
Windows Analysis Report
xgnxoS8HWxonNHl.exe

Overview

General Information

Sample Name: xgnxoS8HWxonNHl.exe
Analysis ID: 612101
MD5: 56e4a7420f9a9fa987aba56b6f91fbcb
SHA1: 31595356f127256829e137be2c28ab6f4788e76e
SHA256: 12811d59e069011b7a1249365e515c8b63f21dd480cd955e2ec027aa2e3b80d8
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains very large array initializations
PE file has nameless sections
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
PE file contains section with special chars
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • xgnxoS8HWxonNHl.exe (PID: 6420 cmdline: "C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe" MD5: 56E4A7420F9A9FA987ABA56B6F91FBCB)
    • xgnxoS8HWxonNHl.exe (PID: 6736 cmdline: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe MD5: 56E4A7420F9A9FA987ABA56B6F91FBCB)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "umut@ormretsan.com", "Password": "AGjluYt1", "Host": "smtp.ormretsan.com"}
Source | Rule | Description | Author | Strings
00000003.00000000.410042576.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000000.410042576.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.417603219.00000000041EC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.417603219.00000000041EC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000003.00000000.409181519.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 16 entries shown)
Source | Rule | Description | Author | Strings
0.2.xgnxoS8HWxonNHl.exe.422f518.9.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.xgnxoS8HWxonNHl.exe.422f518.9.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.xgnxoS8HWxonNHl.exe.422f518.9.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | Strings:
  • 0x2edfe:$s1: get_kbok
  • 0x2f741:$s2: get_CHoo
  • 0x3037b:$s3: set_passwordIsSet
  • 0x2ec02:$s4: get_enableLog
  • 0x33276:$s8: torbrowser
  • 0x31c52:$s10: logins
  • 0x315ca:$s11: credential
  • 0x2e023:$g1: get_Clipboard
  • 0x2e031:$g2: get_Keyboard
  • 0x2e03e:$g3: get_Password
  • 0x2f5e0:$g4: get_CtrlKeyDown
  • 0x2f5f0:$g5: get_ShiftKeyDown
  • 0x2f601:$g6: get_AltKeyDown
3.2.xgnxoS8HWxonNHl.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
3.2.xgnxoS8HWxonNHl.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(5 of 28 entries shown)


Source: Process started | Author: frack113 | Data: Command: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, CommandLine: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, NewProcessName: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, OriginalFileName: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, ParentCommandLine: "C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe", ParentImage: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, ParentProcessId: 6420, ParentProcessName: xgnxoS8HWxonNHl.exe, ProcessCommandLine: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, ProcessId: 6736, ProcessName: xgnxoS8HWxonNHl.exe
No Snort rule has matched


AV Detection

Source: 3.0.xgnxoS8HWxonNHl.exe.400000.12.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "umut@ormretsan.com", "Password": "AGjluYt1", "Host": "smtp.ormretsan.com"}
Source: xgnxoS8HWxonNHl.exe | ReversingLabs: Detection: 24%
Source: xgnxoS8HWxonNHl.exe | Joe Sandbox ML: detected
Source: 3.0.xgnxoS8HWxonNHl.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.xgnxoS8HWxonNHl.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.xgnxoS8HWxonNHl.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.2.xgnxoS8HWxonNHl.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.xgnxoS8HWxonNHl.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.xgnxoS8HWxonNHl.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: xgnxoS8HWxonNHl.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: xgnxoS8HWxonNHl.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h | 0_2_00B81628
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h | 0_2_00B81538
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] | 0_2_04BC657C
Source: unknown | DNS traffic detected: queries for: smtp.ormretsan.com
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.412423872.00000000009D8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

                    Source: 0.2.xgnxoS8HWxonNHl.exe.422f518.9.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 3.2.xgnxoS8HWxonNHl.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 3.0.xgnxoS8HWxonNHl.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 3.0.xgnxoS8HWxonNHl.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.xgnxoS8HWxonNHl.exe.4265338.10.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.xgnxoS8HWxonNHl.exe.4265338.10.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 3.0.xgnxoS8HWxonNHl.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 3.0.xgnxoS8HWxonNHl.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 3.0.xgnxoS8HWxonNHl.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.xgnxoS8HWxonNHl.exe.422f518.9.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.xgnxoS8HWxonNHl.exe.41ec0f8.8.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: Process Memory Space: xgnxoS8HWxonNHl.exe PID: 6736, type: MEMORYSTRMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 3.0.xgnxoS8HWxonNHl.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b373E7CD5u002d9659u002d43C8u002d8AADu002d068512C7055Eu007d/D11C88A7u002d4F14u002d4DD5u002d9314u002d3310C843C7AD.csLarge array initialization: .cctor: array initializer size 11949
                    Source: xgnxoS8HWxonNHl.exeStatic PE information: section name:
                    Source: xgnxoS8HWxonNHl.exeStatic PE information: section name: =hsS2-
                    Source: xgnxoS8HWxonNHl.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                    Source: 0.2.xgnxoS8HWxonNHl.exe.422f518.9.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 3.2.xgnxoS8HWxonNHl.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 3.0.xgnxoS8HWxonNHl.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 3.0.xgnxoS8HWxonNHl.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.xgnxoS8HWxonNHl.exe.4265338.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.xgnxoS8HWxonNHl.exe.4265338.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 3.0.xgnxoS8HWxonNHl.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 3.0.xgnxoS8HWxonNHl.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 3.0.xgnxoS8HWxonNHl.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.xgnxoS8HWxonNHl.exe.422f518.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.xgnxoS8HWxonNHl.exe.41ec0f8.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: Process Memory Space: xgnxoS8HWxonNHl.exe PID: 6736, type: MEMORYSTRMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeCode function: 0_2_00B823800_2_00B82380
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeCode function: 0_2_00B834A80_2_00B834A8
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeCode function: 0_2_00B8A4700_2_00B8A470
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeCode function: 0_2_00B804720_2_00B80472
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeCode function: 0_2_00B818470_2_00B81847
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeCode function: 0_2_00B82B4A0_2_00B82B4A
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeCode function: 0_2_00B82FB80_2_00B82FB8
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeCode function: 0_2_00B851B80_2_00B851B8
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeCode function: 0_2_00B851C80_2_00B851C8
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeCode function: 0_2_00B822E10_2_00B822E1
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeCode function: 0_2_00B866200_2_00B86620
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeCode function: 0_2_00B866100_2_00B86610
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeCode function: 0_2_00B868980_2_00B86898
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeCode function: 0_2_00B868880_2_00B86888
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeCode function: 0_2_00B85D380_2_00B85D38
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeCode function: 0_2_00B85D290_2_00B85D29
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeCode function: 0_2_04BC342C0_2_04BC342C
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeCode function: 0_2_04BC54700_2_04BC5470
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeCode function: 0_2_04BC54600_2_04BC5460
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeCode function: 3_2_013946A03_2_013946A0
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeCode function: 3_2_0139461F3_2_0139461F
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeCode function: 3_2_0139D9803_2_0139D980
                    Source: xgnxoS8HWxonNHl.exeBinary or memory string: OriginalFilename vs xgnxoS8HWxonNHl.exe
                    Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.412423872.00000000009D8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs xgnxoS8HWxonNHl.exe
                    Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.417769097.00000000045A0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs xgnxoS8HWxonNHl.exe
                    Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.417603219.00000000041EC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDTuNaZxjHfMwnFJPQuCIUFoupH.exe4 vs xgnxoS8HWxonNHl.exe
                    Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.416424640.0000000003DA5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs xgnxoS8HWxonNHl.exe
                    Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.414094284.00000000028D3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIntrospective.dll" vs xgnxoS8HWxonNHl.exe
                    Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.413129137.00000000025A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDTuNaZxjHfMwnFJPQuCIUFoupH.exe4 vs xgnxoS8HWxonNHl.exe
                    Source: xgnxoS8HWxonNHl.exeBinary or memory string: OriginalFilename vs xgnxoS8HWxonNHl.exe
                    Source: xgnxoS8HWxonNHl.exe, 00000003.00000000.410042576.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDTuNaZxjHfMwnFJPQuCIUFoupH.exe4 vs xgnxoS8HWxonNHl.exe
                    Source: xgnxoS8HWxonNHl.exe | Binary or memory string: OriginalFilenameWindowsRuntimeBufferHel.exeN vs xgnxoS8HWxonNHl.exe
                    Source: xgnxoS8HWxonNHl.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: xgnxoS8HWxonNHl.exe | Static PE information: Section: =hsS2- ZLIB complexity 1.00042941046
                    Source: xgnxoS8HWxonNHl.exe | ReversingLabs: Detection: 24%
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown | Process created: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe "C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe"
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Process created: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xgnxoS8HWxonNHl.exe.log
                    Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/1@2/0
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Mutant created: \Sessions\1\BaseNamedObjects\YVJBkCIQvfTzzbbrrZNFQ
                    Source: 3.0.xgnxoS8HWxonNHl.exe.400000.4.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: xgnxoS8HWxonNHl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: xgnxoS8HWxonNHl.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Code function: 0_2_00272FC0 push 20062B25h; iretd | 0_2_00272FC5
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Code function: 3_2_0110E332 push eax; ret | 3_2_0110E349
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Code function: 3_2_0110D95C push eax; ret | 3_2_0110D95D
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Code function: 3_2_0110E38A push eax; ret | 3_2_0110E349
                    Source: xgnxoS8HWxonNHl.exe | Static PE information: section name: =hsS2-
                    Source: xgnxoS8HWxonNHl.exe | Static PE information: section name:
                    Source: initial sample | Static PE information: section name: =hsS2- entropy: 7.99707331021
                    Source: initial sample | Static PE information: section name: .text entropy: 7.91748293352
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: 00000000.00000002.413129137.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: xgnxoS8HWxonNHl.exe PID: 6420, type: MEMORYSTR
                    Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.413129137.00000000025A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.413129137.00000000025A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe TID: 6312 | Thread sleep time: -45733s >= -30000s
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe TID: 6384 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe TID: 4128 | Thread sleep count: 33 > 30
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe TID: 4128 | Thread sleep time: -30437127721620741s >= -30000s
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe TID: 6556 | Thread sleep count: 4675 > 30
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe TID: 6556 | Thread sleep count: 5149 > 30
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Window / User API: threadDelayed 4675
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Window / User API: threadDelayed 5149
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Thread delayed: delay time: 45733
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Thread delayed: delay time: 922337203685477
                    Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.413129137.00000000025A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.413129137.00000000025A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                    Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.413129137.00000000025A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                    Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.413129137.00000000025A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

                    Anti Debugging

                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Code function: 0_2_00B81628 CheckRemoteDebuggerPresent, | 0_2_00B81628
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Process created: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 0.2.xgnxoS8HWxonNHl.exe.422f518.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.xgnxoS8HWxonNHl.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.0.xgnxoS8HWxonNHl.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.0.xgnxoS8HWxonNHl.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.xgnxoS8HWxonNHl.exe.4265338.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.xgnxoS8HWxonNHl.exe.4265338.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.0.xgnxoS8HWxonNHl.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.0.xgnxoS8HWxonNHl.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.0.xgnxoS8HWxonNHl.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.xgnxoS8HWxonNHl.exe.422f518.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.xgnxoS8HWxonNHl.exe.41ec0f8.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000000.410042576.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.417603219.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000000.409181519.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000000.407935315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000000.408520132.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.627732273.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: xgnxoS8HWxonNHl.exe PID: 6420, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: xgnxoS8HWxonNHl.exe PID: 6736, type: MEMORYSTR
                    Source: Yara match | File source: 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: xgnxoS8HWxonNHl.exe PID: 6736, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 0.2.xgnxoS8HWxonNHl.exe.422f518.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.xgnxoS8HWxonNHl.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.0.xgnxoS8HWxonNHl.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.0.xgnxoS8HWxonNHl.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.xgnxoS8HWxonNHl.exe.4265338.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.xgnxoS8HWxonNHl.exe.4265338.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.0.xgnxoS8HWxonNHl.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.0.xgnxoS8HWxonNHl.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.0.xgnxoS8HWxonNHl.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.xgnxoS8HWxonNHl.exe.422f518.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.xgnxoS8HWxonNHl.exe.41ec0f8.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000000.410042576.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.417603219.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000000.409181519.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000000.407935315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000000.408520132.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.627732273.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: xgnxoS8HWxonNHl.exe PID: 6420, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: xgnxoS8HWxonNHl.exe PID: 6736, type: MEMORYSTR
                    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                    Valid Accounts211
                    Windows Management Instrumentation
                    Path Interception11
                    Process Injection
                    1
                    Masquerading
                    1
                    Input Capture
                    321
                    Security Software Discovery
                    Remote Services1
                    Input Capture
                    Exfiltration Over Other Network Medium1
                    Encrypted Channel
                    Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
                    Disable or Modify Tools
                    LSASS Memory1
                    Process Discovery
                    Remote Desktop Protocol11
                    Archive Collected Data
                    Exfiltration Over Bluetooth1
                    Non-Application Layer Protocol
                    Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)141
                    Virtualization/Sandbox Evasion
                    Security Account Manager141
                    Virtualization/Sandbox Evasion
                    SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
                    Application Layer Protocol
                    Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)11
                    Process Injection
                    NTDS1
                    Application Window Discovery
                    Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                    Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                    Deobfuscate/Decode Files or Information
                    LSA Secrets113
                    System Information Discovery
                    SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                    Replication Through Removable MediaLaunchdRc.commonRc.common3
                    Obfuscated Files or Information
                    Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                    External Remote ServicesScheduled TaskStartup ItemsStartup Items4
                    Software Packing
                    DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

                    Source | Detection | Scanner | Label
                    xgnxoS8HWxonNHl.exe | 24% | ReversingLabs | ByteCode-MSIL.Trojan.Taskun
                    xgnxoS8HWxonNHl.exe | 100% | Joe Sandbox ML |
                    No Antivirus matches
                    Source | Detection | Scanner | Label
                    3.0.xgnxoS8HWxonNHl.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
                    3.0.xgnxoS8HWxonNHl.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
                    3.0.xgnxoS8HWxonNHl.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
                    3.2.xgnxoS8HWxonNHl.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                    3.0.xgnxoS8HWxonNHl.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
                    3.0.xgnxoS8HWxonNHl.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
                    No Antivirus matches
                    Source | Detection | Scanner | Label
                    http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                    http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                    http://www.tiro.com | 0% | URL Reputation | safe
                    http://www.fontbureau.comessed | 0% | URL Reputation | safe
                    http://www.goodfont.co.kr | 0% | URL Reputation | safe
                    http://www.sajatypeworks.comC | 0% | Avira URL Cloud | safe
                    http://www.fontbureau.comasF | 0% | Avira URL Cloud | safe
                    http://www.founder.com.cn/cnttp | 0% | Avira URL Cloud | safe
                    http://www.sajatypeworks.com | 0% | URL Reputation | safe
                    http://www.typography.netD | 0% | URL Reputation | safe
                    http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                    http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                    http://fontfabrik.com | 0% | URL Reputation | safe
                    http://www.fontbureau.com4 | 0% | Avira URL Cloud | safe
                    http://www.sajatypeworks.comX | 0% | Avira URL Cloud | safe
                    http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                    https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
                    http://www.sandoll.co.kr | 0% | URL Reputation | safe
                    http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                    http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                    http://www.sakkal.com | 0% | URL Reputation | safe
                    http://www.fontbureau.comldTFM | 0% | Avira URL Cloud | safe
                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
                    http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
                    http://DynDns.comDynDNS | 0% | URL Reputation | safe
                    http://www.fontbureau.comF | 0% | URL Reputation | safe
                    http://www.fontbureau.comcomd | 0% | URL Reputation | safe
                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                    http://www.fontbureau.comd~ | 0% | Avira URL Cloud | safe
                    http://www.sajatypeworks.comz | 0% | Avira URL Cloud | safe
                    http://www.carterandcone.comily) | 0% | Avira URL Cloud | safe
                    http://www.fontbureau.coma | 0% | URL Reputation | safe
                    http://www.fontbureau.comd | 0% | URL Reputation | safe
                    http://www.carterandcone.coml | 0% | URL Reputation | safe
                    http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
                    http://www.fontbureau.comalsS? | 0% | Avira URL Cloud | safe
                    http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                    http://www.zhongyicts.com.cna | 0% | URL Reputation | safe
                    http://www.galapagosdesign.com/3 | 0% | Avira URL Cloud | safe
                    http://www.sajatypeworks.comurs | 0% | Avira URL Cloud | safe
                    http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                    http://www.carterandcone.comi) | 0% | Avira URL Cloud | safe
                    http://ATRZqY.com | 0% | Avira URL Cloud | safe
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    us2.smtp.mailhostbox.com | 162.222.225.16 | true | false | | high
                    smtp.ormretsan.com | unknown | unknown | true | | unknown
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://127.0.0.1:HTTP/1.1 | xgnxoS8HWxonNHl.exe, 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
                    http://www.fontbureau.com/designersG | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.fontbureau.com/designers/? | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.founder.com.cn/cn/bThe | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.fontbureau.com/designers? | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.fontbureau.com/designersB | xgnxoS8HWxonNHl.exe, 00000000.00000003.376447774.0000000007AB8000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.375942088.0000000007ABB000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.fontbureau.com/designersY | xgnxoS8HWxonNHl.exe, 00000000.00000003.377813742.0000000007AB3000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.tiro.com | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.372072274.0000000007A84000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.372094133.0000000007A8D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.fontbureau.com/designers | xgnxoS8HWxonNHl.exe, 00000000.00000003.376637617.0000000007AB8000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.384487951.0000000007ABB000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.376696263.0000000007AB8000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.375942088.0000000007ABB000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.fontbureau.comessed | xgnxoS8HWxonNHl.exe, 00000000.00000003.378171280.0000000007A85000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.goodfont.co.kr | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.sajatypeworks.comC | xgnxoS8HWxonNHl.exe, 00000000.00000003.368566801.0000000007A83000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://www.fontbureau.comasF | xgnxoS8HWxonNHl.exe, 00000000.00000003.376341670.0000000007A85000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://www.fontbureau.com/designersP | xgnxoS8HWxonNHl.exe, 00000000.00000003.376447774.0000000007AB8000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.founder.com.cn/cnttp | xgnxoS8HWxonNHl.exe, 00000000.00000003.371366282.0000000007A82000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://www.sajatypeworks.com | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.368156883.0000000007A82000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.368566801.0000000007A83000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.typography.netD | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.founder.com.cn/cn/cThe | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.galapagosdesign.com/staff/dennis.htm | xgnxoS8HWxonNHl.exe, 00000000.00000003.379946625.0000000007AB3000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.379889262.0000000007AB3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://fontfabrik.com | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.fontbureau.com4 | xgnxoS8HWxonNHl.exe, 00000000.00000003.378171280.0000000007A85000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.377363480.0000000007A85000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://www.sajatypeworks.comX | xgnxoS8HWxonNHl.exe, 00000000.00000003.368566801.0000000007A83000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://www.fontbureau.com/designersc | xgnxoS8HWxonNHl.exe, 00000000.00000003.384487951.0000000007ABB000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.galapagosdesign.com/DPlease | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://api.ipify.org%GETMozilla/5.0 | xgnxoS8HWxonNHl.exe, 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
                    http://www.fontbureau.com/designersv | xgnxoS8HWxonNHl.exe, 00000000.00000003.376069831.0000000007ABB000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.fonts.com | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.sandoll.co.kr | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.urwpp.deDPlease | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.zhongyicts.com.cn | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.sakkal.com | xgnxoS8HWxonNHl.exe, 00000000.00000003.373879871.0000000007ABB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.fontbureau.comldTFM | xgnxoS8HWxonNHl.exe, 00000000.00000003.411742228.0000000007A80000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000002.419351318.0000000007A80000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | xgnxoS8HWxonNHl.exe, 00000000.00000002.417603219.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000003.00000000.410042576.0000000000402000.00000040.00000400.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000003.00000000.407935315.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.fontbureau.com/designerss | xgnxoS8HWxonNHl.exe, 00000000.00000003.377813742.0000000007AB3000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.apache.org/licenses/LICENSE-2.0 | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.fontbureau.com | xgnxoS8HWxonNHl.exe, 00000000.00000003.378171280.0000000007A85000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.galapagosdesign.com/ | xgnxoS8HWxonNHl.exe, 00000000.00000003.379889262.0000000007AB3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://DynDns.comDynDNS | xgnxoS8HWxonNHl.exe, 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.fontbureau.comF | xgnxoS8HWxonNHl.exe, 00000000.00000003.378171280.0000000007A85000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.fontbureau.comcomd | xgnxoS8HWxonNHl.exe, 00000000.00000003.377363480.0000000007A85000.00000004.00000800.00020000.00000000.sdmp | false
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haxgnxoS8HWxonNHl.exe, 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.com/ixgnxoS8HWxonNHl.exe, 00000000.00000003.376341670.0000000007A85000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.fontbureau.comd~xgnxoS8HWxonNHl.exe, 00000000.00000003.377363480.0000000007A85000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    low
                                                    http://www.sajatypeworks.comzxgnxoS8HWxonNHl.exe, 00000000.00000003.368156883.0000000007A82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.carterandcone.comily)xgnxoS8HWxonNHl.exe, 00000000.00000003.372641423.0000000007A8E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    low
                                                    http://www.fontbureau.comaxgnxoS8HWxonNHl.exe, 00000000.00000003.411742228.0000000007A80000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000002.419351318.0000000007A80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.fontbureau.comdxgnxoS8HWxonNHl.exe, 00000000.00000003.378171280.0000000007A85000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.carterandcone.comlxgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.372641423.0000000007A8E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.founder.com.cn/cn/xgnxoS8HWxonNHl.exe, 00000000.00000003.371988138.0000000007A82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.fontbureau.com/designers/cabarga.htmlNxgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://www.fontbureau.comalsS?xgnxoS8HWxonNHl.exe, 00000000.00000003.378171280.0000000007A85000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.founder.com.cn/cnxgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.371387468.0000000007ABE000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.371615251.0000000007ABD000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.371351820.0000000007ABD000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.371440220.0000000007ABD000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.371503172.0000000007ABD000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.371366282.0000000007A82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.fontbureau.com/designers/frere-jones.htmlxgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://www.zhongyicts.com.cnaxgnxoS8HWxonNHl.exe, 00000000.00000003.372478173.0000000007A8E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.galapagosdesign.com/3xgnxoS8HWxonNHl.exe, 00000000.00000003.379889262.0000000007AB3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.fontbureau.com/designers/cabarga.htmlxgnxoS8HWxonNHl.exe, 00000000.00000003.377363480.0000000007A85000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://www.fontbureau.com/designers%xgnxoS8HWxonNHl.exe, 00000000.00000003.376510155.0000000007AB8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://www.sajatypeworks.comursxgnxoS8HWxonNHl.exe, 00000000.00000003.368156883.0000000007A82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.jiyu-kobo.co.jp/xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.fontbureau.com/designers8xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.377016385.0000000007AB3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://www.carterandcone.comi)xgnxoS8HWxonNHl.exe, 00000000.00000003.373157693.0000000007A82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              low
                                                              http://ATRZqY.comxgnxoS8HWxonNHl.exe, 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              No contacted IP infos
                                                              Joe Sandbox Version:34.0.0 Boulder Opal
                                                              Analysis ID:612101
Start date and time:2022-04-20 15:13:32 +02:00
                                                              Joe Sandbox Product:CloudBasic
                                                              Overall analysis duration:0h 9m 48s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Sample file name:xgnxoS8HWxonNHl.exe
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:18
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • HDC enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Detection:MAL
                                                              Classification:mal100.troj.evad.winEXE@3/1@2/0
                                                              EGA Information:
                                                              • Successful, ratio: 100%
                                                              HDC Information:
                                                              • Successful, ratio: 1.1% (good quality ratio 0.7%)
                                                              • Quality average: 42.4%
                                                              • Quality standard deviation: 36.8%
                                                              HCA Information:
                                                              • Successful, ratio: 98%
                                                              • Number of executed functions: 46
                                                              • Number of non-executed functions: 12
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .exe
                                                              • Adjust boot time
                                                              • Enable AMSI
                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                              • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, login.live.com, sls.update.microsoft.com, settings-win.data.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • VT rate limit hit for: xgnxoS8HWxonNHl.exe
Time:15:15:00
Type:API Interceptor
Description:516x Sleep call for process: xgnxoS8HWxonNHl.exe modified
                                                              Process:C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1308
                                                              Entropy (8bit):5.345811588615766
                                                              Encrypted:false
                                                              SSDEEP:24:ML9E4Ks29E4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MxHKX9HKx1qHiYHKhQnoPtHoxHhAHKzu
                                                              MD5:36C0A7F32E757FCBECED4EB6FC3C922C
                                                              SHA1:939BED45186769E4D878B9A44420CE140445F2CB
                                                              SHA-256:C85B76D06B14DE0D203F30A03BA1D26F17BA9970FE8491AB00A1ED1C0DEC9989
                                                              SHA-512:F0C308E83AE3FB61E9A7AA68E2CA54D9D48027DF1E8D8092C1FA61600555005675063F377C50572C34A39E8CC77FC044EAF2BC31D5C08DC46446C38F4433DF18
                                                              Malicious:true
                                                              Reputation:moderate, very likely benign file
                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Entropy (8bit):7.923008451625047
                                                              TrID:
                                                              • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                              • Win32 Executable (generic) a (10002005/4) 49.96%
                                                              • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                              • DOS Executable Generic (2002/1) 0.01%
                                                              File name:xgnxoS8HWxonNHl.exe
                                                              File size:707584
                                                              MD5:56e4a7420f9a9fa987aba56b6f91fbcb
                                                              SHA1:31595356f127256829e137be2c28ab6f4788e76e
                                                              SHA256:12811d59e069011b7a1249365e515c8b63f21dd480cd955e2ec027aa2e3b80d8
                                                              SHA512:db8da513d2de747f9e75294952e9c4087b0f5d3c0aa3dfc2735022f784a4205d2eacd78e15c192fda19c344d352bc7d3181fb5bc71dabcab898bcf77324d0824
                                                              SSDEEP:12288:d1PHUMvd+OT+Aooafb45NmrNm2+oMFYlY2BUV3vIr9yhDS/PUn3It9DIi96KASyx:dBU2oAqk/hYR0/IIhDSk3o9R6KASe
                                                              TLSH:42E4F19C326032EFC86BC076CEA86CB8EAA574BB971B57039417059DDE4D987CF150B2
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._b..............0......,....... ...@... ....@.. .......................@............@................................
                                                              Icon Hash:0000000000000000
                                                              Entrypoint:0x4b200a
                                                              Entrypoint Section:
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                              Time Stamp:0x625FC909 [Wed Apr 20 08:49:13 2022 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:v4.0.30319
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                              Instruction
                                                              jmp dword ptr [004B2000h]
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
Data Directories
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x14870          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xae000          0xf78         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xb0000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0xb2000          0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x14000          0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Sections
Name        Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
=hsS2-      0x2000           0x118e4       0x11a00   False     1.00042941046    data       7.99707331021    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.text       0x14000          0x99918       0x99a00   False     0.920395456164   data       7.91748293352    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc       0xae000          0xf78         0x1000    False     0.5673828125     data       6.3429053765     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc      0xb0000          0xc           0x200     False     0.044921875      data       0.0980041756627  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
(nameless)  0xb2000          0x10          0x200     False     0.044921875      data       0.142635768149   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
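The section table above is what the "PE file has nameless sections" and "PE file contains section with special chars" signatures key on, and it also explains the packer verdict: the first section is named "=hsS2-", is writable and executable yet declared as initialized data rather than code, and has an entropy of 7.997 bits/byte, i.e. it is a compressed or encrypted blob; .text is almost as dense (7.917), which fits the ".NET source code contains very large array initializations" signature; and the last section has no name at all. The Python below is an added example, not Joe Sandbox's own code. It parses raw IMAGE_SECTION_HEADER records with struct (no pefile dependency), computes per-section Shannon entropy, and tags exactly those anomalies. The headers and bodies it runs on are constructed here to mirror the table: names, sizes, addresses and characteristics are copied from it, the byte contents are synthetic, and the 7.5 bits/byte threshold and the COMMON_NAMES list are assumptions of this example.

```python
"""Section-table triage for a PE file (added example, not Joe Sandbox code)."""
import math
import random
import struct
from collections import Counter
from typing import Dict, List, Tuple

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Names the Microsoft linkers emit for native and .NET images (assumption:
# anything else deserves a look, not necessarily a verdict).
COMMON_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                ".edata", ".pdata", ".bss", ".tls", ".sdata"}
HIGH_ENTROPY = 7.5  # bits/byte; packed or encrypted payloads sit close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_section_headers(blob: bytes, count: int) -> List[Dict]:
    """Decode `count` consecutive IMAGE_SECTION_HEADER records from `blob`."""
    sections = []
    for i in range(count):
        f = SECTION_HEADER.unpack_from(blob, i * SECTION_HEADER.size)
        sections.append({
            "name": f[0].rstrip(b"\x00").decode("latin-1"),
            "virtual_size": f[1],
            "virtual_address": f[2],
            "raw_size": f[3],
            "characteristics": f[9],
        })
    return sections


def triage_section(sec: Dict, raw: bytes) -> List[str]:
    """Anomaly tags for one section, in a fixed order."""
    flags = []
    name, ch = sec["name"], sec["characteristics"]
    if not name:
        flags.append("nameless")
    else:
        if name not in COMMON_NAMES:
            flags.append("non-standard-name")
        if any(not (c.isalnum() or c in "._$") for c in name):
            flags.append("special-chars")
    if ch & IMAGE_SCN_MEM_WRITE and ch & IMAGE_SCN_MEM_EXECUTE:
        flags.append("write+execute")        # unpacker scratch space or self-modifying code
    if ch & IMAGE_SCN_MEM_EXECUTE and not ch & IMAGE_SCN_CNT_CODE:
        flags.append("executable-non-code")  # executable, yet declared as data
    if shannon_entropy(raw) > HIGH_ENTROPY:
        flags.append("high-entropy")
    return flags


def triage(headers: bytes, bodies: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each section name to its anomaly tags."""
    count = len(headers) // SECTION_HEADER.size
    return {s["name"]: triage_section(s, bodies.get(s["name"], b""))
            for s in parse_section_headers(headers, count)}


def _header(name: bytes, vsize: int, vaddr: int, rawsize: int, ch: int) -> bytes:
    # PointerToRawData and the relocation/line-number fields are zeroed: unused here.
    return SECTION_HEADER.pack(name.ljust(8, b"\x00"), vsize, vaddr, rawsize, 0, 0, 0, 0, 0, ch)


def _random_bytes(rng: random.Random, n: int) -> bytes:
    return rng.getrandbits(8 * n).to_bytes(n, "little")


def build_sample() -> Tuple[bytes, Dict[str, bytes]]:
    """CONSTRUCTED headers mirroring the report's section table, plus synthetic
    bodies with a matching entropy profile. Not bytes from the analysed file."""
    rng = random.Random(612101)
    headers = b"".join([
        _header(b"=hsS2-", 0x118e4, 0x2000, 0x11a00,
                IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_INITIALIZED_DATA
                | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ),
        _header(b".text", 0x99918, 0x14000, 0x99a00,
                IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ),
        _header(b".rsrc", 0xf78, 0xae000, 0x1000,
                IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        _header(b".reloc", 0xc, 0xb0000, 0x200,
                IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ),
        _header(b"", 0x10, 0xb2000, 0x200,
                IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ),
    ])
    bodies = {
        "=hsS2-": _random_bytes(rng, 0x11a00),  # encrypted blob: entropy near 8.0
        ".text": _random_bytes(rng, 0x99a00),   # obfuscated IL and big arrays: near 8.0
        ".rsrc": bytes(range(128)) * 32,        # icon and manifest: mid-range (7.0)
        ".reloc": b"\x00" * 0x200,              # 12 bytes of data in zero padding
        "": b"\xff\x25" + b"\x00" * 0x1fe,      # a jmp stub in zero padding
    }
    return headers, bodies


if __name__ == "__main__":
    hdrs, bodies = build_sample()
    for name, flags in triage(hdrs, bodies).items():
        print(f"{name or '(nameless)':<10} {', '.join(flags) or 'ok'}")
```

On the constructed sample the first section collects every tag (non-standard-name, special-chars, write+execute, executable-non-code, high-entropy), .text only high-entropy, and the trailing section only nameless; .rsrc and .reloc pass. Entropy alone is a weak signal (legitimately compressed resources also score high), so the writable-and-executable and executable-but-not-code combinations are the tags worth alerting on.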
Resources
Name           RVA      Size   Type                                                                         Language  Country
RT_ICON        0xae130  0x8a5  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON  0xae9d8  0x14   data
RT_VERSION     0xae9ec  0x39c  data
RT_MANIFEST    0xaed88  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Imports
DLL          Import
mscoree.dll  _CorExeMain
Version Infos
Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Telemarketer
Assembly Version  0.0.6.0
InternalName      WindowsRuntimeBufferHel.exe
FileVersion       1.0.3.0
CompanyName       Telemarketer
LegalTrademarks
Comments
ProductName       Visual N-Queens Solver
ProductVersion    1.0.3.0
FileDescription   Visual N-Queens Solver
OriginalFilename  WindowsRuntimeBufferHel.exe
UDP Packets
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Apr 20, 2022 15:16:58.594237089 CEST  56758        53         192.168.2.7  8.8.8.8
Apr 20, 2022 15:16:58.798269033 CEST  53           56758      8.8.8.8      192.168.2.7
Apr 20, 2022 15:16:58.803100109 CEST  62381        53         192.168.2.7  8.8.8.8
Apr 20, 2022 15:16:58.821592093 CEST  53           62381      8.8.8.8      192.168.2.7
DNS Queries
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                Type            Class
Apr 20, 2022 15:16:58.594237089 CEST  192.168.2.7  8.8.8.8  0xe33     Standard query (0)  smtp.ormretsan.com  A (IP address)  IN (0x0001)
Apr 20, 2022 15:16:58.803100109 CEST  192.168.2.7  8.8.8.8  0xaf7f    Standard query (0)  smtp.ormretsan.com  A (IP address)  IN (0x0001)
DNS Answers
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                      CName                     Address         Type                    Class
Apr 20, 2022 15:16:58.798269033 CEST  8.8.8.8    192.168.2.7  0xe33     No error (0)  smtp.ormretsan.com        us2.smtp.mailhostbox.com                  CNAME (Canonical name)  IN (0x0001)
Apr 20, 2022 15:16:58.798269033 CEST  8.8.8.8    192.168.2.7  0xe33     No error (0)  us2.smtp.mailhostbox.com                            162.222.225.16  A (IP address)          IN (0x0001)
Apr 20, 2022 15:16:58.798269033 CEST  8.8.8.8    192.168.2.7  0xe33     No error (0)  us2.smtp.mailhostbox.com                            208.91.198.38   A (IP address)          IN (0x0001)
Apr 20, 2022 15:16:58.798269033 CEST  8.8.8.8    192.168.2.7  0xe33     No error (0)  us2.smtp.mailhostbox.com                            208.91.198.46   A (IP address)          IN (0x0001)
Apr 20, 2022 15:16:58.798269033 CEST  8.8.8.8    192.168.2.7  0xe33     No error (0)  us2.smtp.mailhostbox.com                            162.222.225.29  A (IP address)          IN (0x0001)
Apr 20, 2022 15:16:58.821592093 CEST  8.8.8.8    192.168.2.7  0xaf7f    No error (0)  smtp.ormretsan.com        us2.smtp.mailhostbox.com                  CNAME (Canonical name)  IN (0x0001)
Apr 20, 2022 15:16:58.821592093 CEST  8.8.8.8    192.168.2.7  0xaf7f    No error (0)  us2.smtp.mailhostbox.com                            162.222.225.16  A (IP address)          IN (0x0001)
Apr 20, 2022 15:16:58.821592093 CEST  8.8.8.8    192.168.2.7  0xaf7f    No error (0)  us2.smtp.mailhostbox.com                            208.91.198.38   A (IP address)          IN (0x0001)
Apr 20, 2022 15:16:58.821592093 CEST  8.8.8.8    192.168.2.7  0xaf7f    No error (0)  us2.smtp.mailhostbox.com                            208.91.198.46   A (IP address)          IN (0x0001)
Apr 20, 2022 15:16:58.821592093 CEST  8.8.8.8    192.168.2.7  0xaf7f    No error (0)  us2.smtp.mailhostbox.com                            162.222.225.29  A (IP address)          IN (0x0001)
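The only network activity in the capture is this pair of lookups: the sample resolves smtp.ormretsan.com, which is a CNAME for us2.smtp.mailhostbox.com, a shared mail-hosting relay with four A records. That is consistent with AgentTesla's SMTP exfiltration channel, and it is the detection opportunity on an endpoint: a user workstation has no business resolving an smtp. host under a domain the organisation does not use for mail. The Python below is an added example, not Joe Sandbox tooling. It takes answer records in the shape of the table above (constructed here from the 0xe33 rows; the 0xaf7f transaction returned the same set), follows the CNAME chain with a loop guard, flattens it into an indicator set for blocking and hunting, and applies that heuristic. The MAIL_LABELS set, the sanctioned-domain list ("example.com" stands in for the organisation's own mail domain) and the two-label registrable-domain cut are assumptions; the last is wrong for ccTLDs such as co.uk, where a production rule should consult the public suffix list.

```python
"""Follow DNS CNAME chains and turn answer records into indicators (added example)."""
from typing import Dict, Iterable, List, Sequence, Set, Tuple

# (owner name, RR type, rdata), CONSTRUCTED from the report's answer rows
# for transaction 0xe33. Not a live capture.
Record = Tuple[str, str, str]
ANSWERS: List[Record] = [
    ("smtp.ormretsan.com", "CNAME", "us2.smtp.mailhostbox.com"),
    ("us2.smtp.mailhostbox.com", "A", "162.222.225.16"),
    ("us2.smtp.mailhostbox.com", "A", "208.91.198.38"),
    ("us2.smtp.mailhostbox.com", "A", "208.91.198.46"),
    ("us2.smtp.mailhostbox.com", "A", "162.222.225.29"),
]

# Leftmost labels that name a mail-protocol endpoint (assumption for the heuristic).
MAIL_LABELS = {"smtp", "smtps", "imap", "imaps", "pop", "pop3", "mail"}


def _norm(name: str) -> str:
    """Lower-case and drop a trailing dot so names compare equal regardless of form."""
    return name.lower().rstrip(".")


def resolve_chain(qname: str, answers: Sequence[Record],
                  max_hops: int = 8) -> Tuple[List[str], List[str]]:
    """Follow CNAMEs from qname.

    Returns (aliases in chain order, A addresses of the terminal name). Stops on
    a repeated name (CNAME loop) or after max_hops, so a hostile zone cannot
    make the caller spin.
    """
    name = _norm(qname)
    seen: Set[str] = set()
    aliases: List[str] = []
    addresses: List[str] = []
    while name not in seen and len(aliases) <= max_hops:
        seen.add(name)
        cnames = [r for o, t, r in answers if _norm(o) == name and t == "CNAME"]
        addresses = [r for o, t, r in answers if _norm(o) == name and t == "A"]
        if not cnames:
            break
        name = _norm(cnames[0])
        aliases.append(name)
    return aliases, addresses


def indicators(qname: str, answers: Sequence[Record]) -> Set[str]:
    """Every name and address along the chain: the block list for this lookup."""
    aliases, addresses = resolve_chain(qname, answers)
    return {_norm(qname), *aliases, *addresses}


def registrable_domain(name: str) -> str:
    """Naive two-label cut (assumption; use the public suffix list in production)."""
    return ".".join(_norm(name).split(".")[-2:])


def is_suspicious_mail_lookup(qname: str, sanctioned_mail_domains: Iterable[str]) -> bool:
    """True when a client resolves a mail-protocol host on a domain the
    organisation does not use for mail."""
    labels = _norm(qname).split(".")
    if labels[0] not in MAIL_LABELS:
        return False
    return registrable_domain(qname) not in {_norm(d) for d in sanctioned_mail_domains}


def report(qname: str, answers: Sequence[Record], sanctioned: Iterable[str]) -> Dict[str, object]:
    """One triage record per query, suitable for a SIEM enrichment step."""
    aliases, addresses = resolve_chain(qname, answers)
    return {
        "query": _norm(qname),
        "cname_chain": aliases,
        "addresses": addresses,
        "suspicious_mail_lookup": is_suspicious_mail_lookup(qname, sanctioned),
    }


if __name__ == "__main__":
    # "example.com" stands in for the organisation's own mail domain (assumption).
    print(report("smtp.ormretsan.com", ANSWERS, {"example.com"}))
```

The chain step matters for the indicator set: blocking only smtp.ormretsan.com leaves the relay reachable if the next build hard-codes a different first label, while blocking the mailhostbox addresses risks collateral damage for legitimate customers of that provider, so the CNAME target and its addresses are best treated as hunting context and the first-party domain as the block.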

Target ID: 0
Start time: 15:14:48
Start date: 20/04/2022
Path: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe"
Imagebase: 0x270000
File size: 707584 bytes
MD5 hash: 56E4A7420F9A9FA987ABA56B6F91FBCB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.417603219.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.417603219.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.413129137.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 3
Start time: 15:15:08
Start date: 20/04/2022
Path: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe
Imagebase: 0xa70000
File size: 707584 bytes
MD5 hash: 56E4A7420F9A9FA987ABA56B6F91FBCB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.410042576.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.410042576.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.409181519.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.409181519.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.407935315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.407935315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.408520132.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.408520132.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.627732273.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.627732273.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low


Execution Graph

Execution Coverage: 16.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 2.9%
Total number of Nodes: 208
Total number of Limit Nodes: 14

[Interactive execution graph omitted. Recoverable content: the graph's entry nodes and the API calls they reach are b81628 (CheckRemoteDebuggerPresent), b81748 (VirtualProtect), b8a7ec (CreateActCtxA), 4bc28a8 (GetCurrentProcess, GetCurrentThread, GetCurrentThreadId), 4bc2ad0 (DuplicateHandle), 4bc7078 (CreateWindowExW), 4bc650c and 4bc6634 (CallWindowProcW), 4bc0648 and 4bc06ad (GetModuleHandleW), 4bc0728, 4bc0738 and 4bc0958 (LoadLibraryExW).]

                                                                Control-flow Graph

Basic blocks: 106 b81538-b816d4 (calls CheckRemoteDebuggerPresent); 108 b816dd-b81736; 109 b816d6-b816dc
Edges: 106->108, 106->109, 109->108
                                                                APIs
                                                                • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00B816C4
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.412960841.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_b80000_xgnxoS8HWxonNHl.jbxd
                                                                Similarity
                                                                • API ID: CheckDebuggerPresentRemote
                                                                • String ID:
                                                                • API String ID: 3662101638-0
                                                                • Opcode ID: eb3b70a616dc4504cc1cc11d0b562d607183451cea6ae6c8eb54ef6e3111d47f
                                                                • Instruction ID: 6522833c7e09a7db5c858186c0910e282145f80592d6ce1e1faaa0efa41a961b
                                                                • Opcode Fuzzy Hash: eb3b70a616dc4504cc1cc11d0b562d607183451cea6ae6c8eb54ef6e3111d47f
                                                                • Instruction Fuzzy Hash: 4E51ADB5D0A2889FCB01CFA8E8546DDBFF1AF1A354F09819EE444B7252E3389949CF51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

Basic blocks: 162 b81628-b816d4 (calls CheckRemoteDebuggerPresent); 164 b816dd-b81736; 165 b816d6-b816dc
Edges: 162->164, 162->165, 165->164
                                                                APIs
                                                                • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00B816C4
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.412960841.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_b80000_xgnxoS8HWxonNHl.jbxd
                                                                Similarity
                                                                • API ID: CheckDebuggerPresentRemote
                                                                • String ID:
                                                                • API String ID: 3662101638-0
                                                                • Opcode ID: 00822f99d577e1115054f33f334f2cd2804a314cc9e4e9ed37ebf5dd6ae3e453
                                                                • Instruction ID: aae8a734e323779f99a988ea4885c61b5465c3731496807edc491ea8ad18b659
                                                                • Opcode Fuzzy Hash: 00822f99d577e1115054f33f334f2cd2804a314cc9e4e9ed37ebf5dd6ae3e453
                                                                • Instruction Fuzzy Hash: 6041DBB9D05258DFCB00CFA9D484AEEFBF4AB09310F14946AE454B7250D778AA89CF64
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

Basic blocks: 190 b8a470-b8d402; 193 b8d409-b8d426 (call b8bd3c); 194 b8d404; 196 b8d42b; 197 b8d432-b8d44e; 198 b8d450; 199 b8d457-b8d458; 200 b8d5bc-b8d5c0 (call b8bd4c); 201 b8d45d-b8d469; 202 b8d5dd-b8d5e4; 203 b8d4cf-b8d580; 204 b8d5a4-b8d5b7; 206 b8d48a; 207 b8d46b-b8d474; 208 b8d5c5-b8d5d8; 209 b8d47b-b8d47e; 210 b8d476-b8d479; 211 b8d48d-b8d4ca; 213 b8d488; 223 b8d589-b8d59f
Edges: 190->193, 190->194, 193->196, 194->193, 196->197, 197->198, 197->199, 198->196, 198->199, 198->200, 198->201, 198->202, 198->203, 198->204, 199->202, 200->208, 201->206, 201->207, 203->223, 204->197, 206->211, 207->209, 207->210, 208->197, 209->213, 210->213, 211->197, 213->211, 223->197
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.412960841.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_b80000_xgnxoS8HWxonNHl.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Au|;
                                                                • API String ID: 0-1649906977
                                                                • Opcode ID: 4f20df4e010cb91798068a54e8d45f7794cdf08b3c515e2d6c0b5799eee3c7a4
                                                                • Instruction ID: abd32f8067dec50b840507459acf1ae3b78462da63ee041f3175d0ed4b073f00
                                                                • Opcode Fuzzy Hash: 4f20df4e010cb91798068a54e8d45f7794cdf08b3c515e2d6c0b5799eee3c7a4
                                                                • Instruction Fuzzy Hash: 70510875E052189BDB08DFA5D5849AEBBF2FF88300F24856AD415A73A4DB34AD02CF50
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

Basic blocks: 224 b80472-b804a0; 225 b804a2; 226 b804a7-b8053f; 230 b80545-b80577; 232 b80579-b805ab; 233 b805ad-b805bb; 234 b805be-b80651; 239 b8065a-b8152b; 240 b80653
Edges: 224->225, 224->226, 225->226, 226->230, 230->232, 230->233, 232->234, 233->234, 234->239, 234->240, 240->239
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.412960841.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_b80000_xgnxoS8HWxonNHl.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: <
                                                                • API String ID: 0-4251816714
                                                                • Opcode ID: f217b9971d6ae77dd1abcb6e373a6f1975eed251aaf0106f6e4119a26e29965b
                                                                • Instruction ID: f1b7fd5cb4ec022e010607e058bea4dbd3a6f726a65c467073be779e86dd89ef
                                                                • Opcode Fuzzy Hash: f217b9971d6ae77dd1abcb6e373a6f1975eed251aaf0106f6e4119a26e29965b
                                                                • Instruction Fuzzy Hash: 4961B771E04658CFDB58CFAAC9406DDFBF2AF89304F14C1AAD519AB225EB305A85CF50
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.412960841.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8fab7b193b2ab246b7e455745dd9e1d879fcdb8eb46de0679b648e78afba29eb
• Instruction ID: 2fca84f557d0a22b0f59872c9db664ff750c8ddd90c36fee66b33e953c771859
• Opcode Fuzzy Hash: 8fab7b193b2ab246b7e455745dd9e1d879fcdb8eb46de0679b648e78afba29eb
• Instruction Fuzzy Hash: DDB145B5E052488FCB08CFA9D8945EDBBF2EF89304F24816AD405BB365E7349946CF25
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.412960841.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7db5e0c5f192ca10d4cfe7b416eeff3e2de8cf7bb1900e5d4cec489b6ba4b4f3
• Instruction ID: 6bd40ba8c7d6b1d3cfa13486d919c95278e9d41af022d550f72fd327876e0836
• Opcode Fuzzy Hash: 7db5e0c5f192ca10d4cfe7b416eeff3e2de8cf7bb1900e5d4cec489b6ba4b4f3
• Instruction Fuzzy Hash: A791C174E042198FDB08CFE9C9849AEBBF2EB88300F24942AD515BB364D7349946CF64
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.412960841.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0f5900184b64231edf532e6db7d0d1d9cc4d1b2f105f1786acae54adebeb3b97
• Instruction ID: f40c4488debe8e3745db733fabd4f5044bd7903abc52ebe6e918ff8cef31ba0f
• Opcode Fuzzy Hash: 0f5900184b64231edf532e6db7d0d1d9cc4d1b2f105f1786acae54adebeb3b97
• Instruction Fuzzy Hash: E961F474E0520A9FCB04DF99D484AAEFBF2FB88710F1481AAD515B7324D7749A42CF90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.412960841.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 90714cf8e089000e1b64ef98bf4021ee1a6f011126cb613ce3800ec1bdfd2c22
• Instruction ID: db101edddb676c5a7e3fe71c66fce388c5c754f281e3ffd5bf6ed6ca2fe098cc
• Opcode Fuzzy Hash: 90714cf8e089000e1b64ef98bf4021ee1a6f011126cb613ce3800ec1bdfd2c22
• Instruction Fuzzy Hash: 45511674E056198FDB08DFAAD8806AEFBF2FF89300F25C16AD419A7260D7345A01CF65
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.412960841.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5c1baef6d9511594c7f66713b1ac54172e3a98270ca5d2347368057f486dd7f2
• Instruction ID: d223a7acf719fbacff298ea1543c60930fca210e0e2c5f70b29d1d9fc7d5b8ae
• Opcode Fuzzy Hash: 5c1baef6d9511594c7f66713b1ac54172e3a98270ca5d2347368057f486dd7f2
• Instruction Fuzzy Hash: 2521C975E056588BEB58CFABDC5069EFBF7AFC9200F14C1AAD408A6264DB3009468F51
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.412960841.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4b62f6e1c35416c63aacb33bff17801746993d299ab9fccdea5a856f402fb84f
• Instruction ID: 32791b72ff75a9a1c271c5ec3efdaa95765c0a96484b22ef7fc5891345790f09
• Opcode Fuzzy Hash: 4b62f6e1c35416c63aacb33bff17801746993d299ab9fccdea5a856f402fb84f
• Instruction Fuzzy Hash: EC211975E056588BDB19CFAAD8502DEFFF3AFC9310F18C1AAD408A7264DB341A59CB50
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 04BC2908
• GetCurrentThread.KERNEL32 ref: 04BC2945
• GetCurrentProcess.KERNEL32 ref: 04BC2982
• GetCurrentThreadId.KERNEL32 ref: 04BC29DB
Memory Dump Source
• Source File: 00000000.00000002.418279704.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4bc0000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: ff817ae2ba388aa8af869634d1228f3e0e151f4b56ad83f84ad9b671ddfe8ad1
• Instruction ID: 6f61794178358f73530427886db8c98203192a1803305e77fbcdacf5daf56cb7
• Opcode Fuzzy Hash: ff817ae2ba388aa8af869634d1228f3e0e151f4b56ad83f84ad9b671ddfe8ad1
• Instruction Fuzzy Hash: 015165B0D006498FDB14CFA9D988B9EBBF1EF48314F2485AAE419A3350D774A944CF76
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetModuleHandleW.KERNELBASE(?), ref: 04BC06DA
Memory Dump Source
• Source File: 00000000.00000002.418279704.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4bc0000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: d5a220fd0da947575c451918cc2ab3766c46a04c81d2921f89f5a795d28b6ac5
• Instruction ID: f844c9125efdb127b645120e2f9b34fe7a65d0cb96ebd339ae603a266249b020
• Opcode Fuzzy Hash: d5a220fd0da947575c451918cc2ab3766c46a04c81d2921f89f5a795d28b6ac5
• Instruction Fuzzy Hash: D6910470A00B098FDB24EFA9D08569ABBF1FF49304F00896EE446E7650D774E945CF91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 04BC7239
Memory Dump Source
• Source File: 00000000.00000002.418279704.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4bc0000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 79dfe57ed913a2bf7906be419b92f93b7286b5abca59b6aeeb3e380f632bc49c
• Instruction ID: 039867509847df7e9e566ad075c7bb547a1cf028480b131ebb69942d2ba6fcb2
• Opcode Fuzzy Hash: 79dfe57ed913a2bf7906be419b92f93b7286b5abca59b6aeeb3e380f632bc49c
• Instruction Fuzzy Hash: 3F717CB4D00218DFDF20CFA9D984BDDBBB1BB0A304F1491AAE408B7211DB70A985CF55
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 04BC7239
Memory Dump Source
• Source File: 00000000.00000002.418279704.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4bc0000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: fe7f5c86af544781ebc993e8f66af979901df2aca6ab076c5262a0c6d22a1513
• Instruction ID: 06485ed845ba10f27940a0788634f6f14b5295559520cef879a28bc76c8b61ce
• Opcode Fuzzy Hash: fe7f5c86af544781ebc993e8f66af979901df2aca6ab076c5262a0c6d22a1513
• Instruction Fuzzy Hash: 22717AB4D00218DFDF20CFA9D984BDDBBB1BB0A304F1491AAE908A7211DB70A985CF55
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateActCtxA.KERNEL32(?), ref: 00B8C159
Memory Dump Source
• Source File: 00000000.00000002.412960841.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 8397160ffde65243a0ced4dc2df7a899fb24645d546fd0744cae263e573ce6cf
• Instruction ID: 735ee75fdc3ff0554e9d300a8cdee833c32bed3f44e09367e769eac18780c58c
• Opcode Fuzzy Hash: 8397160ffde65243a0ced4dc2df7a899fb24645d546fd0744cae263e573ce6cf
• Instruction Fuzzy Hash: D951F3B1D0422CCFDB21DFA4C884BCEBBB5AF45304F11819AD109BB251DB706A89CFA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04BC2B9B
Memory Dump Source
• Source File: 00000000.00000002.418279704.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4bc0000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 76adf678bd29ba46d2bfc8aa3c387ff76d60446fa38660f191a881888745b28f
• Instruction ID: 7a4af6e0386be639f685132a14a539c956d7fe2242fa8b1997980648c2568b18
• Opcode Fuzzy Hash: 76adf678bd29ba46d2bfc8aa3c387ff76d60446fa38660f191a881888745b28f
• Instruction Fuzzy Hash: 614166B9D002589FCF00CFA9D984ADEBBF5BB09310F14906AE918BB310D375A945CF94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 00B817EF
Memory Dump Source
• Source File: 00000000.00000002.412960841.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: d1dd806fbcfced5955030a9af7a26567cefbeb36bfbd1c013bc20d6f6a532365
• Instruction ID: 51983856789e32d5c2198ba2ae9dee7b6291b3b54b8d0f3ab0d19af0ff400239
• Opcode Fuzzy Hash: d1dd806fbcfced5955030a9af7a26567cefbeb36bfbd1c013bc20d6f6a532365
• Instruction Fuzzy Hash: DC31A8B9D052589FCF10CFA9E484AEEFBF0AB19310F24902AE814B7210D374A946CF64
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 04BC98A1
Memory Dump Source
• Source File: 00000000.00000002.418279704.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4bc0000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: cc29bebb8f2b496da5fb3a3cf22cb0310a0ec4446b5bb2a91feb163f86f4d6f2
• Instruction ID: 5af8ddba1d8312405c1323ace387f9dbf667265515203266e7dc92c2816f516c
• Opcode Fuzzy Hash: cc29bebb8f2b496da5fb3a3cf22cb0310a0ec4446b5bb2a91feb163f86f4d6f2
• Instruction Fuzzy Hash: 0F415BB5A00209DFDB04CF59C488A9ABBF5FF88354F14859DE519AB320D374E845CFA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• LoadLibraryExW.KERNELBASE(?,?,?), ref: 04BC0A02
Memory Dump Source
• Source File: 00000000.00000002.418279704.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4bc0000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 00d8749b8e949716e7810bfb56a1805e5e71462bd63d110c6eeff9cf9e5fc16b
• Instruction ID: d2fcc1a37f3d175403c2d2157dfddc2f3c045e0b4e8253fc530c41feb6b80390
• Opcode Fuzzy Hash: 00d8749b8e949716e7810bfb56a1805e5e71462bd63d110c6eeff9cf9e5fc16b
• Instruction Fuzzy Hash: 993176B4D00258DFCF10CFA9D484A9EFBF5BB49314F14906AE918B7220D374A946CF95
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
• Basic blocks: 169 b81748-b817ff (VirtualProtect); 171 b81808-b81844; 172 b81801-b81807
• Edges: 169→171, 169→172, 172→171
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 00B817EF
Memory Dump Source
• Source File: 00000000.00000002.412960841.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: a2fb1db1a0f0d69a16fa153da35a7031421ae3d1bf6ea9e31519f23cf3f3cd3f
• Instruction ID: 714e1c97480391ef9e3c22d57be79d4de4cb8a889a45a10979a926cc807d76c5
• Opcode Fuzzy Hash: a2fb1db1a0f0d69a16fa153da35a7031421ae3d1bf6ea9e31519f23cf3f3cd3f
• Instruction Fuzzy Hash: 193198B9D052589FCF10CFA9E484ADEFBF4BB09310F24942AE814B7210D774A945CFA4
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Basic blocks: 183 4bc0648-4bc0699; 184 4bc06ad-4bc06ea (GetModuleHandleW); 185 4bc069b-4bc06aa; 186 4bc06ec-4bc06f2; 187 4bc06f3-4bc0721
• Edges: 183→184, 183→185, 184→186, 184→187, 185→184, 186→187
APIs
• GetModuleHandleW.KERNELBASE(?), ref: 04BC06DA
Memory Dump Source
• Source File: 00000000.00000002.418279704.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4bc0000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 0f94312b96cb29c8feae55e3457712cf6e2151b3a90792b4adbbbcd1443e24c2
• Instruction ID: f4d781fa733ce44df7692f9ff43160dfcd8630e0404375923fb064c4dce867e7
• Opcode Fuzzy Hash: 0f94312b96cb29c8feae55e3457712cf6e2151b3a90792b4adbbbcd1443e24c2
• Instruction Fuzzy Hash: 5D3186B4D00259DFCB14CFAAD484ADEFBF5AB89314F14906AE818B7320D374A945CFA5
Uniqueness
• Uniqueness Score: -1.00%
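
The three function records above are the only ones in this part of the section with a resolved API call, and every one of them was lifted from a dump marked based on PE: false, that is, from memory the process wrote at run time rather than from the mapped image. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses records in the shape shown here, groups the API calls by dump region, and lists the run-time regions that resolve modules (GetModuleHandleW, LoadLibraryExW) or change page protections (VirtualProtect). The embedded records are constructed from the entries above with fields the grouping does not need dropped; the value based on PE: true and the loader heuristic are this example's assumptions, not report signatures.

```python
"""Triage the per-function records of a Joe Sandbox disassembly section.

Each record names the APIs a function calls and the memory dump it came
from. 'based on PE: false' on the dump line means the region is not backed
by an image on disk, so the code in it was written at run time. Grouping
API calls by region shows which run-time region does what.
"""
import re

# Constructed sample: four records copied in the shape they appear in the
# report (addresses and values from the page, unused fields dropped).
SAMPLE = """\
APIs
• LoadLibraryExW.KERNELBASE(?,?,?), ref: 04BC0A02
Memory Dump Source
• Source File: 00000000.00000002.418279704.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 00B817EF
Memory Dump Source
• Source File: 00000000.00000002.412960841.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(?), ref: 04BC06DA
Memory Dump Source
• Source File: 00000000.00000002.418279704.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.412825189.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false
Uniqueness

Uniqueness Score: -1.00%
"""

# "• Api.MODULE(args), ref: ADDRESS" lines under the APIs heading.
API_RE = re.compile(r"^\W*(\w+)\.(\w+)\([^)]*\),\s*ref:\s*([0-9A-Fa-f]+)", re.M)
# Region base and backing flag from the Source File line ("true" is assumed
# to be the other value the report emits; only "false" appears on this page).
SRC_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)", re.I)

# Heuristic of this example (not a Joe Sandbox signature): APIs a hand-rolled
# loader needs to resolve imports and make written pages executable.
LOADER_APIS = {"GetModuleHandleW", "LoadLibraryExW", "VirtualProtect"}


def parse_records(text):
    """Return [(region, pe_backed, [(api, module, ref_addr), ...]), ...]."""
    records = []
    # Every record ends with its Uniqueness Score line, so split on that.
    for chunk in re.split(r"^Uniqueness Score:.*$", text, flags=re.M):
        src = SRC_RE.search(chunk)
        if src is None:
            continue  # trailing fragment, or a record without a dump line
        region = src.group(1).upper()
        pe_backed = src.group(2).lower() == "true"
        calls = [(m.group(1), m.group(2), m.group(3).upper()) for m in API_RE.finditer(chunk)]
        records.append((region, pe_backed, calls))
    return records


def regions_summary(text):
    """Per dump region: backing flag, number of functions, set of APIs called."""
    summary = {}
    for region, pe_backed, calls in parse_records(text):
        entry = summary.setdefault(region, {"pe_backed": pe_backed, "functions": 0, "apis": set()})
        entry["functions"] += 1
        entry["apis"].update(api for api, _module, _ref in calls)
    return summary


def runtime_loader_hits(text):
    """Non-PE-backed regions that call any of LOADER_APIS, with the APIs seen."""
    hits = {}
    for region, entry in regions_summary(text).items():
        seen = sorted(entry["apis"] & LOADER_APIS)
        if not entry["pe_backed"] and seen:
            hits[region] = seen
    return hits


if __name__ == "__main__":
    for region, entry in sorted(regions_summary(SAMPLE).items()):
        backing = "image-backed" if entry["pe_backed"] else "run-time region"
        print(f"{region}: {backing}, {entry['functions']} function(s), APIs={sorted(entry['apis'])}")
    print("loader-like run-time regions:", runtime_loader_hits(SAMPLE))
```

On the records from this page the summary separates 04BC0000 (module resolution, two functions) from 00B80000 (page-protection changes) and leaves 00AED000 with no resolved API at all; the split-by-region view is the quickest way to see which written region is doing loader work before opening the corresponding .sdmp dump.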

Memory Dump Source
• Source File: 00000000.00000002.412825189.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_aed000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 36265ede1a80995e63d355b08eb07e49e9e9287f34ea48fbdf73f3322dc3dad0
• Instruction ID: 61419f9b174d08c58afb59ba0cac350c38c9e4dfdd04e221d3022863ca97c59a
• Opcode Fuzzy Hash: 36265ede1a80995e63d355b08eb07e49e9e9287f34ea48fbdf73f3322dc3dad0
• Instruction Fuzzy Hash: E32107B2504284EFDB05DF14D9C0B26BF75FB98328F24C569E9054B246C336D856CBB1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.412825189.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_aed000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ab81805c31b957a4b845e0dac1dd05d28067a969c31f66ac58bf8419ac81281c
• Instruction ID: cc85538bcee777f109b6ad79bcf5c2f363593baf01ae0adbb42344aebc416379
• Opcode Fuzzy Hash: ab81805c31b957a4b845e0dac1dd05d28067a969c31f66ac58bf8419ac81281c
• Instruction Fuzzy Hash: 48213AB5504284EFDB01DF14D9C0B26BB75FBA4324F24C569E9054F286C336E846C7A1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.412847115.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_afd000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 00d8e24ee9bc0601fe7806409e19a7e4e26352a5e22135cba21a4ea76f1edc9c
• Instruction ID: 0dca340ed0d211392d20cd0f84fdfd1eba2fe3340d8b210cf7967d9b313678b0
• Opcode Fuzzy Hash: 00d8e24ee9bc0601fe7806409e19a7e4e26352a5e22135cba21a4ea76f1edc9c
• Instruction Fuzzy Hash: F1216771504248EFCB12DF50D4C0B36BB66FB84314F24C969FA0A4B246CB36D807CB61
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.412847115.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_afd000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bdb311af465f9c83c4bf80b7c0efb8fe4e0baccadbb1d19f3efb2d6fe03f6cf4
• Instruction ID: 55690a6a4aa1c83b4b7689d14df8b7d0bf238d6901694010cc8fa684b782a844
• Opcode Fuzzy Hash: bdb311af465f9c83c4bf80b7c0efb8fe4e0baccadbb1d19f3efb2d6fe03f6cf4
• Instruction Fuzzy Hash: 1F2137B1504248EFDB02DF90D5C0B76BB66FB84314F24CA6DFA094B242C736D846CBA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.412847115.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_afd000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c9c797e88e2dc39c0c63d58ba9cd73b799f2022b8e60367396f1a81fe2a59fd7
• Instruction ID: 67bc0fda4287c3f1e8122ed0f1842fd81eb58e3a53d076c9e2c310798482f56f
• Opcode Fuzzy Hash: c9c797e88e2dc39c0c63d58ba9cd73b799f2022b8e60367396f1a81fe2a59fd7
• Instruction Fuzzy Hash: AA2192755093C49FCB03CF20D994715BF72EB46314F28C5EAD8498B657C33A984ACB62
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.412825189.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_aed000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ec9bdf24f405aba6276b80bf4ca1a659a27303f531368fe8c9d5df908b5014d7
• Instruction ID: 2fb87727c0b6453965760829f2519bd732231a6f3ed616444fe1e80e023bf48c
• Opcode Fuzzy Hash: ec9bdf24f405aba6276b80bf4ca1a659a27303f531368fe8c9d5df908b5014d7
• Instruction Fuzzy Hash: B011E676804280DFCF11CF10D9C4B16BF71FB84324F28C6A9D8450B616C336D85ACBA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.412825189.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_aed000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ec9bdf24f405aba6276b80bf4ca1a659a27303f531368fe8c9d5df908b5014d7
• Instruction ID: 81bb98a9406d8d5fc99c130c205ccc590d916a34d483bd5a78a2278bc1bd6f67
• Opcode Fuzzy Hash: ec9bdf24f405aba6276b80bf4ca1a659a27303f531368fe8c9d5df908b5014d7
• Instruction Fuzzy Hash: 8411E676404280DFDF11CF10D5C4B16BF71FB94324F28C6A9D8090B656C33AE85ACBA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.412847115.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_afd000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f4de84cebcaf6e389506bac581f8d48d6e5c58bb6479c6da20064986341889bc
• Instruction ID: a108bac71482e0d9c6b373a286364703e2365bb986fe968e523e56500014a8d0
• Opcode Fuzzy Hash: f4de84cebcaf6e389506bac581f8d48d6e5c58bb6479c6da20064986341889bc
• Instruction Fuzzy Hash: DB11D075904284DFCB02CF50D5C4B65FB72FB84314F28C6AEE9494B656C33AD84ACBA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.412825189.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_aed000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 511cc5b75fa407a1bbd2ac036ce158603802aefdda18691678f43d82d89db9dc
• Instruction ID: 6427ca2f9a54572c0b20740e34568ed46b1efd9915b07364552d04be671e85b5
• Opcode Fuzzy Hash: 511cc5b75fa407a1bbd2ac036ce158603802aefdda18691678f43d82d89db9dc
• Instruction Fuzzy Hash: 7C01F2714083D89AE7108B26CC84B66BBA8EF41378F18855AEE095B246D3789C44CBB1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.412825189.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_aed000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cfa2544f365b4e42a2e67585bb1490bef88e2b5dfe875e9b66c9c6a996b364a1
• Instruction ID: ca1f8e7e6810b066b543ba9f493883f319b1213450b518815d08dbf9333f2aa9
• Opcode Fuzzy Hash: cfa2544f365b4e42a2e67585bb1490bef88e2b5dfe875e9b66c9c6a996b364a1
• Instruction Fuzzy Hash: E3F06D71404284AAEB108F16CCC8B62FBA8EB81774F18C55AED085B286C379A844CAB1
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.412960841.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID:
• String ID: Du$Du$|FIK
• API String ID: 0-511696956
• Opcode ID: a75739bee1734d2b75856dee11f9469373ac5ba33ee718de1e533f2c6e2995df
• Instruction ID: 219cd95d9f3f9e8474e13ea16fc54a640d43e2197dc155e5fbabf1958845cd10
• Opcode Fuzzy Hash: a75739bee1734d2b75856dee11f9469373ac5ba33ee718de1e533f2c6e2995df
• Instruction Fuzzy Hash: B371BF74E05609CFCB08DFA9C5815EEFBF2EF89314F24956AD415B7228E334AA41CB64
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.412960841.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID:
• String ID: 2hbA$^Kj$^Kj
• API String ID: 0-2182889015
• Opcode ID: 1529ff6fcd46363f4f24b2de43d4ab8881049bfa2da9f1559c56e1598ba41b00
• Instruction ID: d6efde54598085aa22e684c80265f65ccd89409366037a7bc84b553bdf0f60d0
• Opcode Fuzzy Hash: 1529ff6fcd46363f4f24b2de43d4ab8881049bfa2da9f1559c56e1598ba41b00
• Instruction Fuzzy Hash: A4510BB0E0560ADFCB48DFA5C5815AEFBF2EF88300F24D4AAC505B7224D7349A41DB95
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.412960841.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID:
• String ID: 2hbA$^Kj$^Kj
• API String ID: 0-2182889015
• Opcode ID: ed648f88edece64b7fe6ae2858f61ca409dbcad9fb2543dd2038710806c5b716
• Instruction ID: 3b26d73b7ac1b94e2d74aace73657895ea0b1e8bfe0f49117eacd782bcccfb82
• Opcode Fuzzy Hash: ed648f88edece64b7fe6ae2858f61ca409dbcad9fb2543dd2038710806c5b716
• Instruction Fuzzy Hash: 8951D6B0E0560ADBCB48DFA5C5815AEFBF2FB88300F24D4AAC519B7224D7349A41DB95
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.412960841.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID:
• String ID: {m${m
• API String ID: 0-464447877
• Opcode ID: 9f485f768473ad5d5286764c8232bdcff593c03429a19398ce25f589ed0a835f
• Instruction ID: f63f3ac1762fa66d85b73a3501e8f54a79cbab328654b7e8829e2af77ba017cf
• Opcode Fuzzy Hash: 9f485f768473ad5d5286764c8232bdcff593c03429a19398ce25f589ed0a835f
• Instruction Fuzzy Hash: 4F71DD74A14219CFCB14CFA9C5849AEFBF1FF88310F2485A9E419AB221D734AE46CF50
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.412960841.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID:
• String ID: Du$|FIK
• API String ID: 0-3377452354
• Opcode ID: 5ed0aee16d335c4db8774cc2b95ec07f8beb6a3eada876360940ff64edd769c9
• Instruction ID: fb19c912570337479195d58837e73212951df3ce4ea2699e114e447b0d34f199
• Opcode Fuzzy Hash: 5ed0aee16d335c4db8774cc2b95ec07f8beb6a3eada876360940ff64edd769c9
• Instruction Fuzzy Hash: 2261D274E05649CFCB08CFA9C5815EEFBF2EF89314F24956AD415B7228E3349A42CB64
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.412960841.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID:
• String ID: 6<0$6<0
• API String ID: 0-3900597760
• Opcode ID: 6dd3f63d91a0b44fd2589a395f4a3e121f1a3d3a50f386ae00272f04f6d867a9
• Instruction ID: c78b0577f58d7fec7ead33d3f9f41f3bfbf940d462bd247d77be39807f8e9afa
• Opcode Fuzzy Hash: 6dd3f63d91a0b44fd2589a395f4a3e121f1a3d3a50f386ae00272f04f6d867a9
• Instruction Fuzzy Hash: 7271F0B4D0460A9FCB14DF99D5859AEFBF1FF48310F24856AD815AB324D330AA82CF95
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.412960841.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID:
• String ID: {m
• API String ID: 0-3745786961
• Opcode ID: a2c5fdf370ba05a948331c7035dbb6bb691cdb2e0b414ff43c589b9379017537
• Instruction ID: 4ea07c3e3965d8d83f17d3ccc9ca2fb5ee4fdfef510b28423f6ba08bc006d9a1
• Opcode Fuzzy Hash: a2c5fdf370ba05a948331c7035dbb6bb691cdb2e0b414ff43c589b9379017537
• Instruction Fuzzy Hash: A871E274A14219CFCB54CFA9C58499EFBF1FF88310B2485AAE409AB321D734AE46CF50
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.412960841.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_xgnxoS8HWxonNHl.jbxd
Similarity
• API ID:
• String ID: 6<0
• API String ID: 0-1586745607
• Opcode ID: a169e7f16613c49ffcbf77c453896f5b3219e9ff2a9872abd77baff80de5a26f
• Instruction ID: 631e149dfc42c8ebb87145ce8c11c7b7001241b411d7e34c49d19420d43955e9
• Opcode Fuzzy Hash: a169e7f16613c49ffcbf77c453896f5b3219e9ff2a9872abd77baff80de5a26f
• Instruction Fuzzy Hash: 3661F5B4D0464A8FCB14DFA9C5859AEFBF1FF49310F2485A6D415AB324D3309982CF95
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.418279704.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_4bc0000_xgnxoS8HWxonNHl.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 28902275b339f8fe9c7ae172eb52eb6bea15be359030630fb7591f0230fa31b7
                                                                • Instruction ID: 138601ef17c93293af01b6f728cae9a60b4a24c70df723012f8f71a2d221f8b1
                                                                • Opcode Fuzzy Hash: 28902275b339f8fe9c7ae172eb52eb6bea15be359030630fb7591f0230fa31b7
                                                                • Instruction Fuzzy Hash: CC12A4F9412F46ABD330CF65E9981893BA1F7C5328B90420AD3611BAD1D7BC194BCF65
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.418279704.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_4bc0000_xgnxoS8HWxonNHl.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 15ee1ca802249a90c9fdabd5a425616d98815aed0037c497c86774b0f2c6323a
                                                                • Instruction ID: c0799ab43df18909eeb6ca04d38996121c1085c26b2399585d9b68c973350555
                                                                • Opcode Fuzzy Hash: 15ee1ca802249a90c9fdabd5a425616d98815aed0037c497c86774b0f2c6323a
                                                                • Instruction Fuzzy Hash: 35A16E32E002198FDF15DFA5C8845DEBBF6FF85304B1581AAE905AB221EB35EA05CB50
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.418279704.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_4bc0000_xgnxoS8HWxonNHl.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f7c4633e36a22703396188f9d2854944da473a88ad8537685f620bf5155eddfd
                                                                • Instruction ID: 7ea215bed0def6b771c9a03cc5c6be431ed5f606fd0646596d3b2e7f67a7df7c
                                                                • Opcode Fuzzy Hash: f7c4633e36a22703396188f9d2854944da473a88ad8537685f620bf5155eddfd
                                                                • Instruction Fuzzy Hash: 21C109B9812F46ABD720CF65E8881897B71FBC5328F51421AD3612B6D0D7BC188BCF64
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.418279704.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_4bc0000_xgnxoS8HWxonNHl.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 121042f65ae193580135f526467e3e3ea37049909dcd234c4ef12bac055e0f38
                                                                • Instruction ID: 1d6645c8a9769e8eb90ed380afa3cc318381ab76315bed5b25a813ab93afb795
                                                                • Opcode Fuzzy Hash: 121042f65ae193580135f526467e3e3ea37049909dcd234c4ef12bac055e0f38
                                                                • Instruction Fuzzy Hash: 053188B5D012589FCB10CFA9E984A9EFBF1EB49314F14906AE818B7310D774A945CFA4
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Execution Graph

                                                                Execution Coverage: 10.5%
                                                                Dynamic/Decrypted Code Coverage: 100%
                                                                Signature Coverage: 0%
                                                                Total number of Nodes: 86
                                                                Total number of Limit Nodes: 5
                                                                execution_graph 13958 1396b68 DuplicateHandle 13959 1396bfe 13958->13959 13864 139b990 13865 139b9a4 13864->13865 13868 139bbda 13865->13868 13874 139bcc0 13868->13874 13879 139bcb0 13868->13879 13884 139bdbc 13868->13884 13889 139bdd6 13868->13889 13875 139bd04 13874->13875 13876 139bdfb 13875->13876 13894 139c109 13875->13894 13902 139c0b8 13875->13902 13880 139bcc0 13879->13880 13881 139bdfb 13880->13881 13882 139c109 2 API calls 13880->13882 13883 139c0b8 2 API calls 13880->13883 13882->13881 13883->13881 13885 139bd6f 13884->13885 13885->13884 13886 139bdfb 13885->13886 13887 139c109 2 API calls 13885->13887 13888 139c0b8 2 API calls 13885->13888 13887->13886 13888->13886 13890 139bde9 13889->13890 13891 139bdfb 13889->13891 13892 139c109 2 API calls 13890->13892 13893 139c0b8 2 API calls 13890->13893 13892->13891 13893->13891 13895 139c112 13894->13895 13896 139c0b2 13894->13896 13898 139c17c RtlEncodePointer 13895->13898 13899 139c1a5 13895->13899 13900 139c109 RtlEncodePointer 13896->13900 13907 139c118 13896->13907 13897 139c0e6 13897->13876 13898->13899 13899->13876 13900->13897 13903 139c0d6 13902->13903 13905 139c109 2 API calls 13903->13905 13906 139c118 RtlEncodePointer 13903->13906 13904 139c0e6 13904->13876 13905->13904 13906->13904 13908 139c152 13907->13908 13909 139c17c RtlEncodePointer 13908->13909 13910 139c1a5 13908->13910 13909->13910 13910->13897 13911 1395090 13912 13950f8 CreateWindowExW 13911->13912 13914 13951b4 13912->13914 13960 1396940 GetCurrentProcess 13961 13969ba GetCurrentThread 13960->13961 13962 13969b3 13960->13962 13963 13969f0 13961->13963 13964 13969f7 GetCurrentProcess 13961->13964 13962->13961 13963->13964 13967 1396a2d 13964->13967 13965 1396a55 GetCurrentThreadId 13966 1396a86 13965->13966 13967->13965 13915 110d01c 13916 110d034 13915->13916 13917 110d08e 13916->13917 13922 1397b8f 13916->13922 13930 139359c 13916->13930 13938 1395248 13916->13938 13942 1395241 13916->13942 13926 1397bbd 13922->13926 13923 1397bf1 13954 139779c 13923->13954 13925 1397bef 13926->13923 13927 1397be1 13926->13927 13946 1397d18 13927->13946 13950 1397d08 13927->13950 13931 13935a7 13930->13931 13932 1397bf1 13931->13932 13934 1397be1 13931->13934 13933 139779c CallWindowProcW 13932->13933 13935 1397bef 13933->13935 13936 1397d18 CallWindowProcW 13934->13936 13937 1397d08 CallWindowProcW 13934->13937 13936->13935 13937->13935 13939 139526e 13938->13939 13940 139359c CallWindowProcW 13939->13940 13941 139528f 13940->13941 13941->13917 13943 139526e 13942->13943 13944 139359c CallWindowProcW 13943->13944 13945 139528f 13944->13945 13945->13917 13948 1397d26 13946->13948 13947 139779c CallWindowProcW 13947->13948 13948->13947 13949 1397e13 13948->13949 13949->13925 13952 1397d26 13950->13952 13951 139779c CallWindowProcW 13951->13952 13952->13951 13953 1397e13 13952->13953 13953->13925 13955 13977a7 13954->13955 13956 1397ee2 CallWindowProcW 13955->13956 13957 1397e91 13955->13957 13956->13957 13957->13925

                                                                Control-flow Graph

                                                                APIs
                                                                • GetCurrentProcess.KERNEL32 ref: 013969A0
                                                                • GetCurrentThread.KERNEL32 ref: 013969DD
                                                                • GetCurrentProcess.KERNEL32 ref: 01396A1A
                                                                • GetCurrentThreadId.KERNEL32 ref: 01396A73
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.628897498.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_1390000_xgnxoS8HWxonNHl.jbxd
                                                                Similarity
                                                                • API ID: Current$ProcessThread
                                                                • String ID:
                                                                • API String ID: 2063062207-0
                                                                • Opcode ID: 9615a8a0c0f5e29b82ce772d43ed6a493b7da01113f616268e204eb1d71be5b5
                                                                • Instruction ID: fd2964fade5cd7d0a3ad522b58e963c1858cfc474c61e9723ab6e7b192888574
                                                                • Opcode Fuzzy Hash: 9615a8a0c0f5e29b82ce772d43ed6a493b7da01113f616268e204eb1d71be5b5
                                                                • Instruction Fuzzy Hash: 425199B0D012888FDB14CFA9C989BDEBFF1EF49318F14859AE549A7250D7745848CF21
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                APIs
                                                                • GetCurrentProcess.KERNEL32 ref: 013969A0
                                                                • GetCurrentThread.KERNEL32 ref: 013969DD
                                                                • GetCurrentProcess.KERNEL32 ref: 01396A1A
                                                                • GetCurrentThreadId.KERNEL32 ref: 01396A73
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.628897498.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_1390000_xgnxoS8HWxonNHl.jbxd
                                                                Similarity
                                                                • API ID: Current$ProcessThread
                                                                • String ID:
                                                                • API String ID: 2063062207-0
                                                                • Opcode ID: cb5cc221f5db9e624f227c7d17fe412414a972b8fef5411bc6e0b0b470daedb5
                                                                • Instruction ID: 435ca65da01445b501c509aaab7785205b136ae69f07ecbd58cdb093731c3cc6
                                                                • Opcode Fuzzy Hash: cb5cc221f5db9e624f227c7d17fe412414a972b8fef5411bc6e0b0b470daedb5
                                                                • Instruction Fuzzy Hash: 3E5164B0D012499FDB14CFAAC989BDEBBF1EF88318F24855AE509A7350D7745884CF62
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 40 1395084-13950f6 42 13950f8-13950fe 40->42 43 1395101-1395108 40->43 42->43 44 139510a-1395110 43->44 45 1395113-139514b 43->45 44->45 46 1395153-13951b2 CreateWindowExW 45->46 47 13951bb-13951f3 46->47 48 13951b4-13951ba 46->48 52 1395200 47->52 53 13951f5-13951f8 47->53 48->47 54 1395201 52->54 53->52 54->54
                                                                APIs
                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 013951A2
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.628897498.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_1390000_xgnxoS8HWxonNHl.jbxd
                                                                Similarity
                                                                • API ID: CreateWindow
                                                                • String ID:
                                                                • API String ID: 716092398-0
                                                                • Opcode ID: 7d1bf6babf9d2612b56701b9e96335580bee0e3aaad670f4c4e1e976d65f0352
                                                                • Instruction ID: 73d281a17ef952b2602089bb83bde2d83e94a930959884a3bf74e2d8870aa053
                                                                • Opcode Fuzzy Hash: 7d1bf6babf9d2612b56701b9e96335580bee0e3aaad670f4c4e1e976d65f0352
                                                                • Instruction Fuzzy Hash: 7A51E2B1D103589FDF15CF99C884ADEBBB5FF48314F24812AE819AB210D7749985CF90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 55 1395090-13950f6 56 13950f8-13950fe 55->56 57 1395101-1395108 55->57 56->57 58 139510a-1395110 57->58 59 1395113-13951b2 CreateWindowExW 57->59 58->59 61 13951bb-13951f3 59->61 62 13951b4-13951ba 59->62 66 1395200 61->66 67 13951f5-13951f8 61->67 62->61 68 1395201 66->68 67->66 68->68
                                                                APIs
                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 013951A2
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.628897498.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_1390000_xgnxoS8HWxonNHl.jbxd
                                                                Similarity
                                                                • API ID: CreateWindow
                                                                • String ID:
                                                                • API String ID: 716092398-0
                                                                • Opcode ID: 2398dab2100ba0ab139abc6a029fa73ffbe86707c1e7fbcf61ad6c67042a95ad
                                                                • Instruction ID: 5bdee14257c14dd2069df8251f77f786fcfb23e0ca3a4d313b4d4efa98993a57
                                                                • Opcode Fuzzy Hash: 2398dab2100ba0ab139abc6a029fa73ffbe86707c1e7fbcf61ad6c67042a95ad
                                                                • Instruction Fuzzy Hash: AA41E0B1D103489FDF15CF99C884ADEBBB5BF48314F24812AE819AB210D774A985CF90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 69 139779c-1397e84 72 1397e8a-1397e8f 69->72 73 1397f34-1397f54 call 139359c 69->73 75 1397e91-1397ec8 72->75 76 1397ee2-1397f1a CallWindowProcW 72->76 80 1397f57-1397f64 73->80 83 1397eca-1397ed0 75->83 84 1397ed1-1397ee0 75->84 77 1397f1c-1397f22 76->77 78 1397f23-1397f32 76->78 77->78 78->80 83->84 84->80
                                                                APIs
                                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 01397F09
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.628897498.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_1390000_xgnxoS8HWxonNHl.jbxd
                                                                Similarity
                                                                • API ID: CallProcWindow
                                                                • String ID:
                                                                • API String ID: 2714655100-0
                                                                • Opcode ID: a0d4d4994c061cbdeef9fb2d63ce012d778947bad430fbf7e016b97aefa10ee8
                                                                • Instruction ID: 8783c8a25371579b0203c748b0806f46624770b6dd446e5a82fa51b8c231c4ba
                                                                • Opcode Fuzzy Hash: a0d4d4994c061cbdeef9fb2d63ce012d778947bad430fbf7e016b97aefa10ee8
                                                                • Instruction Fuzzy Hash: 1E416EB4A10309CFCB15CF59C488BAABBF5FF88318F248849E519A7351D374A845CFA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 86 139c109-139c110 87 139c0b2-139c0d6 call 139bc88 86->87 88 139c112-139c15a 86->88 107 139c0e0 call 139c109 87->107 108 139c0e0 call 139c118 87->108 96 139c15c-139c15e 88->96 97 139c160 88->97 94 139c0e6-139c105 call 139bed8 99 139c165-139c170 96->99 97->99 101 139c1d1-139c1de 99->101 102 139c172-139c1a3 RtlEncodePointer 99->102 104 139c1ac-139c1cc 102->104 105 139c1a5-139c1ab 102->105 104->101 105->104 107->94 108->94
                                                                APIs
                                                                • RtlEncodePointer.NTDLL(00000000), ref: 0139C192
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.628897498.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_1390000_xgnxoS8HWxonNHl.jbxd
                                                                Similarity
                                                                • API ID: EncodePointer
                                                                • String ID:
                                                                • API String ID: 2118026453-0
                                                                • Opcode ID: 92946ea0760dca1a83fba181aa8f80d99a657245d25774fe1cbf5fc75dad4773
                                                                • Instruction ID: 13a572d9cd2e9748d41a69dc23c85f9147db191407d04ed4ea6ceb1939eba3f8
                                                                • Opcode Fuzzy Hash: 92946ea0760dca1a83fba181aa8f80d99a657245d25774fe1cbf5fc75dad4773
                                                                • Instruction Fuzzy Hash: FC3100B18053898FDB10EF69E80839EBFF8EB05318F14855AE449A3242C7786505CFA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 109 1396b61-1396bfc DuplicateHandle 110 1396bfe-1396c04 109->110 111 1396c05-1396c22 109->111 110->111
                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01396BEF
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.628897498.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_1390000_xgnxoS8HWxonNHl.jbxd
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
                                                                • Opcode ID: ebab11a5995d622bc3d06505ffb9c8e99003b983b562e8b70881962086c64fbd
                                                                • Instruction ID: 4160d5602bb7fe8ee41710e41fe44214cbdfd8909ce3a791b6a92da246b6b908
                                                                • Opcode Fuzzy Hash: ebab11a5995d622bc3d06505ffb9c8e99003b983b562e8b70881962086c64fbd
                                                                • Instruction Fuzzy Hash: 0E2100B5D00258AFDF10CFA9D585AEEBBF4EB48324F14842AE914A3210D378A954CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 114 1396b68-1396bfc DuplicateHandle 115 1396bfe-1396c04 114->115 116 1396c05-1396c22 114->116 115->116
                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01396BEF
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.628897498.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_1390000_xgnxoS8HWxonNHl.jbxd
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
                                                                • Opcode ID: f366a13c383334048e47b1138b0d51279abb114652d833e2b6c391c7bd1e8195
                                                                • Instruction ID: 7c0ff3d5779599c9f5dcc6b248ba127c73cbf7385e5e157b7d972f72ce012cc0
                                                                • Opcode Fuzzy Hash: f366a13c383334048e47b1138b0d51279abb114652d833e2b6c391c7bd1e8195
                                                                • Instruction Fuzzy Hash: 7C21C4B5D01258AFDF10CF99D585ADEBBF9EB48324F14841AE914A3310D774A944CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 119 139c118-139c15a 122 139c15c-139c15e 119->122 123 139c160 119->123 124 139c165-139c170 122->124 123->124 125 139c1d1-139c1de 124->125 126 139c172-139c1a3 RtlEncodePointer 124->126 128 139c1ac-139c1cc 126->128 129 139c1a5-139c1ab 126->129 128->125 129->128
                                                                APIs
                                                                • RtlEncodePointer.NTDLL(00000000), ref: 0139C192
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.628897498.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_1390000_xgnxoS8HWxonNHl.jbxd
                                                                Similarity
                                                                • API ID: EncodePointer
                                                                • String ID:
                                                                • API String ID: 2118026453-0
                                                                • Opcode ID: 3bf4a6384cbb0c76325afcb93a8924a6c9d8685f791517c6e8f1d7b71538121f
                                                                • Instruction ID: 692d31d7c1bc1006f49eca59d6d610f9d5d83daa0e4884ff7a0a59524980094f
                                                                • Opcode Fuzzy Hash: 3bf4a6384cbb0c76325afcb93a8924a6c9d8685f791517c6e8f1d7b71538121f
                                                                • Instruction Fuzzy Hash: B91179F19013498FDF10EFA9C54879EBBF8FB44728F24892AD409A3601D779A644CFA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%
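The flattened control_flow_graph text Joe Sandbox emits for the function at 0139c118 can be rebuilt into a real graph and queried, for instance to check that the RtlEncodePointer reference at 0139C192 falls inside block 139c172-139c1a3 and that the call sits on a conditional path (edge 124->125 bypasses block 126). The following parser is an added example, not Joe Sandbox tooling or code recovered from the sample; the token grammar (node id, address or address range, optional API name, src->dst edges) is inferred from this report entry and is an assumption, and the input string is copied from the entry above.

```python
"""Rebuild and query a Joe Sandbox "control_flow_graph" text dump.

Added example, not Joe Sandbox tooling.  Assumed grammar (inferred from the
report, not documented by the vendor): whitespace-separated tokens where
  - "<src>-><dst>" is an edge between two basic-block ids,
  - "<id> <addr>[-<addr>] [<ApiName>]" declares a basic block; the API name
    is present only when the block calls an imported function.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Copied from the report entry for the function at 0139c118 (constructed input).
SAMPLE_CFG = (
    "119 139c118-139c15a 122 139c15c-139c15e 119->122 123 139c160 119->123 "
    "124 139c165-139c170 122->124 123->124 125 139c1d1-139c1de 124->125 "
    "126 139c172-139c1a3 RtlEncodePointer 124->126 128 139c1ac-139c1cc 126->128 "
    "129 139c1a5-139c1ab 126->129 128->125 129->128"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$", re.IGNORECASE)


@dataclass
class Block:
    node_id: int
    start: int
    end: int                    # inclusive; equals start for one-address blocks
    api: Optional[str] = None   # imported function called from this block, if any
    succs: list[int] = field(default_factory=list)


def _is_api_name(tok: str) -> bool:
    # An API token is whatever is neither an edge, a node id nor an address.
    return not (EDGE_RE.match(tok) or NODE_ID_RE.match(tok) or ADDR_RE.match(tok))


def parse_cfg(text: str) -> dict[int, Block]:
    blocks: dict[int, Block] = {}
    edges: list[tuple[int, int]] = []
    toks = text.split()
    i = 0
    while i < len(toks):
        m = EDGE_RE.match(toks[i])
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif NODE_ID_RE.match(toks[i]) and i + 1 < len(toks) and ADDR_RE.match(toks[i + 1]):
            lo, _, hi = toks[i + 1].partition("-")
            blk = Block(int(toks[i]), int(lo, 16), int(hi, 16) if hi else int(lo, 16))
            i += 2
            if i < len(toks) and _is_api_name(toks[i]):
                blk.api = toks[i]
                i += 1
            blocks[blk.node_id] = blk
        else:
            raise ValueError(f"unexpected token {toks[i]!r} at index {i}")
    for src, dst in edges:
        if src not in blocks or dst not in blocks:
            raise ValueError(f"edge {src}->{dst} references an undeclared block")
        blocks[src].succs.append(dst)
    return blocks


def entry_blocks(blocks: dict[int, Block]) -> list[int]:
    targets = {d for b in blocks.values() for d in b.succs}
    return sorted(n for n in blocks if n not in targets)


def exit_blocks(blocks: dict[int, Block]) -> list[int]:
    return sorted(n for n, b in blocks.items() if not b.succs)


def api_sites(blocks: dict[int, Block]) -> list[tuple[str, int, int]]:
    """(api, node id, block start) for every block that calls an import."""
    return [(b.api, n, b.start) for n, b in sorted(blocks.items()) if b.api]


def block_containing(blocks: dict[int, Block], addr: int) -> Optional[int]:
    """Map a raw address (e.g. the report's 'ref: 0139C192') to its block."""
    for n, b in blocks.items():
        if b.start <= addr <= b.end:
            return n
    return None


def must_pass_through(blocks: dict[int, Block], node: int) -> bool:
    """True if every entry-to-exit path visits `node` (the call is unconditional).

    Walks the graph with `node` removed; if any exit is still reachable,
    some path skips the node.
    """
    seen: set[int] = set()
    work = [n for n in entry_blocks(blocks) if n != node]
    while work:
        n = work.pop()
        if n in seen:
            continue
        seen.add(n)
        work.extend(s for s in blocks[n].succs if s != node)
    return not any(e in seen for e in exit_blocks(blocks))


if __name__ == "__main__":
    cfg = parse_cfg(SAMPLE_CFG)
    print("entry", entry_blocks(cfg), "exit", exit_blocks(cfg))
    for api, node, start in api_sites(cfg):
        print(f"{api} in block {node} at {start:x}; unconditional: {must_pass_through(cfg, node)}")
    print("block containing ref 0139C192:", block_containing(cfg, 0x139C192))
```

For this function the parser yields one entry block (119), one exit block (125), and a single import site in block 126; the call is not on every path, which matches the edge 124->125 in the report's graph.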

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.628711657.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_10fd000_xgnxoS8HWxonNHl.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3a375130dcb085843bca7b4c507283b64974f21f075840b2f9a20906a3516e1d
                                                                • Instruction ID: bb0d1008ab7b7342e662046da0c91eb35e7eb288b8e8029ac42ed9b601ae3984
                                                                • Opcode Fuzzy Hash: 3a375130dcb085843bca7b4c507283b64974f21f075840b2f9a20906a3516e1d
                                                                • Instruction Fuzzy Hash: 8F2145B5504244EFDB41CF84D9C1B2ABBA5FB98324F2485ADEA450B606C336D856CBA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.628711657.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_10fd000_xgnxoS8HWxonNHl.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fea1d1323f9ad7ed484db58328b136caa8740b8ce1168f4ed4245b99573e3223
                                                                • Instruction ID: 464b9fc5346abc2fecae3592aeed87df8ed23b6b0711ac5131102920a48cd883
                                                                • Opcode Fuzzy Hash: fea1d1323f9ad7ed484db58328b136caa8740b8ce1168f4ed4245b99573e3223
                                                                • Instruction Fuzzy Hash: 742175B1504240EFDB01DF44D8C5B6BBFA5FB88328F2485ACEA450B607C736E806CBA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.628743462.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_110d000_xgnxoS8HWxonNHl.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e2f63b85237a644d41a8c3fd99a6d91d9bbfc4ae01d13e5291e96bf9c9bc0992
                                                                • Instruction ID: 4bb2fb523ee2b4c280944731f6d135a8472c2dc4878cb553c06b14e125d42279
                                                                • Opcode Fuzzy Hash: e2f63b85237a644d41a8c3fd99a6d91d9bbfc4ae01d13e5291e96bf9c9bc0992
                                                                • Instruction Fuzzy Hash: 9E214871904244DFDF1ADF94E4C0B16BB65FB44354F24C569D80D4B28AC776D807CB62
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.628711657.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_10fd000_xgnxoS8HWxonNHl.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ec9bdf24f405aba6276b80bf4ca1a659a27303f531368fe8c9d5df908b5014d7
                                                                • Instruction ID: d8c63a47bc0fd2d556683b9abf3decb74642784b2fd7c5621e8223dfe61c129c
                                                                • Opcode Fuzzy Hash: ec9bdf24f405aba6276b80bf4ca1a659a27303f531368fe8c9d5df908b5014d7
                                                                • Instruction Fuzzy Hash: B611B176804280DFDB12CF54D5C9B56BFB1FB84324F2886ADD9450B617C336D45ACBA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.628711657.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_10fd000_xgnxoS8HWxonNHl.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ec9bdf24f405aba6276b80bf4ca1a659a27303f531368fe8c9d5df908b5014d7
                                                                • Instruction ID: 64fd08f6698754ce4c16efb8eb7f87d69f9fccbffbe00990ec91c53b955c8fb3
                                                                • Opcode Fuzzy Hash: ec9bdf24f405aba6276b80bf4ca1a659a27303f531368fe8c9d5df908b5014d7
                                                                • Instruction Fuzzy Hash: 2D11B176404280DFDB52CF54D5C4B16BFB1FB98324F2886ADD9450B61BC33AD45ACBA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.628743462.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_110d000_xgnxoS8HWxonNHl.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f4de84cebcaf6e389506bac581f8d48d6e5c58bb6479c6da20064986341889bc
                                                                • Instruction ID: 1f200757c86a1fd6ff652ae8e708bd5d2f22fcbca043c6cb0004f8e9fefd9053
                                                                • Opcode Fuzzy Hash: f4de84cebcaf6e389506bac581f8d48d6e5c58bb6479c6da20064986341889bc
                                                                • Instruction Fuzzy Hash: 2211D075904280DFDB16CF54E5C4B15FF71FB44324F28C6A9D8094B69AC37AD44ACB62
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%