Windows Analysis Report
FNK08uYGy6.exe

Overview

General Information

Sample Name: FNK08uYGy6.exe
Analysis ID: 652380
MD5: 72cc5b5f44195e211dc7ac0733a748f7
SHA1: a0d73e674f78d5baa77624e7129fca4725da9354
SHA256: ab67253603d59258d946d8fb222a5ddf33e381198858dde8361023845692bf8d
Tags: exe, SnakeKeylogger

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AntiVM3
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Yara detected Generic Downloader
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • FNK08uYGy6.exe (PID: 6368, cmdline: "C:\Users\user\Desktop\FNK08uYGy6.exe", MD5: 72CC5B5F44195E211DC7AC0733A748F7)
    • FNK08uYGy6.exe (PID: 6784, cmdline: C:\Users\user\Desktop\FNK08uYGy6.exe, MD5: 72CC5B5F44195E211DC7AC0733A748F7)
  • cleanup

Malware Configuration (Snake Keylogger): {"Exfil Mode": "SMTP", "Username": "arinzelog@valete.buzz", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua", "Port": "arinze@valete.buzz"}
Yara matches in memory dumps (Source, Rule, Description, Author, Strings):

Source: 00000006.00000000.284449662.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Author: Joe Security
Source: 00000006.00000000.284449662.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Author: Joe Security
Source: 00000006.00000000.284449662.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 00000006.00000000.284449662.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Author: ditekSHen, Strings:
  • 0x17430:$x1: $%SMTPDV$
  • 0x17446:$x2: $#TheHashHere%&
  • 0x187d8:$x3: %FTPDV$
  • 0x188a0:$x4: $%TelegramDv$
  • 0x14d6d:$x5: KeyLoggerEventArgs
  • 0x15103:$x5: KeyLoggerEventArgs
  • 0x18848:$m1: | Snake Keylogger
  • 0x18900:$m1: | Snake Keylogger
  • 0x18a54:$m1: | Snake Keylogger
  • 0x18b7a:$m1: | Snake Keylogger
  • 0x18cd4:$m1: | Snake Keylogger
  • 0x187fc:$m2: Clipboard Logs ID
  • 0x18a0a:$m2: Screenshot Logs ID
  • 0x18b1e:$m2: keystroke Logs ID
  • 0x18d0a:$m3: SnakePW
  • 0x189e2:$m4: \SnakeKeylogger\
Source: 00000006.00000000.283485008.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Author: Joe Security
(table truncated; 27 entries in the full report)

Yara matches in unpacked PEs (Source, Rule, Description, Author, Strings):

Source: 6.2.FNK08uYGy6.exe.400000.0.unpack, Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Author: Florian Roth, Strings:
  • 0x1b36e:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1a557:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x1a99e:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1bb1f:$a5: \Kometa\User Data\Default\Login Data
Source: 6.2.FNK08uYGy6.exe.400000.0.unpack, Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Author: Joe Security
Source: 6.2.FNK08uYGy6.exe.400000.0.unpack, Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Author: Joe Security
Source: 6.2.FNK08uYGy6.exe.400000.0.unpack, Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Author: Joe Security
Source: 6.2.FNK08uYGy6.exe.400000.0.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
(table truncated; 73 entries in the full report)

No Sigma rule has matched

Snort IDS alert:
Timestamp: 06/26/22-09:30:30.731763
Source IP: 192.168.2.3
Destination IP: 193.122.130.0
Source Port: 49742
Destination Port: 80
SID: 2842536
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: FNK08uYGy6.exe, Virustotal: Detection: 39%
Source: FNK08uYGy6.exe, Joe Sandbox ML: detected
Source: 6.0.FNK08uYGy6.exe.400000.12.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 6.0.FNK08uYGy6.exe.400000.6.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 6.2.FNK08uYGy6.exe.400000.0.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 6.0.FNK08uYGy6.exe.400000.4.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 6.0.FNK08uYGy6.exe.400000.8.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 6.0.FNK08uYGy6.exe.400000.10.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 6.0.FNK08uYGy6.exe.400000.12.unpack, Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "arinzelog@valete.buzz", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua", "Port": "arinze@valete.buzz"}
Source: FNK08uYGy6.exe, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: FNK08uYGy6.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\FNK08uYGy6.exe, Code function: 4x nop then jmp 0258F539h (6_2_0258F280)
Source: C:\Users\user\Desktop\FNK08uYGy6.exe, Code function: 4x nop then jmp 02587DC7h (6_2_02587B08)
Source: C:\Users\user\Desktop\FNK08uYGy6.exe, Code function: 4x nop then jmp 0258FDE9h (6_2_0258FB30)
Source: C:\Users\user\Desktop\FNK08uYGy6.exe, Code function: 4x nop then jmp 02588687h (6_2_025883C9)
Source: C:\Users\user\Desktop\FNK08uYGy6.exe, Code function: 4x nop then jmp 025863D1h (6_2_02586111)
Source: C:\Users\user\Desktop\FNK08uYGy6.exe, Code function: 4x nop then jmp 02587507h (6_2_02587196)
Source: C:\Users\user\Desktop\FNK08uYGy6.exe, Code function: 4x nop then jmp 0258F0E1h (6_2_0258EE28)
Source: C:\Users\user\Desktop\FNK08uYGy6.exe, Code function: 4x nop then jmp 0258F991h (6_2_0258F6D8)
Source: C:\Users\user\Desktop\FNK08uYGy6.exe, Code function: 4x nop then jmp 02586B10h (6_2_025866F8)
Source: C:\Users\user\Desktop\FNK08uYGy6.exe, Code function: 4x nop then jmp 02587967h (6_2_025876A8)
Source: C:\Users\user\Desktop\FNK08uYGy6.exe, Code function: 4x nop then jmp 0258EC8Ah (6_2_0258E758)
Source: C:\Users\user\Desktop\FNK08uYGy6.exe, Code function: 4x nop then jmp 02588227h (6_2_02587F68)
Source: C:\Users\user\Desktop\FNK08uYGy6.exe, Code function: 4x nop then jmp 02585F70h (6_2_02585587)
Source: C:\Users\user\Desktop\FNK08uYGy6.exe, Code function: 4x nop then jmp 02586B10h (6_2_02586A3E)
Source: C:\Users\user\Desktop\FNK08uYGy6.exe, Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h (6_2_02584AA8)
Source: C:\Users\user\Desktop\FNK08uYGy6.exe, Code function: 4x nop then jmp 02586B10h (6_2_025866E8)

                  Networking

Source: Traffic, Snort IDS: 2842536 ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.2.3:49742 -> 193.122.130.0:80
Source: C:\Users\user\Desktop\FNK08uYGy6.exe, DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\FNK08uYGy6.exe, DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\FNK08uYGy6.exe, DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\FNK08uYGy6.exe, DNS query: name: checkip.dyndns.org
Source: Yara match, File source: 6.2.FNK08uYGy6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.FNK08uYGy6.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.FNK08uYGy6.exe.378d3f0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.FNK08uYGy6.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.FNK08uYGy6.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.FNK08uYGy6.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.FNK08uYGy6.exe.2587870.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.FNK08uYGy6.exe.374bdb0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.FNK08uYGy6.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.FNK08uYGy6.exe.376d7d0.9.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View, ASN Name: ORACLE-BMC-31898US
Source: Joe Sandbox View, IP Address: 193.122.130.0
Source: global traffic, HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Source: FNK08uYGy6.exe, 00000006.00000002.523219009.00000000029A7000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.com
Source: FNK08uYGy6.exe, 00000006.00000002.523079314.0000000002901000.00000004.00000800.00020000.00000000.sdmp, FNK08uYGy6.exe, 00000006.00000002.523219009.00000000029A7000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.org
Source: FNK08uYGy6.exe, 00000006.00000002.523079314.0000000002901000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.org/
Source: FNK08uYGy6.exe, 00000000.00000002.288825320.000000000374B000.00000004.00000800.00020000.00000000.sdmp, FNK08uYGy6.exe, 00000006.00000000.284449662.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.org/q
Source: FNK08uYGy6.exe, 00000006.00000002.523079314.0000000002901000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.org4
Source: FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://fontfabrik.com
Source: FNK08uYGy6.exe, 00000006.00000002.523079314.0000000002901000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fonts.com
Source: FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.sakkal.com
Source: FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.tiro.com
Source: FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.typography.netD
Source: FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: FNK08uYGy6.exe, 00000000.00000002.288825320.000000000374B000.00000004.00000800.00020000.00000000.sdmp, FNK08uYGy6.exe, 00000006.00000000.284449662.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: https://api.telegram.org/bot
Source: unknown, DNS traffic detected: queries for: checkip.dyndns.org
Source: global traffic, HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive

                  System Summary

Source: 6.2.FNK08uYGy6.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 6.2.FNK08uYGy6.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables with potential process hoocking, Author: ditekSHen
Source: 6.2.FNK08uYGy6.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Snake Keylogger, Author: ditekSHen
Source: 6.0.FNK08uYGy6.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 6.0.FNK08uYGy6.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Detects executables with potential process hoocking, Author: ditekSHen
Source: 6.0.FNK08uYGy6.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Detects Snake Keylogger, Author: ditekSHen
Source: 0.2.FNK08uYGy6.exe.378d3f0.10.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 0.2.FNK08uYGy6.exe.378d3f0.10.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables with potential process hoocking, Author: ditekSHen
Source: 0.2.FNK08uYGy6.exe.378d3f0.10.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Snake Keylogger, Author: ditekSHen
Source: 6.0.FNK08uYGy6.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 6.0.FNK08uYGy6.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Detects executables with potential process hoocking, Author: ditekSHen
Source: 6.0.FNK08uYGy6.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Detects Snake Keylogger, Author: ditekSHen
Source: 6.0.FNK08uYGy6.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 6.0.FNK08uYGy6.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: Detects executables with potential process hoocking, Author: ditekSHen
Source: 6.0.FNK08uYGy6.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: Detects Snake Keylogger, Author: ditekSHen
Source: 6.0.FNK08uYGy6.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 6.0.FNK08uYGy6.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Detects executables with potential process hoocking, Author: ditekSHen
Source: 6.0.FNK08uYGy6.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Detects Snake Keylogger, Author: ditekSHen
Source: 0.2.FNK08uYGy6.exe.378d3f0.10.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 0.2.FNK08uYGy6.exe.378d3f0.10.unpack, type: UNPACKEDPE, Matched rule: Detects executables with potential process hoocking, Author: ditekSHen
Source: 0.2.FNK08uYGy6.exe.378d3f0.10.unpack, type: UNPACKEDPE, Matched rule: Detects Snake Keylogger, Author: ditekSHen
Source: 0.2.FNK08uYGy6.exe.2587870.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables potentially checking for WinJail sandbox window, Author: ditekSHen
Source: 0.2.FNK08uYGy6.exe.374bdb0.11.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 0.2.FNK08uYGy6.exe.374bdb0.11.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables with potential process hoocking, Author: ditekSHen
Source: 0.2.FNK08uYGy6.exe.374bdb0.11.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Snake Keylogger, Author: ditekSHen
Source: 0.2.FNK08uYGy6.exe.376d7d0.9.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 0.2.FNK08uYGy6.exe.376d7d0.9.unpack, type: UNPACKEDPE, Matched rule: Detects executables with potential process hoocking, Author: ditekSHen
Source: 0.2.FNK08uYGy6.exe.376d7d0.9.unpack, type: UNPACKEDPE, Matched rule: Detects Snake Keylogger, Author: ditekSHen
Source: 6.0.FNK08uYGy6.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 6.0.FNK08uYGy6.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Detects executables with potential process hoocking, Author: ditekSHen
Source: 6.0.FNK08uYGy6.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Detects Snake Keylogger, Author: ditekSHen
Source: 0.2.FNK08uYGy6.exe.376d7d0.9.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 0.2.FNK08uYGy6.exe.376d7d0.9.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables with potential process hoocking, Author: ditekSHen
Source: 0.2.FNK08uYGy6.exe.376d7d0.9.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Snake Keylogger, Author: ditekSHen
Source: 00000006.00000000.284449662.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Snake Keylogger, Author: ditekSHen
Source: 00000006.00000000.283485008.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Snake Keylogger, Author: ditekSHen
Source: 00000006.00000002.521292876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Snake Keylogger, Author: ditekSHen
Source: 00000006.00000000.282580370.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Snake Keylogger, Author: ditekSHen
Source: 00000006.00000000.283915809.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Snake Keylogger, Author: ditekSHen
Source: 00000000.00000002.288825320.000000000374B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Snake Keylogger, Author: ditekSHen
Source: Process Memory Space: FNK08uYGy6.exe PID: 6368, type: MEMORYSTR, Matched rule: Detects Snake Keylogger, Author: ditekSHen
Source: Process Memory Space: FNK08uYGy6.exe PID: 6784, type: MEMORYSTR, Matched rule: Detects Snake Keylogger, Author: ditekSHen
Source: FNK08uYGy6.exe, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 6.2.FNK08uYGy6.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.FNK08uYGy6.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.FNK08uYGy6.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 6.0.FNK08uYGy6.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.FNK08uYGy6.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.0.FNK08uYGy6.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.FNK08uYGy6.exe.378d3f0.10.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.FNK08uYGy6.exe.378d3f0.10.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.FNK08uYGy6.exe.378d3f0.10.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 6.0.FNK08uYGy6.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.FNK08uYGy6.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.0.FNK08uYGy6.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 6.0.FNK08uYGy6.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.FNK08uYGy6.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.0.FNK08uYGy6.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 6.0.FNK08uYGy6.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.FNK08uYGy6.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.0.FNK08uYGy6.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.FNK08uYGy6.exe.378d3f0.10.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.FNK08uYGy6.exe.378d3f0.10.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.FNK08uYGy6.exe.378d3f0.10.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.FNK08uYGy6.exe.2587870.4.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.FNK08uYGy6.exe.374bdb0.11.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.FNK08uYGy6.exe.374bdb0.11.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.FNK08uYGy6.exe.374bdb0.11.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.FNK08uYGy6.exe.376d7d0.9.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.FNK08uYGy6.exe.376d7d0.9.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.FNK08uYGy6.exe.376d7d0.9.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 6.0.FNK08uYGy6.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.FNK08uYGy6.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.0.FNK08uYGy6.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.FNK08uYGy6.exe.376d7d0.9.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 0.2.FNK08uYGy6.exe.376d7d0.9.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.FNK08uYGy6.exe.376d7d0.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000006.00000000.284449662.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000006.00000000.283485008.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000006.00000002.521292876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000006.00000000.282580370.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000006.00000000.283915809.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000000.00000002.288825320.000000000374B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Process Memory Space: FNK08uYGy6.exe PID: 6368, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Process Memory Space: FNK08uYGy6.exe PID: 6784, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeCode function: 0_2_0097CB040_2_0097CB04
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeCode function: 0_2_0097EF500_2_0097EF50
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeCode function: 0_2_0097EF400_2_0097EF40
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeCode function: 6_2_0258F2806_2_0258F280
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeCode function: 6_2_02587B086_2_02587B08
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeCode function: 6_2_0258FB306_2_0258FB30
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeCode function: 6_2_025883C96_2_025883C9
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeCode function: 6_2_02586B886_2_02586B88
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeCode function: 6_2_025861116_2_02586111
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeCode function: 6_2_025871966_2_02587196
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeCode function: 6_2_0258EE286_2_0258EE28
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeCode function: 6_2_0258F6D86_2_0258F6D8
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeCode function: 6_2_025876A86_2_025876A8
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeCode function: 6_2_0258E7586_2_0258E758
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeCode function: 6_2_02587F686_2_02587F68
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeCode function: 6_2_0258A45A6_2_0258A45A
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeCode function: 6_2_02582C296_2_02582C29
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeCode function: 6_2_025855876_2_02585587
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeCode function: 6_2_02584A986_2_02584A98
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeCode function: 6_2_02584AA86_2_02584AA8
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeCode function: 6_2_02586B786_2_02586B78
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeCode function: 6_2_025871DA6_2_025871DA
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeCode function: 6_2_0258DFD06_2_0258DFD0
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeCode function: 6_2_0258DFE06_2_0258DFE0
                  Source: FNK08uYGy6.exe, 00000000.00000002.287844848.00000000024E1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCloneHelper.dll4 vs FNK08uYGy6.exe
                  Source: FNK08uYGy6.exe, 00000000.00000000.248411823.0000000000172000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameEnvironmentPermissionAttrib.exeF vs FNK08uYGy6.exe
                  Source: FNK08uYGy6.exe, 00000000.00000002.291294976.0000000006AE0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTweenEngineAPI.dllD vs FNK08uYGy6.exe
                  Source: FNK08uYGy6.exe, 00000000.00000002.288278278.00000000034E9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTweenEngineAPI.dllD vs FNK08uYGy6.exe
                  Source: FNK08uYGy6.exe, 00000000.00000002.288825320.000000000374B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs FNK08uYGy6.exe
                  Source: FNK08uYGy6.exe, 00000000.00000002.287973283.000000000257F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNativeVariant.dll" vs FNK08uYGy6.exe
                  Source: FNK08uYGy6.exe, 00000000.00000002.287973283.000000000257F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs FNK08uYGy6.exe
                  Source: FNK08uYGy6.exe, 00000006.00000000.283111637.0000000000582000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameEnvironmentPermissionAttrib.exeF vs FNK08uYGy6.exe
                  Source: FNK08uYGy6.exe, 00000006.00000000.283542711.0000000000422000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs FNK08uYGy6.exe
                  Source: FNK08uYGy6.exe, 00000006.00000002.522018022.0000000000937000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs FNK08uYGy6.exe
                  Source: FNK08uYGy6.exeBinary or memory string: OriginalFilenameEnvironmentPermissionAttrib.exeF vs FNK08uYGy6.exe
                  Source: FNK08uYGy6.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: FNK08uYGy6.exeVirustotal: Detection: 39%
                  Source: FNK08uYGy6.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknown | Process created: C:\Users\user\Desktop\FNK08uYGy6.exe "C:\Users\user\Desktop\FNK08uYGy6.exe"
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Process created: C:\Users\user\Desktop\FNK08uYGy6.exe C:\Users\user\Desktop\FNK08uYGy6.exe
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FNK08uYGy6.exe.log
                  Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1
                  Source: FNK08uYGy6.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: FNK08uYGy6.exe, UA/Dq.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: FNK08uYGy6.exe, UA/Dq.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.FNK08uYGy6.exe.f0000.0.unpack, UA/Dq.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.FNK08uYGy6.exe.f0000.0.unpack, UA/Dq.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.0.FNK08uYGy6.exe.f0000.0.unpack, UA/Dq.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 0.0.FNK08uYGy6.exe.f0000.0.unpack, UA/Dq.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 6.0.FNK08uYGy6.exe.400000.12.unpack, u26ca?u060cufffd?/ufffdK??ufffd.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                  Source: 6.0.FNK08uYGy6.exe.400000.12.unpack, ufffdudb0audf1au07b8?/?????.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 6.0.FNK08uYGy6.exe.500000.0.unpack, UA/Dq.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 6.0.FNK08uYGy6.exe.500000.0.unpack, UA/Dq.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: FNK08uYGy6.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: FNK08uYGy6.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Data Obfuscation

                  Source: FNK08uYGy6.exe, UA/Dq.cs | .Net Code: Oy System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 0.2.FNK08uYGy6.exe.f0000.0.unpack, UA/Dq.cs | .Net Code: Oy System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 0.0.FNK08uYGy6.exe.f0000.0.unpack, UA/Dq.cs | .Net Code: Oy System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 6.0.FNK08uYGy6.exe.500000.0.unpack, UA/Dq.cs | .Net Code: Oy System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 6.0.FNK08uYGy6.exe.500000.1.unpack, UA/Dq.cs | .Net Code: Oy System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 6.2.FNK08uYGy6.exe.500000.1.unpack, UA/Dq.cs | .Net Code: Oy System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 6.0.FNK08uYGy6.exe.500000.13.unpack, UA/Dq.cs | .Net Code: Oy System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 6.0.FNK08uYGy6.exe.500000.2.unpack, UA/Dq.cs | .Net Code: Oy System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 6.0.FNK08uYGy6.exe.500000.3.unpack, UA/Dq.cs | .Net Code: Oy System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 6.0.FNK08uYGy6.exe.500000.5.unpack, UA/Dq.cs | .Net Code: Oy System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Code function: 6_2_02588F09 push FFFFFF8Bh; iretd | 6_2_02588F0D
                  Source: initial sample | Static PE information: section name: .text entropy: 7.807452697270324
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match | File source: 0.2.FNK08uYGy6.exe.2587870.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.287973283.000000000257F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: FNK08uYGy6.exe PID: 6368, type: MEMORYSTR
                  Source: FNK08uYGy6.exe, 00000000.00000002.287973283.000000000257F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                  Source: FNK08uYGy6.exe, 00000000.00000002.287973283.000000000257F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe TID: 6396 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Thread delayed: delay time: 922337203685477
                  Source: FNK08uYGy6.exe, 00000000.00000002.287973283.000000000257F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: FNK08uYGy6.exe, 00000000.00000002.287973283.000000000257F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                  Source: FNK08uYGy6.exe, 00000000.00000002.287973283.000000000257F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                  Source: FNK08uYGy6.exe, 00000000.00000002.287973283.000000000257F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Code function: 6_2_02586B88 LdrInitializeThunk | 6_2_02586B88
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: 6.0.FNK08uYGy6.exe.400000.12.unpack, ufffdudb0audf1au07b8?/?????.cs | Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
                  Source: 6.0.FNK08uYGy6.exe.400000.12.unpack, ?ufffdWu02e8ufffd/??Ru07b4?.cs | Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
                  Source: 6.0.FNK08uYGy6.exe.400000.6.unpack, ufffdudb0audf1au07b8?/?????.cs | Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
                  Source: 6.0.FNK08uYGy6.exe.400000.6.unpack, ?ufffdWu02e8ufffd/??Ru07b4?.cs | Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
                  Source: 6.2.FNK08uYGy6.exe.400000.0.unpack, ufffdudb0audf1au07b8?/?????.cs | Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
                  Source: 6.2.FNK08uYGy6.exe.400000.0.unpack, ?ufffdWu02e8ufffd/??Ru07b4?.cs | Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
                  Source: 6.0.FNK08uYGy6.exe.400000.4.unpack, ufffdudb0audf1au07b8?/?????.cs | Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
                  Source: 6.0.FNK08uYGy6.exe.400000.4.unpack, ?ufffdWu02e8ufffd/??Ru07b4?.cs | Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Process created: C:\Users\user\Desktop\FNK08uYGy6.exe C:\Users\user\Desktop\FNK08uYGy6.exe
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Users\user\Desktop\FNK08uYGy6.exe VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\FNK08uYGy6.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Users\user\Desktop\FNK08uYGy6.exe VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

Source: Yara match | File source: 6.2.FNK08uYGy6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.FNK08uYGy6.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FNK08uYGy6.exe.378d3f0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.FNK08uYGy6.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.FNK08uYGy6.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.FNK08uYGy6.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FNK08uYGy6.exe.378d3f0.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FNK08uYGy6.exe.374bdb0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FNK08uYGy6.exe.376d7d0.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.FNK08uYGy6.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FNK08uYGy6.exe.376d7d0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.284449662.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.283485008.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.521292876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.282580370.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.283915809.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.288825320.000000000374B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FNK08uYGy6.exe PID: 6368, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: FNK08uYGy6.exe PID: 6784, type: MEMORYSTR
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\FNK08uYGy6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

                  Remote Access Functionality

Source: Yara match | File source: 6.2.FNK08uYGy6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.FNK08uYGy6.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FNK08uYGy6.exe.378d3f0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.FNK08uYGy6.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.FNK08uYGy6.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.FNK08uYGy6.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FNK08uYGy6.exe.378d3f0.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FNK08uYGy6.exe.374bdb0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FNK08uYGy6.exe.376d7d0.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.FNK08uYGy6.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FNK08uYGy6.exe.376d7d0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.284449662.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.283485008.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.521292876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.282580370.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.283915809.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.288825320.000000000374B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FNK08uYGy6.exe PID: 6368, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: FNK08uYGy6.exe PID: 6784, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques are listed per tactic column of the matrix; a number in brackets is the count the matrix shows next to that technique.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Native API (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection (11); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (21); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (13)
Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (11); Process Discovery (1); Virtualization/Sandbox Evasion (21); Remote System Discovery (1); System Network Configuration Discovery (1); System Information Discovery (13); Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Email Collection (1); Archive Collected Data (11); Data from Local System (2); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
Source | Detection | Scanner | Label | Link
FNK08uYGy6.exe | 39% | Virustotal | | Browse
FNK08uYGy6.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link | Download
6.0.FNK08uYGy6.exe.400000.12.unpack | 100% | Avira | TR/ATRAPS.Gen | | Download File
6.0.FNK08uYGy6.exe.400000.6.unpack | 100% | Avira | TR/ATRAPS.Gen | | Download File
6.2.FNK08uYGy6.exe.400000.0.unpack | 100% | Avira | TR/ATRAPS.Gen | | Download File
6.0.FNK08uYGy6.exe.400000.4.unpack | 100% | Avira | TR/ATRAPS.Gen | | Download File
6.0.FNK08uYGy6.exe.400000.8.unpack | 100% | Avira | TR/ATRAPS.Gen | | Download File
6.0.FNK08uYGy6.exe.400000.10.unpack | 100% | Avira | TR/ATRAPS.Gen | | Download File
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://checkip.dyndns.org | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://checkip.dyndns.org4 | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://checkip.dyndns.org/ | 0% | URL Reputation | safe
http://checkip.dyndns.org/q | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://checkip.dyndns.com | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
checkip.dyndns.com | 193.122.130.0 | true | true | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | true | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot | FNK08uYGy6.exe, 00000000.00000002.288825320.000000000374B000.00000004.00000800.00020000.00000000.sdmp, FNK08uYGy6.exe, 00000006.00000000.284449662.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org | FNK08uYGy6.exe, 00000006.00000002.523079314.0000000002901000.00000004.00000800.00020000.00000000.sdmp, FNK08uYGy6.exe, 00000006.00000002.523219009.00000000029A7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org4 | FNK08uYGy6.exe, 00000006.00000002.523079314.0000000002901000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | FNK08uYGy6.exe, 00000000.00000002.288825320.000000000374B000.00000004.00000800.00020000.00000000.sdmp, FNK08uYGy6.exe, 00000006.00000000.284449662.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.com | FNK08uYGy6.exe, 00000006.00000002.523219009.00000000029A7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | FNK08uYGy6.exe, 00000006.00000002.523079314.0000000002901000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | FNK08uYGy6.exe, 00000000.00000002.290165836.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
193.122.130.0 | checkip.dyndns.com | United States | | 31898 | ORACLE-BMC-31898US | true
                                              Joe Sandbox Version:35.0.0 Citrine
                                              Analysis ID:652380
Start date and time:2022-06-26 09:29:05 +02:00
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 11m 16s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Sample file name:FNK08uYGy6.exe
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:27
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.troj.spyw.evad.winEXE@3/1@2/1
                                              EGA Information:
                                              • Successful, ratio: 100%
                                              HDC Information:Failed
                                              HCA Information:
                                              • Successful, ratio: 99%
                                              • Number of executed functions: 38
                                              • Number of non-executed functions: 4
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Adjust boot time
                                              • Enable AMSI
                                              • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
                                              • Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, go.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:30:21 | API Interceptor | 1x Sleep call for process: FNK08uYGy6.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
193.122.130.0 | MV SEA EVERGOLD.exe | Get hash | malicious | Browse
• checkip.dyndns.org/
4vQAHpapFz.exe | Get hash | malicious | Browse
• checkip.dyndns.org/
aercUUUX2C.exe | Get hash | malicious | Browse
• checkip.dyndns.org/
CUSTOMER REQUEST.exe | Get hash | malicious | Browse
• checkip.dyndns.org/
Import shipment.exe | Get hash | malicious | Browse
• checkip.dyndns.org/
854F1E97-5DBB-4A87-A566-33D9012B05E2 pdf.exe | Get hash | malicious | Browse
• checkip.dyndns.org/
tka30O3OZN.exe | Get hash | malicious | Browse
• checkip.dyndns.org/
ViAKIk7T7X.exe | Get hash | malicious | Browse
• checkip.dyndns.org/
qzzwd4Mg1N.exe | Get hash | malicious | Browse
• checkip.dyndns.org/
4008765678900--98765.exe | Get hash | malicious | Browse
• checkip.dyndns.org/
F96UcEk8Z9.exe | Get hash | malicious | Browse
• checkip.dyndns.org/
t5nmFGhdVA.exe | Get hash | malicious | Browse
• checkip.dyndns.org/
Order Details.exe | Get hash | malicious | Browse
• checkip.dyndns.org/
uc2RxH8hO7.exe | Get hash | malicious | Browse
• checkip.dyndns.org/
gsjRXEqpy51bLEm.exe | Get hash | malicious | Browse
• checkip.dyndns.org/
RFQ_5076414.exe | Get hash | malicious | Browse
• checkip.dyndns.org/
0043302751 22062022 pdf.exe | Get hash | malicious | Browse
• checkip.dyndns.org/
SecuriteInfo.com.Trojan.DownloaderNET.345.29836.exe | Get hash | malicious | Browse
• checkip.dyndns.org/
Remittance Advice.exe | Get hash | malicious | Browse
• checkip.dyndns.org/
ORDEN DE COMPRA.001.exe | Get hash | malicious | Browse
• checkip.dyndns.org/
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
checkip.dyndns.com | MV CHINALAND.exe | Get hash | malicious | Browse
• 158.101.44.242
Import shipment.exe | Get hash | malicious | Browse
• 132.226.247.73
MV SEA EVERGOLD.exe | Get hash | malicious | Browse
• 193.122.130.0
4vQAHpapFz.exe | Get hash | malicious | Browse
• 193.122.130.0
SecuriteInfo.com.IL.Trojan.MSILZilla.16190.26221.exe | Get hash | malicious | Browse
• 193.122.6.168
gD5LFrPtfc.exe | Get hash | malicious | Browse
• 132.226.247.73
aercUUUX2C.exe | Get hash | malicious | Browse
• 193.122.130.0
vSgQo7dqYG.exe | Get hash | malicious | Browse
• 158.101.44.242
MV CHINALAND.exe | Get hash | malicious | Browse
• 132.226.8.169
22017_TIEM2 - RFQ.exe | Get hash | malicious | Browse
• 158.101.44.242
CUSTOMER REQUEST.exe | Get hash | malicious | Browse
• 193.122.130.0
Import shipment.exe | Get hash | malicious | Browse
• 193.122.130.0
854F1E97-5DBB-4A87-A566-33D9012B05E2 pdf.exe | Get hash | malicious | Browse
• 193.122.130.0
tka30O3OZN.exe | Get hash | malicious | Browse
• 193.122.130.0
MV SEA EVERGOLD.exe | Get hash | malicious | Browse
• 132.226.247.73
Docume001.exe | Get hash | malicious | Browse
• 132.226.8.169
ViAKIk7T7X.exe | Get hash | malicious | Browse
• 193.122.130.0
qzzwd4Mg1N.exe | Get hash | malicious | Browse
• 193.122.130.0
4008765678900--98765.exe | Get hash | malicious | Browse
• 193.122.130.0
MV SEA EVERGOLD.exe | Get hash | malicious | Browse
• 132.226.247.73
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
ORACLE-BMC-31898US | MV CHINALAND.exe | Get hash | malicious | Browse
• 158.101.44.242
MV SEA EVERGOLD.exe | Get hash | malicious | Browse
• 193.122.130.0
4vQAHpapFz.exe | Get hash | malicious | Browse
• 193.122.130.0
SecuriteInfo.com.IL.Trojan.MSILZilla.16190.26221.exe | Get hash | malicious | Browse
• 193.122.6.168
aercUUUX2C.exe | Get hash | malicious | Browse
• 193.122.130.0
vSgQo7dqYG.exe | Get hash | malicious | Browse
• 158.101.44.242
22017_TIEM2 - RFQ.exe | Get hash | malicious | Browse
• 158.101.44.242
CUSTOMER REQUEST.exe | Get hash | malicious | Browse
• 193.122.130.0
Import shipment.exe | Get hash | malicious | Browse
• 193.122.130.0
854F1E97-5DBB-4A87-A566-33D9012B05E2 pdf.exe | Get hash | malicious | Browse
• 193.122.130.0
tka30O3OZN.exe | Get hash | malicious | Browse
• 193.122.130.0
ViAKIk7T7X.exe | Get hash | malicious | Browse
• 193.122.130.0
qzzwd4Mg1N.exe | Get hash | malicious | Browse
• 193.122.130.0
4008765678900--98765.exe | Get hash | malicious | Browse
• 193.122.130.0
https://wallpaperaccess.com/miami-night | Get hash | malicious | Browse
• 150.136.25.38
b8sqHJocuX.exe | Get hash | malicious | Browse
• 193.122.6.168
report.exe | Get hash | malicious | Browse
• 193.122.6.168
F96UcEk8Z9.exe | Get hash | malicious | Browse
• 193.122.130.0
t5nmFGhdVA.exe | Get hash | malicious | Browse
• 193.122.130.0
Payment Copy.exe | Get hash | malicious | Browse
• 193.122.6.168
                                              No context
                                              No context
                                              Process:C:\Users\user\Desktop\FNK08uYGy6.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1216
                                              Entropy (8bit):5.355304211458859
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                              MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                              SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                              SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                              SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                              Malicious:true
                                              Reputation:high, very likely benign file
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.797440786688109
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              File name:FNK08uYGy6.exe
                                              File size:521728
                                              MD5:72cc5b5f44195e211dc7ac0733a748f7
                                              SHA1:a0d73e674f78d5baa77624e7129fca4725da9354
                                              SHA256:ab67253603d59258d946d8fb222a5ddf33e381198858dde8361023845692bf8d
                                              SHA512:9c80f5d541bbad89460ebac2a00d841f0fab177b6996338ac76df2d5d818bf1f0e9388e0e8b1a56b390a2502143f1a6352c58ed2e66f2493c0e8383d25d85535
                                              SSDEEP:12288:jOEH2iNDkPRxliW1IQS4evLfoILnwsTDxLzueC41jov26z:b1pkPRrhIQSvvLgowsnxzdd1G2O
                                              TLSH:84B4F184F3654DA9D09357B4C8EDE1041263F74A96BEC616B4FE360EC5723EA41A3E0B
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b..............0.............~.... ... ....@.. .......................`............@................................
                                              Icon Hash:00828e8e8686b000
                                              Entrypoint:0x480c7e
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x62B7C615 [Sun Jun 26 02:36:05 2022 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(The second line is repeated 97 times in the original listing: the bytes after the jmp are zeros, which disassemble as add byte ptr [eax], al.) The jmp is the entire native entry stub. 0x00402000 is the IAT slot at RVA 0x2000 (imagebase 0x400000; compare IMAGE_DIRECTORY_ENTRY_IAT below), which holds the address of mscoree.dll!_CorExeMain, so control passes straight to the CLR and the PE entrypoint says nothing about the managed code that follows.
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x80c30          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x82000          0x3e4         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x84000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x7ec84       0x7ee00   False     0.8623075738916256  data       7.807452697270324    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x82000          0x3e4         0x400     False     0.3876953125        data       3.110715766265863    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x84000          0xc           0x200     False     0.044921875         data       0.08153941234324169  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Note: .text holds 0x7ee00 of the 0x7f400 raw section bytes at an entropy of 7.81 bits per byte (8.0 is the maximum). For a managed executable whose only native import is mscoree.dll!_CorExeMain, a near-random code section points to an embedded compressed or encrypted payload rather than plain IL, which agrees with the 100% dynamic/decrypted code coverage reported in the execution graph below.
Name        RVA      Size   Type                                                              Language  Country
RT_VERSION  0x82058  0x38c  PGP symmetric key encrypted data - Plaintext or unencrypted data
(The Type column is libmagic's guess on the raw resource bytes. An RT_VERSION resource is a VS_VERSIONINFO structure; the "PGP" label is a false positive, not an indicator.)
DLL          Import
mscoree.dll  _CorExeMain
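The section and import tables above carry the static triage signal of this sample: a .text section at 7.81 bits per byte that is almost the whole file, and a native import table reduced to mscoree.dll!_CorExeMain. As an added example, not part of the Joe Sandbox report and not the sample's code, the following pure-Python check parses a PE section table, computes per-section Shannon entropy and applies that "high-entropy section that dominates the file" heuristic. The 7.0 threshold and the build_sample_pe() helper, which produces a constructed minimal PE32 so the script runs offline, are assumptions for illustration; on the real sample call triage(open(path, "rb").read()).

```python
import math
import struct
from collections import Counter

# Assumption: triage threshold in bits per byte (maximum is 8.0). Plain IL and
# native code usually sit well below it; compressed or encrypted data sits above.
PACKED_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, virtual_size, virtual_address, raw_bytes) from a PE's section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                              # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    first = coff + 20 + size_opt                     # section headers follow the optional header
    for i in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, first + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, image[rawptr:rawptr + rawsize]


def triage(image: bytes):
    """Flag sections that are both high-entropy and hold most of the file's raw bytes."""
    sections = list(pe_sections(image))
    total_raw = sum(len(raw) for *_, raw in sections) or 1
    findings = []
    for name, _vsize, _vaddr, raw in sections:
        ent = shannon_entropy(raw)
        share = len(raw) / total_raw
        if ent >= PACKED_ENTROPY and share >= 0.5:
            findings.append(f"{name}: entropy {ent:.2f}/8.00 over {share:.0%} of raw bytes, "
                            "likely compressed or encrypted payload")
    return findings


def build_sample_pe(text_bytes: bytes, rsrc_bytes: bytes) -> bytes:
    """Constructed minimal PE32 (DOS stub, COFF header, zeroed optional header, two sections) for offline testing."""
    e_lfanew, size_opt, file_align = 0x80, 0xE0, 0x200
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, size_opt, 0x0102)   # i386, 2 sections
    opt = struct.pack("<H", 0x10B).ljust(size_opt, b"\0")                 # PE32 magic, rest zero
    raw_off = (e_lfanew + 4 + 20 + size_opt + 2 * 40 + file_align - 1) & ~(file_align - 1)
    text = struct.pack("<8sIIIIIIHHI", b".text", len(text_bytes), 0x2000,
                       len(text_bytes), raw_off, 0, 0, 0, 0, 0x60000020)
    rsrc = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc_bytes), 0x82000,
                       len(rsrc_bytes), raw_off + len(text_bytes), 0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + coff + opt + text + rsrc).ljust(raw_off, b"\0") + text_bytes + rsrc_bytes


# Constructed inputs: a near-random 2 KiB "code" section next to a small version
# resource (packed-like), and a low-entropy code section (plain) as a control.
PACKED_SAMPLE = build_sample_pe(bytes(range(256)) * 8, b"VS_VERSION_INFO\0" * 8)
PLAIN_SAMPLE = build_sample_pe(b"\x00\x01\x02\x03" * 512, b"VS_VERSION_INFO\0" * 8)

if __name__ == "__main__":
    for label, image in (("packed-like", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, triage(image) or ["no high-entropy section"])
```

The entropy value alone is not a verdict: a large embedded certificate or compressed resource in .rsrc also scores high, which is why the check also asks whether the section is where most of the file's bytes live, as it is for this sample's .text.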
Timestamp                 Protocol  SID      Message                                                          Source Port  Dest Port  Source IP    Dest IP
06/26/22-09:30:30.731763  TCP       2842536  ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check  49742        80         192.168.2.3  193.122.130.0
Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Jun 26, 2022 09:30:30.623353958 CEST  49742        80         192.168.2.3    193.122.130.0
Jun 26, 2022 09:30:30.731216908 CEST  80           49742      193.122.130.0  192.168.2.3
Jun 26, 2022 09:30:30.731317997 CEST  49742        80         192.168.2.3    193.122.130.0
Jun 26, 2022 09:30:30.731762886 CEST  49742        80         192.168.2.3    193.122.130.0
Jun 26, 2022 09:30:30.839421988 CEST  80           49742      193.122.130.0  192.168.2.3
Jun 26, 2022 09:30:31.840404987 CEST  80           49742      193.122.130.0  192.168.2.3
Jun 26, 2022 09:30:31.980557919 CEST  49742        80         192.168.2.3    193.122.130.0
Jun 26, 2022 09:31:36.840686083 CEST  80           49742      193.122.130.0  192.168.2.3
Jun 26, 2022 09:31:36.840861082 CEST  49742        80         192.168.2.3    193.122.130.0
Jun 26, 2022 09:32:11.872819901 CEST  49742        80         192.168.2.3    193.122.130.0
Jun 26, 2022 09:32:11.982700109 CEST  80           49742      193.122.130.0  192.168.2.3
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Jun 26, 2022 09:30:30.536204100 CEST  56417        53         192.168.2.3  8.8.8.8
Jun 26, 2022 09:30:30.555058002 CEST  53           56417      8.8.8.8      192.168.2.3
Jun 26, 2022 09:30:30.571269989 CEST  55923        53         192.168.2.3  8.8.8.8
Jun 26, 2022 09:30:30.590084076 CEST  53           55923      8.8.8.8      192.168.2.3
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                Type            Class
Jun 26, 2022 09:30:30.536204100 CEST  192.168.2.3  8.8.8.8  0xc440    Standard query (0)  checkip.dyndns.org  A (IP address)  IN (0x0001)
Jun 26, 2022 09:30:30.571269989 CEST  192.168.2.3  8.8.8.8  0x25b8    Standard query (0)  checkip.dyndns.org  A (IP address)  IN (0x0001)
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                CName               Address         Type                    Class
Jun 26, 2022 09:30:30.555058002 CEST  8.8.8.8    192.168.2.3  0xc440    No error (0)  checkip.dyndns.org  checkip.dyndns.com                  CNAME (Canonical name)  IN (0x0001)
Jun 26, 2022 09:30:30.555058002 CEST  8.8.8.8    192.168.2.3  0xc440    No error (0)  checkip.dyndns.com                      193.122.130.0   A (IP address)          IN (0x0001)
Jun 26, 2022 09:30:30.555058002 CEST  8.8.8.8    192.168.2.3  0xc440    No error (0)  checkip.dyndns.com                      132.226.8.169   A (IP address)          IN (0x0001)
Jun 26, 2022 09:30:30.555058002 CEST  8.8.8.8    192.168.2.3  0xc440    No error (0)  checkip.dyndns.com                      193.122.6.168   A (IP address)          IN (0x0001)
Jun 26, 2022 09:30:30.555058002 CEST  8.8.8.8    192.168.2.3  0xc440    No error (0)  checkip.dyndns.com                      132.226.247.73  A (IP address)          IN (0x0001)
Jun 26, 2022 09:30:30.555058002 CEST  8.8.8.8    192.168.2.3  0xc440    No error (0)  checkip.dyndns.com                      158.101.44.242  A (IP address)          IN (0x0001)
Jun 26, 2022 09:30:30.590084076 CEST  8.8.8.8    192.168.2.3  0x25b8    No error (0)  checkip.dyndns.org  checkip.dyndns.com                  CNAME (Canonical name)  IN (0x0001)
Jun 26, 2022 09:30:30.590084076 CEST  8.8.8.8    192.168.2.3  0x25b8    No error (0)  checkip.dyndns.com                      193.122.6.168   A (IP address)          IN (0x0001)
Jun 26, 2022 09:30:30.590084076 CEST  8.8.8.8    192.168.2.3  0x25b8    No error (0)  checkip.dyndns.com                      158.101.44.242  A (IP address)          IN (0x0001)
Jun 26, 2022 09:30:30.590084076 CEST  8.8.8.8    192.168.2.3  0x25b8    No error (0)  checkip.dyndns.com                      132.226.8.169   A (IP address)          IN (0x0001)
Jun 26, 2022 09:30:30.590084076 CEST  8.8.8.8    192.168.2.3  0x25b8    No error (0)  checkip.dyndns.com                      193.122.130.0   A (IP address)          IN (0x0001)
Jun 26, 2022 09:30:30.590084076 CEST  8.8.8.8    192.168.2.3  0x25b8    No error (0)  checkip.dyndns.com                      132.226.247.73  A (IP address)          IN (0x0001)
Both lookups (35 ms apart) return the same five A records for checkip.dyndns.com in a different order; the sample connected to the first address of the first reply, 193.122.130.0.
                                              • checkip.dyndns.org
Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.3  49742        193.122.130.0   80                C:\Users\user\Desktop\FNK08uYGy6.exe
Timestamp                             kBytes transferred  Direction  Data
Jun 26, 2022 09:30:30.731762886 CEST  1253                OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jun 26, 2022 09:30:31.840404987 CEST  1253                IN
HTTP/1.1 200 OK
Date: Sun, 26 Jun 2022 07:30:31 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 34 33 2e 36 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.143.61</body></html>
This is the external-IP lookup that raised the Snort alert above and the only HTTP session recorded. The fixed User-Agent (an IE6 / Windows NT 5.2 string with a malformed ".NET CLR1.0.3705;" token) is what makes the request distinguishable from a browser; the 106-byte body tells the sample the public address of the machine it runs on (here the analysis host's, 102.129.143.61).
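The DNS lookups, the Snort alert and the HTTP exchange above all record one behaviour: the sample resolves checkip.dyndns.org and fetches its own public IP with a fixed, outdated User-Agent. As an added example, not part of the Joe Sandbox report and not the sample's code, the following Python detector runs that logic over constructed copies of the captured records: it flags DNS queries for IP-check services, parses the raw HTTP request to match the Host and the exact User-Agent string seen here, and extracts the public address the server returned. The IP_CHECK_HOSTS entries other than checkip.dyndns.org/.com, the benign control query, and the way records are fed in as plain strings are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Services stealers query to learn the victim's public IP. The first two names
# are from this capture (query name and its CNAME); the others are an assumption.
IP_CHECK_HOSTS = {
    "checkip.dyndns.org",
    "checkip.dyndns.com",
    "checkip.amazonaws.com",  # assumption
    "api.ipify.org",          # assumption
}

# User-Agent seen in the capture: IE6 on Windows NT 5.2 with a ".NET CLR1.0.3705"
# token (no space after CLR, trailing ';'). Matched exactly, space made optional.
STEALER_UA = re.compile(
    r"Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.2; \.NET CLR ?1\.0\.3705;?\)"
)

# Body format of checkip.dyndns.org, as seen in the captured 200 OK.
IP_IN_BODY = re.compile(r"Current IP Address:\s*((?:\d{1,3}\.){3}\d{1,3})")


@dataclass
class Finding:
    kind: str    # dns_ip_check | http_ip_check | stealer_user_agent
    detail: str


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into its request line and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def check_dns(query_names):
    """Flag every query for a known IP-check service (trailing dot and case ignored)."""
    return [Finding("dns_ip_check", q)
            for q in query_names if q.lower().rstrip(".") in IP_CHECK_HOSTS]


def check_http(raw_request: str):
    """Flag an IP-check Host and the Snake/Matiex-style User-Agent in one request."""
    req = parse_http_request(raw_request)
    findings = []
    host = req["headers"].get("host", "").lower()
    ua = req["headers"].get("user-agent", "")
    if host in IP_CHECK_HOSTS:
        findings.append(Finding("http_ip_check", f"{req['method']} {req['target']} Host: {host}"))
    if STEALER_UA.fullmatch(ua):
        findings.append(Finding("stealer_user_agent", ua))
    return findings


def leaked_public_ip(response_body: str):
    """Return the public address the IP-check service told the sample, or None."""
    m = IP_IN_BODY.search(response_body)
    return m.group(1) if m else None


def triage(dns_queries, raw_request, response_body):
    """Run all checks and return (findings, public_ip)."""
    return check_dns(dns_queries) + check_http(raw_request), leaked_public_ip(response_body)


# Constructed from the records in this report (CRLF line endings restored);
# the third DNS query is a constructed benign control, not from the capture.
SAMPLE_DNS_QUERIES = ["checkip.dyndns.org", "checkip.dyndns.org", "time.windows.com"]
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)\r\n"
    "Host: checkip.dyndns.org\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)
SAMPLE_RESPONSE_BODY = (
    "<html><head><title>Current IP Check</title></head>"
    "<body>Current IP Address: 102.129.143.61</body></html>\r\n"
)

if __name__ == "__main__":
    found, ip = triage(SAMPLE_DNS_QUERIES, SAMPLE_REQUEST, SAMPLE_RESPONSE_BODY)
    for f in found:
        print(f"[{f.kind}] {f.detail}")
    print("public IP disclosed to sample:", ip)
```

The Host match on its own is noisy (legitimate software and users also hit IP-check services); the combination with the fixed User-Agent is what the ETPRO signature keys on, and a rule should weight the two findings together rather than alert on either alone.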



                                              Target ID:0
                                              Start time:09:30:08
                                              Start date:26/06/2022
                                              Path:C:\Users\user\Desktop\FNK08uYGy6.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\FNK08uYGy6.exe"
                                              Imagebase:0xf0000
                                              File size:521728 bytes
                                              MD5 hash:72CC5B5F44195E211DC7AC0733A748F7
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.287973283.000000000257F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.288825320.000000000374B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.288825320.000000000374B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.288825320.000000000374B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.288825320.000000000374B000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                              Reputation:low

                                              Target ID:6
                                              Start time:09:30:23
                                              Start date:26/06/2022
                                              Path:C:\Users\user\Desktop\FNK08uYGy6.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\Desktop\FNK08uYGy6.exe
                                              Imagebase:0x500000
                                              File size:521728 bytes
                                              MD5 hash:72CC5B5F44195E211DC7AC0733A748F7
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000000.284449662.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000000.284449662.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000000.284449662.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000006.00000000.284449662.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000000.283485008.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000000.283485008.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000000.283485008.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000006.00000000.283485008.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.521292876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.521292876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.521292876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000006.00000002.521292876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000000.282580370.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000000.282580370.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000000.282580370.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000006.00000000.282580370.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000000.283915809.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000000.283915809.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000000.283915809.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000006.00000000.283915809.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                              Reputation:low


                                                Execution Graph

                                                Execution Coverage:12.7%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:80
                                                Total number of Limit Nodes:3
                                                execution_graph 9541 97c070 9542 97c0d6 9541->9542 9546 97c230 9542->9546 9549 97c220 9542->9549 9543 97c185 9553 97aa9c 9546->9553 9550 97c230 9549->9550 9551 97aa9c DuplicateHandle 9550->9551 9552 97c25e 9551->9552 9552->9543 9554 97c298 DuplicateHandle 9553->9554 9556 97c25e 9554->9556 9556->9543 9557 979c78 9560 979d70 9557->9560 9558 979c87 9561 979d83 9560->9561 9562 979d9b 9561->9562 9567 979ff8 9561->9567 9562->9558 9563 979d93 9563->9562 9564 979f98 GetModuleHandleW 9563->9564 9565 979fc5 9564->9565 9565->9558 9568 97a00c 9567->9568 9569 97a031 9568->9569 9571 9790f0 9568->9571 9569->9563 9572 97a1d8 LoadLibraryExW 9571->9572 9574 97a251 9572->9574 9574->9569 9575 9740e8 9576 974105 9575->9576 9577 974115 9576->9577 9585 974248 9576->9585 9581 973c78 9577->9581 9582 973c83 9581->9582 9590 976e10 9582->9590 9584 97719f 9586 97426d 9585->9586 9636 974338 9586->9636 9640 974348 9586->9640 9591 976e1b 9590->9591 9594 976e40 9591->9594 9593 97740d 9593->9584 9595 976e4b 9594->9595 9598 976e70 9595->9598 9597 9774e2 9597->9593 9599 976e7b 9598->9599 9602 976ea0 9599->9602 9601 9775e2 9601->9597 9603 976eab 9602->9603 9604 977d3c 9603->9604 9606 97bda8 9603->9606 9604->9601 9608 97bdc9 9606->9608 9607 97bded 9607->9604 9608->9607 9610 97bf58 9608->9610 9612 97bf65 9610->9612 9613 97bf9f 9612->9613 9614 97aa14 9612->9614 9613->9607 9615 97aa1f 9614->9615 9617 97cc98 9615->9617 9618 97c834 9615->9618 9617->9617 9619 97c83f 9618->9619 9620 976ea0 2 API calls 9619->9620 9621 97cd07 9620->9621 9625 97ea78 9621->9625 9630 97ea88 9621->9630 9622 97cd40 9622->9617 9627 97ea88 9625->9627 9626 97eac5 9626->9622 9627->9626 9628 97eef8 LoadLibraryExW GetModuleHandleW 9627->9628 9629 97ef08 LoadLibraryExW GetModuleHandleW 9627->9629 9628->9626 9629->9626 9631 97eab9 9630->9631 9633 97eb05 9630->9633 9632 97eac5 9631->9632 9634 97eef8 LoadLibraryExW GetModuleHandleW 9631->9634 9635 97ef08 LoadLibraryExW GetModuleHandleW 
9631->9635 9632->9622 9633->9622 9634->9633 9635->9633 9638 97436f 9636->9638 9637 97444c 9637->9637 9638->9637 9644 973e64 9638->9644 9642 97436f 9640->9642 9641 97444c 9641->9641 9642->9641 9643 973e64 CreateActCtxA 9642->9643 9643->9641 9645 9753d8 CreateActCtxA 9644->9645 9647 97549b 9645->9647

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 0 979d70-979d85 call 977a54 3 979d87-979d95 call 979ff8 0->3 4 979d9b-979d9f 0->4 3->4 8 979ed0-979f90 3->8 5 979db3-979df4 4->5 6 979da1-979dab 4->6 11 979df6-979dfe 5->11 12 979e01-979e0f 5->12 6->5 48 979f92-979f95 8->48 49 979f98-979fc3 GetModuleHandleW 8->49 11->12 13 979e33-979e35 12->13 14 979e11-979e16 12->14 18 979e38-979e3f 13->18 16 979e21 14->16 17 979e18-979e1f call 979098 14->17 21 979e23-979e31 16->21 17->21 22 979e41-979e49 18->22 23 979e4c-979e53 18->23 21->18 22->23 25 979e55-979e5d 23->25 26 979e60-979e69 call 9790a8 23->26 25->26 31 979e76-979e7b 26->31 32 979e6b-979e73 26->32 33 979e7d-979e84 31->33 34 979e99-979e9d 31->34 32->31 33->34 35 979e86-979e96 call 9790b8 call 9790c8 33->35 53 979ea0 call 97a2f0 34->53 54 979ea0 call 97a300 34->54 35->34 38 979ea3-979ea6 41 979ec9-979ecf 38->41 42 979ea8-979ec6 38->42 42->41 48->49 50 979fc5-979fcb 49->50 51 979fcc-979fe0 49->51 50->51 53->38 54->38
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00979FB6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.287389117.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_970000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 7ee475d9ba170ad67568d4c3effe5d24dffce9361d2db1f198229d0d82938e4d
                                                • Instruction ID: 6d6fd523cb9339d07fb325f73543e6b4565c9c99dbf4eebb4ecf647955780bae
                                                • Opcode Fuzzy Hash: 7ee475d9ba170ad67568d4c3effe5d24dffce9361d2db1f198229d0d82938e4d
                                                • Instruction Fuzzy Hash: 58712371A00B058FDB24DF2AD14179ABBF5FF88314F00892DE58ADBA40E775E9498F91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 56 9753cc-975499 CreateActCtxA 58 9754a2-9754fc 56->58 59 97549b-9754a1 56->59 66 9754fe-975501 58->66 67 97550b-97550f 58->67 59->58 66->67 68 975511-97551d 67->68 69 975520 67->69 68->69 71 975521 69->71 71->71
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 00975489
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.287389117.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_970000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 7cfeaeb432f3028ecf7009d0bd741ebfcc108e07cf070a32179f4e94aadc1a5c
                                                • Instruction ID: 176928fc2fff5b62f6ad58ed074a3103fdc77ed7a40019050fb365f114f5a36f
                                                • Opcode Fuzzy Hash: 7cfeaeb432f3028ecf7009d0bd741ebfcc108e07cf070a32179f4e94aadc1a5c
                                                • Instruction Fuzzy Hash: B6410571D04619CFDB24CF99C884BDEBBB1FF48308F218029D409AB251DB75698ACF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 89 97c358-97c365 90 97c367-97c486 89->90 91 97c2fd-97c32c DuplicateHandle 89->91 92 97c335-97c352 91->92 93 97c32e-97c334 91->93 93->92
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0097C25E,?,?,?,?,?), ref: 0097C31F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.287389117.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_970000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: f8905e5c27f671519f37680732d226b994956a525aa0e727ee131b59b13022e8
                                                • Instruction ID: d9d406112a240a6b2ca08086170e96cea5590d6d054522ac406f3a676e4d2c47
                                                • Opcode Fuzzy Hash: f8905e5c27f671519f37680732d226b994956a525aa0e727ee131b59b13022e8
                                                • Instruction Fuzzy Hash: B6415EB8E443449FE700EF60E84A7693BB9FB88342F144429E9065F3DAD7B46812CF51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 72 973e64-975499 CreateActCtxA 75 9754a2-9754fc 72->75 76 97549b-9754a1 72->76 83 9754fe-975501 75->83 84 97550b-97550f 75->84 76->75 83->84 85 975511-97551d 84->85 86 975520 84->86 85->86 88 975521 86->88 88->88
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 00975489
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.287389117.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_970000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: d591e31c37b1e77b636ba9baf14fd1a27f18e6718afe11d15f760da5953b748d
                                                • Instruction ID: 8201b0addda4fd59ccd352c53722826721275188032e5a638e0d3b219f327045
                                                • Opcode Fuzzy Hash: d591e31c37b1e77b636ba9baf14fd1a27f18e6718afe11d15f760da5953b748d
                                                • Instruction Fuzzy Hash: 3341E471C04718CFDB24DFA9C884B8EBBB5BF48308F258069D509BB255DBB56986CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 107 97aa9c-97c32c DuplicateHandle 110 97c335-97c352 107->110 111 97c32e-97c334 107->111 111->110
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0097C25E,?,?,?,?,?), ref: 0097C31F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.287389117.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_970000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: fd8c0f4218b7bd540ce2782c432ac74aef6f50bf8371c4b338306df8a7fa2ecd
                                                • Instruction ID: 099b8ed74129a6cc1c52400a2d64b853480b9ff730219d000d4af5d2436ba81e
                                                • Opcode Fuzzy Hash: fd8c0f4218b7bd540ce2782c432ac74aef6f50bf8371c4b338306df8a7fa2ecd
                                                • Instruction Fuzzy Hash: 6221C6B59047099FDB10CF99D984ADEBBF8EB48314F14842AE919B7310D378A954CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 114 97c290-97c2fa 115 97c2fd-97c32c DuplicateHandle 114->115 116 97c335-97c352 115->116 117 97c32e-97c334 115->117 117->116
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0097C25E,?,?,?,?,?), ref: 0097C31F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.287389117.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_970000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 69cf696ffca69734a9d9a63fbea25799da29db07aabd45f8582ec30a83b0c189
                                                • Instruction ID: fa13b6bece5727d4309b687892ae940120bb7d2ca36c006b3b53165a5ee38485
                                                • Opcode Fuzzy Hash: 69cf696ffca69734a9d9a63fbea25799da29db07aabd45f8582ec30a83b0c189
                                                • Instruction Fuzzy Hash: F921C4B6D01649DFDB10CFA9D984ADEBBF4FB48314F14842AE914A7210D378A994CF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 120 9790f0-97a218 122 97a220-97a24f LoadLibraryExW 120->122 123 97a21a-97a21d 120->123 124 97a251-97a257 122->124 125 97a258-97a275 122->125 123->122 124->125
                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0097A031,00000800,00000000,00000000), ref: 0097A242
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.287389117.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_970000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: d924d9aee8e77309d1bb80466cc4a4f72ac9ad4ad985a46e2d3decde9160641d
                                                • Instruction ID: ac2c65aa43983a128eddddac151c9e0a1acc45b31afeb5260c592b1e34ae89ca
                                                • Opcode Fuzzy Hash: d924d9aee8e77309d1bb80466cc4a4f72ac9ad4ad985a46e2d3decde9160641d
                                                • Instruction Fuzzy Hash: 0C1129B69043489FDB10CF9AD444ADEFBF4EB88314F11842ED929B7600C379A945CFA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 128 97a1d0-97a218 130 97a220-97a24f LoadLibraryExW 128->130 131 97a21a-97a21d 128->131 132 97a251-97a257 130->132 133 97a258-97a275 130->133 131->130 132->133
                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0097A031,00000800,00000000,00000000), ref: 0097A242
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.287389117.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_970000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: ac2cdb932470551bc1855e6190925416fc48cb623b6327086c30675837b622c7
                                                • Instruction ID: 0ea2845f303650ffa6591adfc3517dc7a8c9953014bded634e7c561e5bfed76d
                                                • Opcode Fuzzy Hash: ac2cdb932470551bc1855e6190925416fc48cb623b6327086c30675837b622c7
                                                • Instruction Fuzzy Hash: 721159B6C002088FCB10CF99D544BDEFBF4AB88314F14842ED429B7200C375A945CFA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 136 979f50-979f90 137 979f92-979f95 136->137 138 979f98-979fc3 GetModuleHandleW 136->138 137->138 139 979fc5-979fcb 138->139 140 979fcc-979fe0 138->140 139->140
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00979FB6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.287389117.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_970000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 25d1d941f943b1bf61946501d290f7abfa697a65e34ac9a04443a81135a80321
                                                • Instruction ID: c9faed6b6d7a680807ea9eb3f4bf1a9556c2bfa1907a21bc211938d7af08a488
                                                • Opcode Fuzzy Hash: 25d1d941f943b1bf61946501d290f7abfa697a65e34ac9a04443a81135a80321
                                                • Instruction Fuzzy Hash: 0911D2B6C006498FDB10CF9AD444ADEFBF4EB89324F15C42AD419A7600D378A945CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.287197347.000000000091D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0091D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_91d000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f8616186e7c4edc14d0b079b3fb0d1581e4cff0790478436781d9baffce915c7
                                                • Instruction ID: f447a6702ba3e3c3d6c5af7f80cb1cd989e207053bdf248414017c00994ebccc
                                                • Opcode Fuzzy Hash: f8616186e7c4edc14d0b079b3fb0d1581e4cff0790478436781d9baffce915c7
                                                • Instruction Fuzzy Hash: D2214FB1604248DFDB04CF10D9C0B57BF65FB98324F24C569D9054B2D6C33AE896C7A2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.287272808.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_92d000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4b6992fc3f6963012158d4bffa02b76cf36f54a168519df358f9942584d39a39
                                                • Instruction ID: 11e045220b4c091cbc5fc1f456b56584f3ae26f3cf0963226d408597e897e2cf
                                                • Opcode Fuzzy Hash: 4b6992fc3f6963012158d4bffa02b76cf36f54a168519df358f9942584d39a39
                                                • Instruction Fuzzy Hash: BF213BB1509244DFDB05CF10E5C0B26BB65FB84318F34C9ADD9194B34AC33AD846CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.287272808.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_92d000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 58cee14b8d97909b070966282784e4bdd7bc25bcdffd8e5234d47c02304dab38
                                                • Instruction ID: b710712abdc6e9eb1041b441e2f57d81ea524bd706e0df6d3d934355d3b8ebfd
                                                • Opcode Fuzzy Hash: 58cee14b8d97909b070966282784e4bdd7bc25bcdffd8e5234d47c02304dab38
                                                • Instruction Fuzzy Hash: 49210775548244DFDB14DF10E5C4B26BB65FB84314F24C9A9D9094B39AC33AD847CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.287272808.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_92d000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 03873395384709d14937ffb0d37f22d81a822ba634c500a68d8ebab02ca91127
                                                • Instruction ID: 75bd7af36cd994815ca9c3ac91052dc08d111beb56d3bf6e7222b73a1c9c46d2
                                                • Opcode Fuzzy Hash: 03873395384709d14937ffb0d37f22d81a822ba634c500a68d8ebab02ca91127
                                                • Instruction Fuzzy Hash: D7218E755493C08FCB12CF20D994B15BF71EB46314F28C5EAD8498B6A7C33AD80ACB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.287197347.000000000091D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0091D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_91d000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 249e2a8715e8c168eb2f5c56b923afe4400075be2633ad0d149fe07b0bffcafe
                                                • Instruction ID: 827572542a0fac1e7e7211c5eafeed563acbc3fdb46529e9bc7d936ec1808941
                                                • Opcode Fuzzy Hash: 249e2a8715e8c168eb2f5c56b923afe4400075be2633ad0d149fe07b0bffcafe
                                                • Instruction Fuzzy Hash: E811E676504284DFDF15CF10D5C4B56BF71FB98324F24C6A9D8090B6A6C33AE89ACBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.287272808.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_92d000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6f2164aac52e5a4f6a7680a53269498cc75e1f34bdd9858cea068968916b4300
                                                • Instruction ID: 961d78b960254a0db3cd054a3ec2c6bc450eec16f46fad5d21c9bc1975927f39
                                                • Opcode Fuzzy Hash: 6f2164aac52e5a4f6a7680a53269498cc75e1f34bdd9858cea068968916b4300
                                                • Instruction Fuzzy Hash: 99119D75904280DFDB11CF10D5C4B15FBB1FB84324F28C6ADD8494B65AC33AD85ACBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.287197347.000000000091D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0091D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_91d000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0e56b6f0a17ab1a7ecbf0dda4f1e1a78f2c4e0cbe4ea0dce0bd1b4889488bde8
                                                • Instruction ID: 36f3ecf3d4144bd84dac52135da273a6fc3f73d51c3b6fb3b0b753461423621c
                                                • Opcode Fuzzy Hash: 0e56b6f0a17ab1a7ecbf0dda4f1e1a78f2c4e0cbe4ea0dce0bd1b4889488bde8
                                                • Instruction Fuzzy Hash: 9301ACB150D3889AE7109E15CD84BA6BB9CEF41374F18C559EA045A2C6D37998C4C6B1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.287197347.000000000091D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0091D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_91d000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6710b0e323781ebf1ff4d4851d56e86c5a4bd1fb1031c3901e6fa67dd915858c
                                                • Instruction ID: c42926dc1fad5a11dad89668182df15e839ca5f36aae92e6d2596e5d3b97df44
                                                • Opcode Fuzzy Hash: 6710b0e323781ebf1ff4d4851d56e86c5a4bd1fb1031c3901e6fa67dd915858c
                                                • Instruction Fuzzy Hash: 84F068B15053849EE7108E15DC88BA2FF9CEB51734F18C45AED045B286C3799884CAB1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.287389117.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_970000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a7bfb908a4374029bcbdc1c5f4cef74cdd06d4b2012ebd1aeabd2e99a5f9d20d
                                                • Instruction ID: 03175c93437727a70aa3a7c45f908022bb1cc8dd4d89529a213754f09ecd0445
                                                • Opcode Fuzzy Hash: a7bfb908a4374029bcbdc1c5f4cef74cdd06d4b2012ebd1aeabd2e99a5f9d20d
                                                • Instruction Fuzzy Hash: 6B12D7F9C917468AD315CF66E8881893BB8B755328FF04B08D2617AAD1D7B4316ACF84
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.287389117.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_970000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b53f185d4aeebbf0fb14d59fcf6f507c4b9d83cc40be0f0bf74cf0d5b9b3d136
                                                • Instruction ID: 39a4738cb54850c889cb06aaec3e498100f4b8463cf8a5f64cbcf1d538eaffdf
                                                • Opcode Fuzzy Hash: b53f185d4aeebbf0fb14d59fcf6f507c4b9d83cc40be0f0bf74cf0d5b9b3d136
                                                • Instruction Fuzzy Hash: AEA18072E006198FCF05DFA5C8455DDBBB6FFC8300B1585AAE919BB221EB31A955CF80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.287389117.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_970000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8fa670e3f379a5a33744ccc3ca4eddec7952f41f6cd43a4e7f14fa9e41f15622
                                                • Instruction ID: 1b066a6007f8fc300d380c328f9c8a43073d4a7844268862e20e32481e2d4fc8
                                                • Opcode Fuzzy Hash: 8fa670e3f379a5a33744ccc3ca4eddec7952f41f6cd43a4e7f14fa9e41f15622
                                                • Instruction Fuzzy Hash: D4C179F5C917468AD715CF66E8881893BB8BB95328FB04B08D2213F6D0D7B4306ACF84
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:14.5%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:66.7%
                                                Total number of Nodes:15
                                                Total number of Limit Nodes:0
                                                execution_graph 8748 2583460 8749 258347c 8748->8749 8750 2583505 KiUserExceptionDispatcher 8749->8750 8755 2586111 8750->8755 8751 2583513 8759 25883c9 8751->8759 8752 2583536 8756 2586142 KiUserExceptionDispatcher 8755->8756 8758 25861fe 8756->8758 8758->8751 8762 25883fa 8759->8762 8760 25887df 8760->8752 8761 2588549 KiUserExceptionDispatcher 8761->8762 8762->8760 8762->8761 8763 2585587 8764 2585598 LdrInitializeThunk 8763->8764 8766 2585653 8764->8766

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 550 2585587-2585596 551 2585598-2585599 550->551 552 258559a-25855b8 550->552 551->552 553 25855ba 552->553 554 25855bf-258564c LdrInitializeThunk 552->554 553->554 555 2585653-258571b 554->555 562 2585fb4-2585fd3 555->562 563 2585fd9-258600e 562->563 564 2585720-258572c 562->564 565 258572e 564->565 566 2585733-2585799 564->566 565->566 571 258579b 566->571 572 25857a0-258582d 566->572 571->572 578 258583f-2585846 572->578 579 258582f-2585836 572->579 582 2585848 578->582 583 258584d-258585a 578->583 580 2585838 579->580 581 258583d 579->581 580->581 581->583 584 258585c 583->584 585 2585861-2585868 583->585 584->585 586 258586a 585->586 587 258586f-25858c6 585->587 586->587 590 25858c8 587->590 591 25858cd-25858e4 587->591 590->591 592 25858ef-25858f7 591->592 593 25858e6-25858ed 591->593 594 25858f8-2585902 592->594 593->594 595 2585909-2585912 594->595 596 2585904 594->596 597 2585f84-2585f8a 595->597 596->595 598 2585f90-2585faa 597->598 599 2585917-2585923 597->599 607 2585fac 598->607 608 2585fb1 598->608 600 258592a-258592f 599->600 601 2585925 599->601 602 2585931-258593d 600->602 603 2585972-2585974 600->603 601->600 605 258593f 602->605 606 2585944-2585949 602->606 609 258597a-258598e 603->609 605->606 606->603 610 258594b-2585958 606->610 607->608 608->562 611 2585f62-2585f6f 609->611 612 2585994-25859a9 609->612 616 258595a 610->616 617 258595f-2585970 610->617 615 2585f70-2585f7a 611->615 613 25859ab 612->613 614 25859b0-2585a30 612->614 613->614 624 2585a5a 614->624 625 2585a32-2585a58 614->625 618 2585f7c 615->618 619 2585f81 615->619 616->617 617->609 618->619 619->597 626 2585a64-2585a78 624->626 625->626 627 2585a7e-2585a88 626->627 628 2585bc1-2585bc6 626->628 630 2585a8a 627->630 631 2585a8f-2585aa9 627->631 632 2585bc8-2585be8 628->632 633 2585c2a-2585c2c 628->633 630->631 634 2585aab-2585ab5 631->634 635 2585ac0-2585ac2 631->635 643 2585bea-2585c10 632->643 644 2585c12 632->644 636 2585c32-2585c46 633->636 638 2585abc-2585abf 634->638 639 2585ab7 634->639 640 2585b4c-2585b58 635->640 641 2585f5c-2585f5d 636->641 642 2585c4c-2585c56 636->642 638->635 639->638 645 2585b5a 640->645 646 2585b5f-2585b64 640->646 649 2585f5e-2585f60 641->649 647 2585c58 642->647 648 2585c5d-2585c77 642->648 652 2585c1c-2585c28 643->652 644->652 645->646 653 2585b8b-2585b8d 646->653 654 2585b66-2585b73 646->654 647->648 650 2585c79-2585c83 648->650 651 2585c8e-2585c9c 648->651 649->615 655 2585c8a-2585c8d 650->655 656 2585c85 650->656 657 2585d2c-2585d38 651->657 652->636 661 2585b93-2585ba1 653->661 659 2585b7a-2585b89 654->659 660 2585b75 654->660 655->651 656->655 664 2585d3a 657->664 665 2585d3f-2585d44 657->665 659->661 660->659 662 2585ac7-2585adc 661->662 663 2585ba7-2585bbc 661->663 668 2585ade 662->668 669 2585ae3-2585b41 662->669 663->649 664->665 666 2585d6b-2585d6d 665->666 667 2585d46-2585d53 665->667 672 2585d73-2585d87 666->672 670 2585d5a-2585d69 667->670 671 2585d55 667->671 668->669 687 2585b48-2585b4b 669->687 688 2585b43 669->688 670->672 671->670 673 2585d8d-2585df9 call 25843f8 * 2 672->673 674 2585ca1-2585cb9 672->674 685 2585dfb-2585dfd 673->685 686 2585e02-2585f58 673->686 676 2585cbb 674->676 677 2585cc0-2585d21 674->677 676->677 693 2585d28-2585d2b 677->693 694 2585d23 677->694 690 2585f59-2585f5a 685->690 686->690 687->640 688->687 690->598 693->657 694->693
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.522752631.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_2580000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: f2f43263402ba64497bbb3897bfb3952f7070636f0d170b8c4ee86b02179a122
                                                • Instruction ID: f349dd448a0f1732c59a587340450889c7a2b9976f90c26479198c9c35a29c80
                                                • Opcode Fuzzy Hash: f2f43263402ba64497bbb3897bfb3952f7070636f0d170b8c4ee86b02179a122
                                                • Instruction Fuzzy Hash: D162E074E04228CFDB24EF69C884BEDBBB2BB49304F5185A9D409AB355E7709E85CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Function entry: 025883C9
                                                • Recoverable references from the graph: call 025866F8, call 02586B88 (block 025883FF-025884C2); KiUserExceptionDispatcher (block 025884F5-0258856F); call 025843F8 x2 (block 02588687-025886D5)
                                                • Rendered graph with executed/not-executed block colouring not included in the text export
                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0258855B
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.522752631.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_2580000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 5422289d0d72a579719494e7f66441974e0ae6c7b7684a6c0f3b8406750dfe23
                                                • Instruction ID: 904a923dc19c07f8bcfa850ad66a502c076d0f070c5ece1a5afddce0435cdcbe
                                                • Opcode Fuzzy Hash: 5422289d0d72a579719494e7f66441974e0ae6c7b7684a6c0f3b8406750dfe23
                                                • Instruction Fuzzy Hash: CDD1D374E04218CFDB24DFA5D994B9DBBB2FF88304F2084A9D809AB355DB359A85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Function entry: 02586111
                                                • Recoverable references from the graph: KiUserExceptionDispatcher (block 02586147-0258620C); call 025843F8 x2 (block 025863D1-0258641F)
                                                • Rendered graph with executed/not-executed block colouring not included in the text export
                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 025861EC
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.522752631.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_2580000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: bbbf6071aa77524bfa059a80fdbc8166bcc0f2c2dd6e05a5467178106ca4f95c
                                                • Instruction ID: 6d68cb8b390c6cb3811c7e24deb175a4c3fb06d9e1d73d5c85b462517720db38
                                                • Opcode Fuzzy Hash: bbbf6071aa77524bfa059a80fdbc8166bcc0f2c2dd6e05a5467178106ca4f95c
                                                • Instruction Fuzzy Hash: 2FD1C274E04218CFDB14DFA5D994BADBBB2FF88304F1085AAD809AB355DB359A85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Function entry: 0258E758
                                                • Recoverable references from the graph: call 02584268 (block 0258E8BB-0258E8FB); call 02584268, call 02584160 (block 0258E902-0258E98D); call 025866F8, call 02586B88 (block 0258EA07-0258EAAC); call 025843F8 x2 (block 0258EC8A-0258ECD8)
                                                • Rendered graph with executed/not-executed block colouring not included in the text export
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.522752631.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_2580000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cd7ad5a62b5d668c147abf94f28c2c3cd14b3333a31c2fd43fa0b6cefa4aa002
                                                • Instruction ID: 0964f22e5026fb574735206a572539c2898a0111f263002e9e5b3bb74b89f081
                                                • Opcode Fuzzy Hash: cd7ad5a62b5d668c147abf94f28c2c3cd14b3333a31c2fd43fa0b6cefa4aa002
                                                • Instruction Fuzzy Hash: 83127630E042188FDB14EFA4C9957ADBBB2BF89308F1084A9D509BB394DB759D46CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Function entry: 02586B88
                                                • Recoverable references from the graph: call 02584208 (block 02586BBE-02586C54); call 02584208 (block 025871C1-025871C6)
                                                • Rendered graph with executed/not-executed block colouring not included in the text export
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.522752631.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_2580000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d261901bce83c621bfb476a777a8f3f45baad04f9dc4ba5125b55e9a931a84de
                                                • Instruction ID: c10428aa23fed20cc5b52d672cd630a02eb5015dde8097d8ada0a3b6fe2acda2
                                                • Opcode Fuzzy Hash: d261901bce83c621bfb476a777a8f3f45baad04f9dc4ba5125b55e9a931a84de
                                                • Instruction Fuzzy Hash: AEF1E574E04218CFDB14EFA9C884B9DFBB2BF88304F1581A9E908AB355DB719985CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Function entry: 02587196
                                                • Recoverable references from the graph: call 025866F8, call 02586B88 (block 0258729F-02587323); call 025843F8 x2 (block 02587507-02587555)
                                                • Rendered graph with executed/not-executed block colouring not included in the text export
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.522752631.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_2580000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e31d1c93eb26e6755c4356aa949acf0e3d6b7e0a7c9a33fbf1e3e88bf2354813
                                                • Instruction ID: d980f6c7ee762a1e146d446a93155cf2e5eccd5e15d4bedfedb1c7ea61e03f51
                                                • Opcode Fuzzy Hash: e31d1c93eb26e6755c4356aa949acf0e3d6b7e0a7c9a33fbf1e3e88bf2354813
                                                • Instruction Fuzzy Hash: 8EE12434E04258CFDB14DFA5D954BDDBBB2BF89314F2084AAC809AB355DB359A86CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Function entry: 0258FB30
                                                • Recoverable references from the graph: call 025866F8, call 02586B88 (block 0258FB67-0258FC2A); call 025843F8 x2 (block 0258FDE9-0258FE37)
                                                • Rendered graph with executed/not-executed block colouring not included in the text export
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.522752631.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_2580000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e7e52acc2d6d7f2d62638fc7155a560bb1cb020accb19ccb8a692030c9634ef6
                                                • Instruction ID: e30afd42209c95a3257153c756bbe412c407cb090d8c663ef56959552b6e40fe
                                                • Opcode Fuzzy Hash: e7e52acc2d6d7f2d62638fc7155a560bb1cb020accb19ccb8a692030c9634ef6
                                                • Instruction Fuzzy Hash: 04C1D074E04218CFDB14EFA5C994BADBBB2BF89304F2080A9D409AB354DB359A85CF14
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Function entry: 02587F68
                                                • Recoverable references from the graph: call 025866F8, call 02586B88 (block 02587F9F-02588062); call 025843F8 x2 (block 02588227-02588275)
                                                • Rendered graph with executed/not-executed block colouring not included in the text export
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.522752631.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_2580000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fa163a608f4bd275e581ff35172ff12b0fad0d68445f6feb0e0ac1a07c632b7b
                                                • Instruction ID: ccc9c72215320242b87c49bdf21052c0b2d26694a7f83db715bd640a8c529ca7
                                                • Opcode Fuzzy Hash: fa163a608f4bd275e581ff35172ff12b0fad0d68445f6feb0e0ac1a07c632b7b
                                                • Instruction Fuzzy Hash: 47D1C374E05218CFDB14DFA5D994BADBBB2FF88304F2085A9D809AB354DB359A85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Function entry: 02587B08
                                                • Recoverable references from the graph: call 025866F8, call 02586B88 (block 02587B3F-02587C02); call 025843F8 x2 (block 02587DC7-02587E15)
                                                • Rendered graph with executed/not-executed block colouring not included in the text export
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.522752631.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_2580000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a7bba1cca67d09c617bdd77520afd06f60dd7c003e44cab194070ab39bf4325f
                                                • Instruction ID: 8f364309d8bb09d95e0011c162416cc34f4ddfd532d2b0e07318dbec17e34a22
                                                • Opcode Fuzzy Hash: a7bba1cca67d09c617bdd77520afd06f60dd7c003e44cab194070ab39bf4325f
                                                • Instruction Fuzzy Hash: AFD1D374E04218CFDB24DFA5D994B9DBBB2FF88304F2085A9D809AB355DB359A85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Function entry: 0258F6D8
                                                • Recoverable references from the graph: call 025866F8, call 02586B88 (block 0258F70F-0258F7D2); call 025843F8 x2 (block 0258F991-0258F9DF)
                                                • Rendered graph with executed/not-executed block colouring not included in the text export
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.522752631.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_2580000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e50116e5b5f3832c7da044e1119f614145b70d4dd290409e726f5242294732ea
                                                • Instruction ID: f052c744facc3573a7e902e55ba339a83f3666ba0983b40b667cf9633d0efaec
                                                • Opcode Fuzzy Hash: e50116e5b5f3832c7da044e1119f614145b70d4dd290409e726f5242294732ea
                                                • Instruction Fuzzy Hash: A7C1C074E04218CFDB14EFA5C994BADBBB2BF89304F6081A9D409AB354DB359A85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Function entry: 0258F280
                                                • Recoverable references from the graph: call 025866F8, call 02586B88 (block 0258F2B7-0258F37A); call 025843F8 x2 (block 0258F539-0258F587)
                                                • Rendered graph with executed/not-executed block colouring not included in the text export
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.522752631.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_2580000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7d938a7894030448b507056e6b7d7f77b133636538387a18c451f201cdae24aa
                                                • Instruction ID: 06e3fcbd28333dae59706553f4cdee3a872418a716b57b21e5114a409355909c
                                                • Opcode Fuzzy Hash: 7d938a7894030448b507056e6b7d7f77b133636538387a18c451f201cdae24aa
                                                • Instruction Fuzzy Hash: CFC1C174E04218CFDB24EFA5D954BADBBB2BF89304F5081A9D409AB354DB359E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Function entry: 0258EE28
                                                • Recoverable references from the graph: call 025866F8, call 02586B88 (block 0258EE5F-0258EF22); call 025843F8 x2 (block 0258F0E1-0258F12F)
                                                • Rendered graph with executed/not-executed block colouring not included in the text export
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.522752631.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_2580000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4ef550df7f405899e15262d4aa2cd22bfb64042014cc9f3061fa5d0fd1fd9757
                                                • Instruction ID: bb4c2bf1681533adb53d2887e0eaaf13ec91027f7d0a275ac01abf3f3822cd0f
                                                • Opcode Fuzzy Hash: 4ef550df7f405899e15262d4aa2cd22bfb64042014cc9f3061fa5d0fd1fd9757
                                                • Instruction Fuzzy Hash: A5C1D174E04218CFDB24DFA5D994BADBBB2FF89304F2081A9D409AB354DB359A85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Function entry: 025876A8
                                                • Recoverable references from the graph: call 025866F8, call 02586B88 (block 025876DF-025877A2); call 025843F8 x2 (block 02587967-025879B5)
                                                • Rendered graph with executed/not-executed block colouring not included in the text export
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.522752631.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_2580000_FNK08uYGy6.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d5ba0ce1b77ca1571f130f26bc59c387cc8b481c43998c1c076914500e8daa0e
                                                • Instruction ID: 2543c33ced5e17ede581c36898c5ad1a0fc20172578e5501a263d492e0d26e91
                                                • Opcode Fuzzy Hash: d5ba0ce1b77ca1571f130f26bc59c387cc8b481c43998c1c076914500e8daa0e
                                                • Instruction Fuzzy Hash: 96D1D374E04218CFDB14DFA5C994B9DBBB2FF88304F2085A9D809AB355DB359A85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.522752631.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2580000_FNK08uYGy6.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5a728246e768cd867741447cb7ee415005d9c10bedd303205abe525722118a72
• Instruction ID: 6a2b17a4c6222c20778b4e2b353c624036862f221d0e3b41fd3ef9dc1abb1666
• Opcode Fuzzy Hash: 5a728246e768cd867741447cb7ee415005d9c10bedd303205abe525722118a72
• Instruction Fuzzy Hash: B6A1E370D00208CFDB24EFA9C944BDDBBB1BF89314F218269E509BB291DB719989CF55
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.522752631.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2580000_FNK08uYGy6.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 510023da16b43be6e1e22fd8d8581fd46073858ea08e631c4a7bfc51b893aede
• Instruction ID: f90fc82011cb40128fe08dceeb6eac5ab38c2bfc9859b7beb2d0ebf907498af7
• Opcode Fuzzy Hash: 510023da16b43be6e1e22fd8d8581fd46073858ea08e631c4a7bfc51b893aede
• Instruction Fuzzy Hash: 90A1F370D00208CFDB24EFA9C944B9DBBB1BF89318F218269E509BB291DB719985CF55
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.522752631.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2580000_FNK08uYGy6.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 55ac4fb81e2cf79e8392dc8128fcca172fdd7c9986b15946ee890a3352df08e5
• Instruction ID: 5b90be2b4f2785d5e9a68f09eb9250c9c6099a671eca6ec5b2579d2c0d36975b
• Opcode Fuzzy Hash: 55ac4fb81e2cf79e8392dc8128fcca172fdd7c9986b15946ee890a3352df08e5
• Instruction Fuzzy Hash: 7E91F170E00208CFDB14EFA8C884B9DBBB5BF49314F219669E509BB291DBB19985CF15
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
• KiUserExceptionDispatcher.NTDLL ref: 02583506
Memory Dump Source
• Source File: 00000006.00000002.522752631.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2580000_FNK08uYGy6.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 86d24ad75c1ca2430700952d4ced5a3103924c8b1d0ded74d9fc5e7bc49cbea0
• Instruction ID: c952ed8d6608f15e495e3b4d02b8eb504af8c963330732f0f603d105236addac
• Opcode Fuzzy Hash: 86d24ad75c1ca2430700952d4ced5a3103924c8b1d0ded74d9fc5e7bc49cbea0
• Instruction Fuzzy Hash: 5E51E1758A2743DFC7252B62BABD16EBBB1FB4F313752BC16E14AA11148B34006DCA94
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.522562263.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_ecd000_FNK08uYGy6.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c7ea3805aed280b79b4dc23a0beead272a08589a0b00c0bfa5c0592f6ef0836
• Instruction ID: 7e5cee7d19072d4273e4e6af3afa19fe8cbbe9792bbad756f4047142ce079c71
• Opcode Fuzzy Hash: 3c7ea3805aed280b79b4dc23a0beead272a08589a0b00c0bfa5c0592f6ef0836
• Instruction Fuzzy Hash: A121F1B1508244DFDB01DF10DAC0F66BF65FB88328F2485BDE9056A24AC337D856CBA2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.522604906.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_edd000_FNK08uYGy6.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fb983f4a9fc2a950e413d8606c23028d756a9ed495099c3364c27bff4ac23ca5
• Instruction ID: 7d0bad68b075edea44cd1d4111f296c04853ebfe59e474a21832e56c10ae8953
• Opcode Fuzzy Hash: fb983f4a9fc2a950e413d8606c23028d756a9ed495099c3364c27bff4ac23ca5
• Instruction Fuzzy Hash: AC21F2B550C244DFCB14DF24D9C4B26BB66FB88318F24C9AAD9095B386C336D847CBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.522604906.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_edd000_FNK08uYGy6.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: baec5cc396f48a0db3361ed7e4bbb6275717fb63d36f755ad50949b9003e126a
• Instruction ID: 3da1ce1d2f2de6fd23a68253c9a87e366991d7bee2585d0ea45e069649680ccd
• Opcode Fuzzy Hash: baec5cc396f48a0db3361ed7e4bbb6275717fb63d36f755ad50949b9003e126a
• Instruction Fuzzy Hash: B4216D755093808FCB12CF24D994715BF71EB86214F28C5EBD8498B697C33A984BCB62
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.522562263.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_ecd000_FNK08uYGy6.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 249e2a8715e8c168eb2f5c56b923afe4400075be2633ad0d149fe07b0bffcafe
• Instruction ID: 95a3cf4e0b7a2fc37cccb03613a2ce4ffff875f727b1b8fde71339ce124a5db4
• Opcode Fuzzy Hash: 249e2a8715e8c168eb2f5c56b923afe4400075be2633ad0d149fe07b0bffcafe
• Instruction Fuzzy Hash: 4711AF76508280CFCB11CF10DAC4B56BF71FB88328F2486ADD8091B656C337D85ACBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.522752631.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2580000_FNK08uYGy6.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 70105ce2ca83d9d3c6822dc4f894ed0e25253a390b488910b4643b45b633175c
• Instruction ID: 8eff5296c29d85953be0d701345340e2ea7b39a13c69fd108c34de262d68f951
• Opcode Fuzzy Hash: 70105ce2ca83d9d3c6822dc4f894ed0e25253a390b488910b4643b45b633175c
• Instruction Fuzzy Hash: F952CC74E042288FDB24DF65C984BEDBBB2BB89304F1185EAD509AB354DB319E85CF50
Uniqueness
Uniqueness Score: -1.00%