bc678096c793f6082beebcc074b4790eaf2
                                            • Instruction Fuzzy Hash: 6B31E534A01228CFCB64EF24D98DA99B7B2FF49355F1001E9D94AA7240CF356E81CF42
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlEncodePointer.NTDLL(00000000), ref: 00F94D42
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.690132466.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_f90000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: EncodePointer
                                            • String ID:
                                            • API String ID: 2118026453-0
                                            • Opcode ID: b64ede749b5d73ede247196c605c525ce78ab847237e73b1de899783fa886627
                                            • Instruction ID: 1d784ab8d39f2998c2764e28cd34dfe9cef63d8fdb4a61cefdc3d1b5cbda70a3
                                            • Opcode Fuzzy Hash: b64ede749b5d73ede247196c605c525ce78ab847237e73b1de899783fa886627
                                            • Instruction Fuzzy Hash: 0121AE768013458FDF10DFA5D54879EBFF4FB54328F24806AD805A7641D7786506CFA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlEncodePointer.NTDLL(00000000), ref: 00F94D42
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.690132466.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_f90000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: EncodePointer
                                            • String ID:
                                            • API String ID: 2118026453-0
                                            • Opcode ID: 6638e1cfa9c3230afaf60af7b6dc7334437c83d4daff125c72894b0a60a71dfe
                                            • Instruction ID: 743781e37eee9695d286ee8b31af7704a8a2586a0be5dd55d799fcba9e438875
                                            • Opcode Fuzzy Hash: 6638e1cfa9c3230afaf60af7b6dc7334437c83d4daff125c72894b0a60a71dfe
                                            • Instruction Fuzzy Hash: 2711AC759013058FDF60DFA9D808B9EBFF8FB58724F24842AE804A7641D779A945CFA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05B57C46
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_5b50000_6iCD4aFtyn.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 41985102c3933a9ad82a9a67ea34643fafcaeb8e52762161d2a51729480705ce
                                            • Instruction ID: df62740f143ae6cabed071ff7d8f7b214fd8801cf451e8cd533ea3fa952cb821
                                            • Opcode Fuzzy Hash: 41985102c3933a9ad82a9a67ea34643fafcaeb8e52762161d2a51729480705ce
                                            • Instruction Fuzzy Hash: BC21E634A00228CFCB65DF24D88CA99B7B2FF49355F1001E9D94AA7240CF356E81CF52
                                            Uniqueness

                                            Uniqueness Score: -1.00%
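The records above are Joe Sandbox's per-function entries for code recovered from memory dumps rather than from the file on disk ("based on PE: false"). When triaging a list like this an analyst usually wants two things it does not give directly: which dump regions are worth carving first, and how the API references cluster. The following Python is an added example, not Joe Sandbox code; it parses records in the form shown above and flags regions whose dump name encodes a writable-and-executable page protection in MEM_PRIVATE memory with no PE backing, which is where runtime-unpacked code normally lives. The layout of the dotted fields in the .sdmp name (process index, phase, timestamp, base address, page protection, memory type) is an assumption about Joe Sandbox's naming, not something the report states; the two fields left undecoded are treated as opaque. The sample input is copied from four of the records above.

```python
"""Triage helper for Joe Sandbox function records (added example, not report code).

Assumed .sdmp name layout: <proc>.<phase>.<stamp>.<base>.<protect>.<f6>.<memtype>.<f8>.sdmp
where <protect> is the Win32 page protection and <memtype> the region Type
(MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE). <f6> and <f8> are left undecoded.
"""
import re
from collections import Counter

# winnt.h constants
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
WRITE_AND_EXECUTE = {0x40, 0x80}  # pages that are both writable and executable
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

API_RE = re.compile(r"•\s*(\w+)\.(\w+)\S*\s+ref:\s*([0-9A-Fa-f]+)")
SRC_RE = re.compile(r"Source File:\s*(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+),"
                    r"\s*based on PE:\s*(true|false)")
FUZZY_RE = re.compile(r"Instruction Fuzzy Hash:\s*([0-9A-Fa-f]+)")


def parse_dump_name(name):
    """Decode the dotted .sdmp file name (field layout assumed, see docstring)."""
    parts = name.split(".")
    if len(parts) != 9 or parts[-1] != "sdmp":
        raise ValueError(f"unexpected dump name: {name}")
    proc, phase, _stamp, base, protect, _f6, memtype, _f8, _ = parts
    p, t = int(protect, 16), int(memtype, 16)
    return {"proc_index": int(proc), "phase": int(phase), "base": int(base, 16),
            "protect": p, "protect_name": PAGE_PROTECT.get(p & 0xFF, hex(p)),
            "mem_type": t, "mem_type_name": MEM_TYPE.get(t, hex(t))}


def parse_records(text):
    """Split report text into per-function records: APIs, dump source, fuzzy hash."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":  # every record opens with this header
            cur = {"apis": [], "source": None, "fuzzy": None}
            records.append(cur)
            continue
        if cur is None:
            continue
        if m := API_RE.search(line):
            cur["apis"].append((m.group(1), m.group(2), int(m.group(3), 16)))
        elif m := SRC_RE.search(line):
            cur["source"] = {"file": m.group(1), "offset": int(m.group(2), 16),
                             "based_on_pe": m.group(3) == "true",
                             **parse_dump_name(m.group(1))}
        elif m := FUZZY_RE.search(line):
            cur["fuzzy"] = m.group(1)
    return records


def api_histogram(records):
    """How often each imported API is referenced across all records."""
    return Counter(api for r in records for api, _mod, _addr in r["apis"])


def flag_unpacked_regions(records):
    """Regions that are W+X, MEM_PRIVATE and not backed by a PE on disk."""
    regions = {}
    for r in records:
        src = r["source"]
        if src is None or src["based_on_pe"]:
            continue
        if (src["protect"] & 0xFF) in WRITE_AND_EXECUTE and src["mem_type"] == 0x20000:
            reg = regions.setdefault(src["base"], {"file": src["file"], "functions": 0,
                                                   "protect": src["protect_name"],
                                                   "apis": set()})
            reg["apis"].update(api for api, _m, _a in r["apis"])
            reg["functions"] += 1
    return regions


# Four records copied (abbreviated) from the report above.
SAMPLE = """
APIs
• KiUserExceptionDispatcher.NTDLL ref: 05B5785E
• KiUserExceptionDispatcher.NTDLL ref: 05B57A58
• KiUserExceptionDispatcher.NTDLL ref: 05B57C46
Memory Dump Source
• Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
• Instruction Fuzzy Hash: B381A338A05268CFCB65EF24D98CA99B7B2FF49356F1041E9D90AA7240CF356E81CF51
APIs
• KiUserExceptionDispatcher.NTDLL ref: 05B57C46
Memory Dump Source
• Source File: 00000004.00000002.692226113.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
• Instruction Fuzzy Hash: 2A41D538A05268CFCB65EF20D98CA99B7B2FF49355F1041E9E90AA7240CF356E81CF51
APIs
• LoadLibraryA.KERNELBASE(?), ref: 00F9C9BA
Memory Dump Source
• Source File: 00000004.00000002.690132466.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
• Instruction Fuzzy Hash: 1A3123B0D102499FEF14CFA8C895BDEBFB1BB09714F14852AE855AB380D7749885CF91
APIs
• RtlEncodePointer.NTDLL(00000000), ref: 00F94D42
Memory Dump Source
• Source File: 00000004.00000002.690132466.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
• Instruction Fuzzy Hash: 0121AE768013458FDF10DFA5D54879EBFF4FB54328F24806AD805A7641D7786506CFA0
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print("API references:", dict(api_histogram(recs)))
    for base, reg in sorted(flag_unpacked_regions(recs).items()):
        print(f"{base:08X} {reg['protect']} private non-PE region, "
              f"{reg['functions']} functions, APIs: {sorted(reg['apis'])}")
```

Run against the full function list, the region summary tells you which .sdmp files to load first: for this sample both the 05B50000 region (exception-dispatcher-heavy code) and the 00F90000 region (LoadLibraryA / RtlEncodePointer) come back as RWX private memory with no PE on disk, so they are the dumps to inspect for the unpacked stage rather than the original 6iCD4aFtyn.exe image.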