Edit tour

Windows Analysis Report
t40mINaB76.exe

Overview

General Information

Sample Name:	t40mINaB76.exe
Analysis ID:	652384
MD5:	245ec1208ca48e276c460411f78c1709
SHA1:	d11e01fe9082690cfedbdd60dcb720dc3cc31b50
SHA256:	4f226448711ce98504aa05d3ebdec11f518aa583f58d21b44869912b039a5bb7
Tags:	exeSnakeKeylogger
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected AntiVM3

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal ftp login credentials

.NET source code references suspicious native API functions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

May check the online IP address of the machine

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Yara detected Credential Stealer

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

t40mINaB76.exe (PID: 6564 cmdline: "C:\Users\user\Desktop\t40mINaB76.exe" MD5: 245EC1208CA48E276C460411F78C1709)

t40mINaB76.exe (PID: 6256 cmdline: C:\Users\user\Desktop\t40mINaB76.exe MD5: 245EC1208CA48E276C460411F78C1709)

cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "arinzelog@valete.buzz", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua", "Port": "arinze@valete.buzz"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17430:$x1: $%SMTPDV$ 0x17446:$x2: $#TheHashHere%& 0x187d8:$x3: %FTPDV$ 0x188a0:$x4: $%TelegramDv$ 0x14d6d:$x5: KeyLoggerEventArgs 0x15103:$x5: KeyLoggerEventArgs 0x18848:$m1: \| Snake Keylogger 0x18900:$m1: \| Snake Keylogger 0x18a54:$m1: \| Snake Keylogger 0x18b7a:$m1: \| Snake Keylogger 0x18cd4:$m1: \| Snake Keylogger 0x187fc:$m2: Clipboard Logs ID 0x18a0a:$m2: Screenshot Logs ID 0x18b1e:$m2: keystroke Logs ID 0x18d0a:$m3: SnakePW 0x189e2:$m4: \SnakeKeylogger\
00000000.00000002.384331004.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000000.368941333.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000000.368941333.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000000.368941333.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000000.368941333.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17430:$x1: $%SMTPDV$ 0x17446:$x2: $#TheHashHere%& 0x187d8:$x3: %FTPDV$ 0x188a0:$x4: $%TelegramDv$ 0x14d6d:$x5: KeyLoggerEventArgs 0x15103:$x5: KeyLoggerEventArgs 0x18848:$m1: \| Snake Keylogger 0x18900:$m1: \| Snake Keylogger 0x18a54:$m1: \| Snake Keylogger 0x18b7a:$m1: \| Snake Keylogger 0x18cd4:$m1: \| Snake Keylogger 0x187fc:$m2: Clipboard Logs ID 0x18a0a:$m2: Screenshot Logs ID 0x18b1e:$m2: keystroke Logs ID 0x18d0a:$m3: SnakePW 0x189e2:$m4: \SnakeKeylogger\
00000000.00000002.384566708.0000000002A55000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000000.367162385.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000000.367162385.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000000.367162385.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000000.367162385.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17430:$x1: $%SMTPDV$ 0x17446:$x2: $#TheHashHere%& 0x187d8:$x3: %FTPDV$ 0x188a0:$x4: $%TelegramDv$ 0x14d6d:$x5: KeyLoggerEventArgs 0x15103:$x5: KeyLoggerEventArgs 0x18848:$m1: \| Snake Keylogger 0x18900:$m1: \| Snake Keylogger 0x18a54:$m1: \| Snake Keylogger 0x18b7a:$m1: \| Snake Keylogger 0x18cd4:$m1: \| Snake Keylogger 0x187fc:$m2: Clipboard Logs ID 0x18a0a:$m2: Screenshot Logs ID 0x18b1e:$m2: keystroke Logs ID 0x18d0a:$m3: SnakePW 0x189e2:$m4: \SnakeKeylogger\
00000003.00000002.616880091.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.616880091.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.616880091.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.616880091.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17430:$x1: $%SMTPDV$ 0x17446:$x2: $#TheHashHere%& 0x187d8:$x3: %FTPDV$ 0x188a0:$x4: $%TelegramDv$ 0x14d6d:$x5: KeyLoggerEventArgs 0x15103:$x5: KeyLoggerEventArgs 0x18848:$m1: \| Snake Keylogger 0x18900:$m1: \| Snake Keylogger 0x18a54:$m1: \| Snake Keylogger 0x18b7a:$m1: \| Snake Keylogger 0x18cd4:$m1: \| Snake Keylogger 0x187fc:$m2: Clipboard Logs ID 0x18a0a:$m2: Screenshot Logs ID 0x18b1e:$m2: keystroke Logs ID 0x18d0a:$m3: SnakePW 0x189e2:$m4: \SnakeKeylogger\
00000003.00000000.367916030.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000000.367916030.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000000.367916030.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000000.367916030.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17430:$x1: $%SMTPDV$ 0x17446:$x2: $#TheHashHere%& 0x187d8:$x3: %FTPDV$ 0x188a0:$x4: $%TelegramDv$ 0x14d6d:$x5: KeyLoggerEventArgs 0x15103:$x5: KeyLoggerEventArgs 0x18848:$m1: \| Snake Keylogger 0x18900:$m1: \| Snake Keylogger 0x18a54:$m1: \| Snake Keylogger 0x18b7a:$m1: \| Snake Keylogger 0x18cd4:$m1: \| Snake Keylogger 0x187fc:$m2: Clipboard Logs ID 0x18a0a:$m2: Screenshot Logs ID 0x18b1e:$m2: keystroke Logs ID 0x18d0a:$m3: SnakePW 0x189e2:$m4: \SnakeKeylogger\
00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x7c500:$x1: $%SMTPDV$ 0x1377c0:$x1: $%SMTPDV$ 0x1571e0:$x1: $%SMTPDV$ 0x7c516:$x2: $#TheHashHere%& 0x1377d6:$x2: $#TheHashHere%& 0x1571f6:$x2: $#TheHashHere%& 0x7d8a8:$x3: %FTPDV$ 0x138b68:$x3: %FTPDV$ 0x158588:$x3: %FTPDV$ 0x7d970:$x4: $%TelegramDv$ 0x138c30:$x4: $%TelegramDv$ 0x158650:$x4: $%TelegramDv$ 0x79e3d:$x5: KeyLoggerEventArgs 0x7a1d3:$x5: KeyLoggerEventArgs 0x1350fd:$x5: KeyLoggerEventArgs 0x135493:$x5: KeyLoggerEventArgs 0x154b1d:$x5: KeyLoggerEventArgs 0x154eb3:$x5: KeyLoggerEventArgs 0x7d918:$m1: \| Snake Keylogger 0x7d9d0:$m1: \| Snake Keylogger 0x7db24:$m1: \| Snake Keylogger
Process Memory Space: t40mINaB76.exe PID: 6564	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: t40mINaB76.exe PID: 6564	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: t40mINaB76.exe PID: 6564	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: t40mINaB76.exe PID: 6564	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x8cf3e:$x5: KeyLoggerEventArgs 0x8d2d4:$x5: KeyLoggerEventArgs 0x8d8ac:$x5: KeyLoggerEventArgs 0x8dc0d:$x5: KeyLoggerEventArgs 0x8f45f:$m1: \| Snake Keylogger 0x8f4b7:$m1: \| Snake Keylogger 0x8f54b:$m1: \| Snake Keylogger 0x8f5ac:$m1: \| Snake Keylogger 0x8f621:$m1: \| Snake Keylogger 0x8f438:$m2: Clipboard Logs ID 0x8f526:$m2: Screenshot Logs ID 0x8f57e:$m2: keystroke Logs ID 0x8f63c:$m3: SnakePW 0x8f512:$m4: \SnakeKeylogger\
Process Memory Space: t40mINaB76.exe PID: 6256	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: t40mINaB76.exe PID: 6256	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: t40mINaB76.exe PID: 6256	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x6906:$x5: KeyLoggerEventArgs 0x6c9c:$x5: KeyLoggerEventArgs 0x7274:$x5: KeyLoggerEventArgs 0x75d5:$x5: KeyLoggerEventArgs 0x8e27:$m1: \| Snake Keylogger 0x8e7f:$m1: \| Snake Keylogger 0x8f13:$m1: \| Snake Keylogger 0x8f74:$m1: \| Snake Keylogger 0x8fe9:$m1: \| Snake Keylogger 0x8e00:$m2: Clipboard Logs ID 0x8eee:$m2: Screenshot Logs ID 0x8f46:$m2: keystroke Logs ID 0x9004:$m3: SnakePW 0x8eda:$m4: \SnakeKeylogger\
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.0.t40mINaB76.exe.400000.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b36e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a557:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a99e:$a4: \Orbitum\User Data\Default\Login Data 0x1bb1f:$a5: \Kometa\User Data\Default\Login Data
3.0.t40mINaB76.exe.400000.6.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
3.0.t40mINaB76.exe.400000.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.0.t40mINaB76.exe.400000.6.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.0.t40mINaB76.exe.400000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.0.t40mINaB76.exe.400000.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x148fa:$s1: UnHook 0x14901:$s2: SetHook 0x14909:$s3: CallNextHook 0x14916:$s4: _hook
3.0.t40mINaB76.exe.400000.6.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17630:$x1: $%SMTPDV$ 0x17646:$x2: $#TheHashHere%& 0x189d8:$x3: %FTPDV$ 0x18aa0:$x4: $%TelegramDv$ 0x14f6d:$x5: KeyLoggerEventArgs 0x15303:$x5: KeyLoggerEventArgs 0x18a48:$m1: \| Snake Keylogger 0x18b00:$m1: \| Snake Keylogger 0x18c54:$m1: \| Snake Keylogger 0x18d7a:$m1: \| Snake Keylogger 0x18ed4:$m1: \| Snake Keylogger 0x189fc:$m2: Clipboard Logs ID 0x18c0a:$m2: Screenshot Logs ID 0x18d1e:$m2: keystroke Logs ID 0x18f0a:$m3: SnakePW 0x18be2:$m4: \SnakeKeylogger\
3.0.t40mINaB76.exe.400000.10.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b36e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a557:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a99e:$a4: \Orbitum\User Data\Default\Login Data 0x1bb1f:$a5: \Kometa\User Data\Default\Login Data
3.0.t40mINaB76.exe.400000.10.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
3.0.t40mINaB76.exe.400000.10.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.0.t40mINaB76.exe.400000.10.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.0.t40mINaB76.exe.400000.10.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.0.t40mINaB76.exe.400000.10.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x148fa:$s1: UnHook 0x14901:$s2: SetHook 0x14909:$s3: CallNextHook 0x14916:$s4: _hook
3.0.t40mINaB76.exe.400000.10.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17630:$x1: $%SMTPDV$ 0x17646:$x2: $#TheHashHere%& 0x189d8:$x3: %FTPDV$ 0x18aa0:$x4: $%TelegramDv$ 0x14f6d:$x5: KeyLoggerEventArgs 0x15303:$x5: KeyLoggerEventArgs 0x18a48:$m1: \| Snake Keylogger 0x18b00:$m1: \| Snake Keylogger 0x18c54:$m1: \| Snake Keylogger 0x18d7a:$m1: \| Snake Keylogger 0x18ed4:$m1: \| Snake Keylogger 0x189fc:$m2: Clipboard Logs ID 0x18c0a:$m2: Screenshot Logs ID 0x18d1e:$m2: keystroke Logs ID 0x18f0a:$m3: SnakePW 0x18be2:$m4: \SnakeKeylogger\
0.2.t40mINaB76.exe.3c7aed0.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1956e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x18757:$a3: \Google\Chrome\User Data\Default\Login Data 0x18b9e:$a4: \Orbitum\User Data\Default\Login Data 0x19d1f:$a5: \Kometa\User Data\Default\Login Data
0.2.t40mINaB76.exe.3c7aed0.7.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.t40mINaB76.exe.3c7aed0.7.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.t40mINaB76.exe.3c7aed0.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.t40mINaB76.exe.3c7aed0.7.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x12afa:$s1: UnHook 0x12b01:$s2: SetHook 0x12b09:$s3: CallNextHook 0x12b16:$s4: _hook
0.2.t40mINaB76.exe.3c7aed0.7.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x15830:$x1: $%SMTPDV$ 0x15846:$x2: $#TheHashHere%& 0x16bd8:$x3: %FTPDV$ 0x16ca0:$x4: $%TelegramDv$ 0x1316d:$x5: KeyLoggerEventArgs 0x13503:$x5: KeyLoggerEventArgs 0x16c48:$m1: \| Snake Keylogger 0x16d00:$m1: \| Snake Keylogger 0x16e54:$m1: \| Snake Keylogger 0x16f7a:$m1: \| Snake Keylogger 0x170d4:$m1: \| Snake Keylogger 0x16bfc:$m2: Clipboard Logs ID 0x16e0a:$m2: Screenshot Logs ID 0x16f1e:$m2: keystroke Logs ID 0x1710a:$m3: SnakePW 0x16de2:$m4: \SnakeKeylogger\
3.0.t40mINaB76.exe.400000.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b36e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a557:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a99e:$a4: \Orbitum\User Data\Default\Login Data 0x1bb1f:$a5: \Kometa\User Data\Default\Login Data
3.0.t40mINaB76.exe.400000.8.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
3.0.t40mINaB76.exe.400000.8.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.0.t40mINaB76.exe.400000.8.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.0.t40mINaB76.exe.400000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.0.t40mINaB76.exe.400000.8.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x148fa:$s1: UnHook 0x14901:$s2: SetHook 0x14909:$s3: CallNextHook 0x14916:$s4: _hook
3.0.t40mINaB76.exe.400000.8.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17630:$x1: $%SMTPDV$ 0x17646:$x2: $#TheHashHere%& 0x189d8:$x3: %FTPDV$ 0x18aa0:$x4: $%TelegramDv$ 0x14f6d:$x5: KeyLoggerEventArgs 0x15303:$x5: KeyLoggerEventArgs 0x18a48:$m1: \| Snake Keylogger 0x18b00:$m1: \| Snake Keylogger 0x18c54:$m1: \| Snake Keylogger 0x18d7a:$m1: \| Snake Keylogger 0x18ed4:$m1: \| Snake Keylogger 0x189fc:$m2: Clipboard Logs ID 0x18c0a:$m2: Screenshot Logs ID 0x18d1e:$m2: keystroke Logs ID 0x18f0a:$m3: SnakePW 0x18be2:$m4: \SnakeKeylogger\
3.0.t40mINaB76.exe.400000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b36e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a557:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a99e:$a4: \Orbitum\User Data\Default\Login Data 0x1bb1f:$a5: \Kometa\User Data\Default\Login Data
3.0.t40mINaB76.exe.400000.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
3.0.t40mINaB76.exe.400000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.0.t40mINaB76.exe.400000.4.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.0.t40mINaB76.exe.400000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.0.t40mINaB76.exe.400000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x148fa:$s1: UnHook 0x14901:$s2: SetHook 0x14909:$s3: CallNextHook 0x14916:$s4: _hook
3.0.t40mINaB76.exe.400000.4.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17630:$x1: $%SMTPDV$ 0x17646:$x2: $#TheHashHere%& 0x189d8:$x3: %FTPDV$ 0x18aa0:$x4: $%TelegramDv$ 0x14f6d:$x5: KeyLoggerEventArgs 0x15303:$x5: KeyLoggerEventArgs 0x18a48:$m1: \| Snake Keylogger 0x18b00:$m1: \| Snake Keylogger 0x18c54:$m1: \| Snake Keylogger 0x18d7a:$m1: \| Snake Keylogger 0x18ed4:$m1: \| Snake Keylogger 0x189fc:$m2: Clipboard Logs ID 0x18c0a:$m2: Screenshot Logs ID 0x18d1e:$m2: keystroke Logs ID 0x18f0a:$m3: SnakePW 0x18be2:$m4: \SnakeKeylogger\
3.0.t40mINaB76.exe.400000.12.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b36e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a557:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a99e:$a4: \Orbitum\User Data\Default\Login Data 0x1bb1f:$a5: \Kometa\User Data\Default\Login Data
3.0.t40mINaB76.exe.400000.12.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
3.0.t40mINaB76.exe.400000.12.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.0.t40mINaB76.exe.400000.12.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.0.t40mINaB76.exe.400000.12.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.0.t40mINaB76.exe.400000.12.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x148fa:$s1: UnHook 0x14901:$s2: SetHook 0x14909:$s3: CallNextHook 0x14916:$s4: _hook
3.0.t40mINaB76.exe.400000.12.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17630:$x1: $%SMTPDV$ 0x17646:$x2: $#TheHashHere%& 0x189d8:$x3: %FTPDV$ 0x18aa0:$x4: $%TelegramDv$ 0x14f6d:$x5: KeyLoggerEventArgs 0x15303:$x5: KeyLoggerEventArgs 0x18a48:$m1: \| Snake Keylogger 0x18b00:$m1: \| Snake Keylogger 0x18c54:$m1: \| Snake Keylogger 0x18d7a:$m1: \| Snake Keylogger 0x18ed4:$m1: \| Snake Keylogger 0x189fc:$m2: Clipboard Logs ID 0x18c0a:$m2: Screenshot Logs ID 0x18d1e:$m2: keystroke Logs ID 0x18f0a:$m3: SnakePW 0x18be2:$m4: \SnakeKeylogger\
3.2.t40mINaB76.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b36e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a557:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a99e:$a4: \Orbitum\User Data\Default\Login Data 0x1bb1f:$a5: \Kometa\User Data\Default\Login Data
3.2.t40mINaB76.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
3.2.t40mINaB76.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.t40mINaB76.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.t40mINaB76.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.t40mINaB76.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x148fa:$s1: UnHook 0x14901:$s2: SetHook 0x14909:$s3: CallNextHook 0x14916:$s4: _hook
3.2.t40mINaB76.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17630:$x1: $%SMTPDV$ 0x17646:$x2: $#TheHashHere%& 0x189d8:$x3: %FTPDV$ 0x18aa0:$x4: $%TelegramDv$ 0x14f6d:$x5: KeyLoggerEventArgs 0x15303:$x5: KeyLoggerEventArgs 0x18a48:$m1: \| Snake Keylogger 0x18b00:$m1: \| Snake Keylogger 0x18c54:$m1: \| Snake Keylogger 0x18d7a:$m1: \| Snake Keylogger 0x18ed4:$m1: \| Snake Keylogger 0x189fc:$m2: Clipboard Logs ID 0x18c0a:$m2: Screenshot Logs ID 0x18d1e:$m2: keystroke Logs ID 0x18f0a:$m3: SnakePW 0x18be2:$m4: \SnakeKeylogger\
0.2.t40mINaB76.exe.3c7aed0.7.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.t40mINaB76.exe.3c7aed0.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.t40mINaB76.exe.3c7aed0.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.t40mINaB76.exe.3c7aed0.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.t40mINaB76.exe.3c7aed0.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x148fa:$s1: UnHook 0xcfbba:$s1: UnHook 0xef5da:$s1: UnHook 0x14901:$s2: SetHook 0xcfbc1:$s2: SetHook 0xef5e1:$s2: SetHook 0x14909:$s3: CallNextHook 0xcfbc9:$s3: CallNextHook 0xef5e9:$s3: CallNextHook 0x14916:$s4: _hook 0xcfbd6:$s4: _hook 0xef5f6:$s4: _hook
0.2.t40mINaB76.exe.3c7aed0.7.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17630:$x1: $%SMTPDV$ 0xd28f0:$x1: $%SMTPDV$ 0xf2310:$x1: $%SMTPDV$ 0x17646:$x2: $#TheHashHere%& 0xd2906:$x2: $#TheHashHere%& 0xf2326:$x2: $#TheHashHere%& 0x189d8:$x3: %FTPDV$ 0xd3c98:$x3: %FTPDV$ 0xf36b8:$x3: %FTPDV$ 0x18aa0:$x4: $%TelegramDv$ 0xd3d60:$x4: $%TelegramDv$ 0xf3780:$x4: $%TelegramDv$ 0x14f6d:$x5: KeyLoggerEventArgs 0x15303:$x5: KeyLoggerEventArgs 0xd022d:$x5: KeyLoggerEventArgs 0xd05c3:$x5: KeyLoggerEventArgs 0xefc4d:$x5: KeyLoggerEventArgs 0xeffe3:$x5: KeyLoggerEventArgs 0x18a48:$m1: \| Snake Keylogger 0x18b00:$m1: \| Snake Keylogger 0x18c54:$m1: \| Snake Keylogger
0.2.t40mINaB76.exe.3c9d170.9.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0xb438e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xd3dae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xb3577:$a3: \Google\Chrome\User Data\Default\Login Data 0xd2f97:$a3: \Google\Chrome\User Data\Default\Login Data 0xb39be:$a4: \Orbitum\User Data\Default\Login Data 0xd33de:$a4: \Orbitum\User Data\Default\Login Data 0xb4b3f:$a5: \Kometa\User Data\Default\Login Data 0xd455f:$a5: \Kometa\User Data\Default\Login Data
0.2.t40mINaB76.exe.3c9d170.9.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.t40mINaB76.exe.3c9d170.9.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.t40mINaB76.exe.3c9d170.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.t40mINaB76.exe.3c9d170.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.t40mINaB76.exe.3c9d170.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xad91a:$s1: UnHook 0xcd33a:$s1: UnHook 0xad921:$s2: SetHook 0xcd341:$s2: SetHook 0xad929:$s3: CallNextHook 0xcd349:$s3: CallNextHook 0xad936:$s4: _hook 0xcd356:$s4: _hook
0.2.t40mINaB76.exe.3c9d170.9.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xb0650:$x1: $%SMTPDV$ 0xd0070:$x1: $%SMTPDV$ 0xb0666:$x2: $#TheHashHere%& 0xd0086:$x2: $#TheHashHere%& 0xb19f8:$x3: %FTPDV$ 0xd1418:$x3: %FTPDV$ 0xb1ac0:$x4: $%TelegramDv$ 0xd14e0:$x4: $%TelegramDv$ 0xadf8d:$x5: KeyLoggerEventArgs 0xae323:$x5: KeyLoggerEventArgs 0xcd9ad:$x5: KeyLoggerEventArgs 0xcdd43:$x5: KeyLoggerEventArgs 0xb1a68:$m1: \| Snake Keylogger 0xb1b20:$m1: \| Snake Keylogger 0xb1c74:$m1: \| Snake Keylogger 0xb1d9a:$m1: \| Snake Keylogger 0xb1ef4:$m1: \| Snake Keylogger 0xd1488:$m1: \| Snake Keylogger 0xd1540:$m1: \| Snake Keylogger 0xd1694:$m1: \| Snake Keylogger 0xd17ba:$m1: \| Snake Keylogger
0.2.t40mINaB76.exe.3c162b0.8.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.t40mINaB76.exe.3c162b0.8.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.t40mINaB76.exe.3c162b0.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.t40mINaB76.exe.3c162b0.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.t40mINaB76.exe.3c162b0.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x7951a:$s1: UnHook 0x1347da:$s1: UnHook 0x1541fa:$s1: UnHook 0x79521:$s2: SetHook 0x1347e1:$s2: SetHook 0x154201:$s2: SetHook 0x79529:$s3: CallNextHook 0x1347e9:$s3: CallNextHook 0x154209:$s3: CallNextHook 0x79536:$s4: _hook 0x1347f6:$s4: _hook 0x154216:$s4: _hook
0.2.t40mINaB76.exe.3c162b0.8.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x7c250:$x1: $%SMTPDV$ 0x137510:$x1: $%SMTPDV$ 0x156f30:$x1: $%SMTPDV$ 0x7c266:$x2: $#TheHashHere%& 0x137526:$x2: $#TheHashHere%& 0x156f46:$x2: $#TheHashHere%& 0x7d5f8:$x3: %FTPDV$ 0x1388b8:$x3: %FTPDV$ 0x1582d8:$x3: %FTPDV$ 0x7d6c0:$x4: $%TelegramDv$ 0x138980:$x4: $%TelegramDv$ 0x1583a0:$x4: $%TelegramDv$ 0x79b8d:$x5: KeyLoggerEventArgs 0x79f23:$x5: KeyLoggerEventArgs 0x134e4d:$x5: KeyLoggerEventArgs 0x1351e3:$x5: KeyLoggerEventArgs 0x15486d:$x5: KeyLoggerEventArgs 0x154c03:$x5: KeyLoggerEventArgs 0x7d668:$m1: \| Snake Keylogger 0x7d720:$m1: \| Snake Keylogger 0x7d874:$m1: \| Snake Keylogger
Click to see the 62 entries

Snort Signatures

ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check - Source IP: 192.168.2.7 - Destination IP: 132.226.8.169

Timestamp:	192.168.2.7132.226.8.16949776802842536 06/26/22-09:32:46.921589
SID:	2842536
Source Port:	49776
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: t40mINaB76.exe	Virustotal: Detection: 35%			Perma Link
Source: t40mINaB76.exe	ReversingLabs: Detection: 53%

Machine Learning detection for sample

Source: t40mINaB76.exe

Joe Sandbox ML: detected

Source: 3.0.t40mINaB76.exe.400000.6.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 3.0.t40mINaB76.exe.400000.10.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 3.0.t40mINaB76.exe.400000.4.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 3.0.t40mINaB76.exe.400000.8.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 3.0.t40mINaB76.exe.400000.12.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 3.2.t40mINaB76.exe.400000.0.unpack	Avira: Label: TR/ATRAPS.Gen

Source: 3.0.t40mINaB76.exe.400000.6.unpack

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "arinzelog@valete.buzz", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua", "Port": "arinze@valete.buzz"}

Source: t40mINaB76.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: t40mINaB76.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 02B4F539h	3_2_02B4F280
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 02B47507h	3_2_02B47200
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 02B48687h	3_2_02B483C9
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 02B4FDE9h	3_2_02B4FB30
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 02B47DC7h	3_2_02B47B08
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 02B463D1h	3_2_02B46111
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 02B47967h	3_2_02B476A8
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 02B46B10h	3_2_02B466F8
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 02B4F991h	3_2_02B4F6D8
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 02B4F0E1h	3_2_02B4EE28
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 02B48227h	3_2_02B47F68
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 02B4EC8Ah	3_2_02B4E758
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 02B45F70h	3_2_02B45587
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_02B452BC
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_02B44AA8
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 02B46B10h	3_2_02B46A3E
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_02B450DB
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 02B46B10h	3_2_02B466E8
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 063762E1h	3_2_06376038
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 0637FAE1h	3_2_0637F838
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 063748D1h	3_2_06374628
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 0637E0A9h	3_2_0637DE00
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 06373319h	3_2_06373070
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 06377CF1h	3_2_06377A48
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 06378149h	3_2_06377EA0
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 06376739h	3_2_06376490
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 06374D29h	3_2_06374A80
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 0637E529h	3_2_0637E280
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 063785A1h	3_2_063782F8
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 06376B91h	3_2_063768E8
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 06375181h	3_2_06374ED8
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 0637E981h	3_2_0637E6D8
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 06373771h	3_2_063734C8
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 063755D9h	3_2_06375330
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 0637EDD9h	3_2_0637EB30
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 06373BC9h	3_2_06373920
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 06374021h	3_2_06373D78
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 063789F9h	3_2_06378750
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 06376FE9h	3_2_06376D40
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 06377441h	3_2_06377198
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 06375A31h	3_2_06375788
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 0637F231h	3_2_0637EF88
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 06377899h	3_2_063775F0
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 06375E89h	3_2_06375BE0
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 0637F689h	3_2_0637F3E0
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then jmp 06374479h	3_2_063741D0
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_0637C020
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_0637C00F
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_0637C336

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2842536 ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.2.7:49776 -> 132.226.8.169:80

May check the online IP address of the machine

Source: C:\Users\user\Desktop\t40mINaB76.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\t40mINaB76.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\t40mINaB76.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\t40mINaB76.exe	DNS query: name: checkip.dyndns.org

Yara detected Generic Downloader

Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.t40mINaB76.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.t40mINaB76.exe.3c7aed0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.t40mINaB76.exe.3c9d170.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.t40mINaB76.exe.3c162b0.8.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View

ASN Name: UTMEMUS UTMEMUS

Source: Joe Sandbox View

IP Address: 132.226.8.169 132.226.8.169

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: t40mINaB76.exe, 00000003.00000002.618270110.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: t40mINaB76.exe, 00000003.00000002.618270110.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000003.00000002.618229556.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: t40mINaB76.exe, 00000003.00000002.618024955.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: t40mINaB76.exe, 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: t40mINaB76.exe, 00000003.00000002.618229556.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org4fk0
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: t40mINaB76.exe, 00000003.00000002.618024955.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: t40mINaB76.exe, 00000000.00000003.354043115.00000000056FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: t40mINaB76.exe, 00000000.00000003.352500439.00000000056F3000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000003.353409000.00000000056FA000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000003.353721307.00000000056FA000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000003.353001018.00000000056F7000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000003.354043115.00000000056FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comily
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: t40mINaB76.exe, 00000000.00000003.351635075.0000000005704000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.como
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: t40mINaB76.exe, 00000000.00000003.355217285.000000000570E000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000003.355125365.000000000570E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlo
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: t40mINaB76.exe, 00000000.00000002.383796685.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comcom
Source: t40mINaB76.exe, 00000000.00000002.383796685.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.come.coma
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: t40mINaB76.exe, 00000000.00000003.351157043.0000000005701000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000003.351002112.0000000005700000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000003.357659176.00000000056F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000003.351452161.0000000005704000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: t40mINaB76.exe, 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: t40mINaB76.exe	String found in binary or memory: https://picsum.photos/80

Source: unknown

DNS traffic detected: queries for: checkip.dyndns.org

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.0.t40mINaB76.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.0.t40mINaB76.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.0.t40mINaB76.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.0.t40mINaB76.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.0.t40mINaB76.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.0.t40mINaB76.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.t40mINaB76.exe.3c7aed0.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.t40mINaB76.exe.3c7aed0.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.t40mINaB76.exe.3c7aed0.7.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.0.t40mINaB76.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.0.t40mINaB76.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.0.t40mINaB76.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.0.t40mINaB76.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.0.t40mINaB76.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.0.t40mINaB76.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.0.t40mINaB76.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.0.t40mINaB76.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.0.t40mINaB76.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.2.t40mINaB76.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.t40mINaB76.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.t40mINaB76.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.t40mINaB76.exe.3c7aed0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.t40mINaB76.exe.3c7aed0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.t40mINaB76.exe.3c9d170.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.t40mINaB76.exe.3c9d170.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.t40mINaB76.exe.3c9d170.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.t40mINaB76.exe.3c162b0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.t40mINaB76.exe.3c162b0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000000.368941333.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000000.367162385.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.616880091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000000.367916030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: t40mINaB76.exe PID: 6564, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: t40mINaB76.exe PID: 6256, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: t40mINaB76.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.0.t40mINaB76.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.t40mINaB76.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.0.t40mINaB76.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.0.t40mINaB76.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.t40mINaB76.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.0.t40mINaB76.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.t40mINaB76.exe.3c7aed0.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.t40mINaB76.exe.3c7aed0.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.t40mINaB76.exe.3c7aed0.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.0.t40mINaB76.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.t40mINaB76.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.0.t40mINaB76.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.0.t40mINaB76.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.t40mINaB76.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.0.t40mINaB76.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.0.t40mINaB76.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.t40mINaB76.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.0.t40mINaB76.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.2.t40mINaB76.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.t40mINaB76.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.t40mINaB76.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.t40mINaB76.exe.3c7aed0.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.t40mINaB76.exe.3c7aed0.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.t40mINaB76.exe.3c9d170.9.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.t40mINaB76.exe.3c9d170.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.t40mINaB76.exe.3c9d170.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.t40mINaB76.exe.3c162b0.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.t40mINaB76.exe.3c162b0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000000.368941333.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000000.367162385.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.616880091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000000.367916030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: t40mINaB76.exe PID: 6564, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: t40mINaB76.exe PID: 6256, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 0_2_00EAF882	0_2_00EAF882
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_02B4F280	3_2_02B4F280
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_02B47200	3_2_02B47200
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_02B46B88	3_2_02B46B88
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_02B483C9	3_2_02B483C9
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_02B4FB30	3_2_02B4FB30
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_02B47B08	3_2_02B47B08
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_02B46111	3_2_02B46111
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_02B476A8	3_2_02B476A8
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_02B4F6D8	3_2_02B4F6D8
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_02B4EE28	3_2_02B4EE28
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_02B47F68	3_2_02B47F68
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_02B4E758	3_2_02B4E758
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_02B4A45A	3_2_02B4A45A
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_02B45587	3_2_02B45587
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_02B44AA8	3_2_02B44AA8
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_02B44A98	3_2_02B44A98
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_02B47248	3_2_02B47248
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_02B46B78	3_2_02B46B78
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_02B4DFE0	3_2_02B4DFE0
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_02B4DFD0	3_2_02B4DFD0
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06376038	3_2_06376038
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_0637F838	3_2_0637F838
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06374628	3_2_06374628
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_0637DE00	3_2_0637DE00
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06373070	3_2_06373070
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06370040	3_2_06370040
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06377A48	3_2_06377A48
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06377EA0	3_2_06377EA0
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06376490	3_2_06376490
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_0637D098	3_2_0637D098
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06374A80	3_2_06374A80
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_0637E280	3_2_0637E280
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_063782F8	3_2_063782F8
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_063768E8	3_2_063768E8
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06374ED8	3_2_06374ED8
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_0637E6D8	3_2_0637E6D8
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_063734C8	3_2_063734C8
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06375330	3_2_06375330
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_0637EB30	3_2_0637EB30
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06373920	3_2_06373920
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_0637B770	3_2_0637B770
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06373D78	3_2_06373D78
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06378750	3_2_06378750
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06376D40	3_2_06376D40
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06378BA8	3_2_06378BA8
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06377198	3_2_06377198
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_0637C398	3_2_0637C398
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06375788	3_2_06375788
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_0637EF88	3_2_0637EF88
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_063775F0	3_2_063775F0
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06375BE0	3_2_06375BE0
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_0637F3E0	3_2_0637F3E0
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_063741D0	3_2_063741D0
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06377A3A	3_2_06377A3A
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_0637C020	3_2_0637C020
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06376028	3_2_06376028
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_0637F828	3_2_0637F828
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06374619	3_2_06374619
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06370006	3_2_06370006
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_0637C00F	3_2_0637C00F
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06374A70	3_2_06374A70
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06373062	3_2_06373062
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_063734B8	3_2_063734B8
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06377E90	3_2_06377E90
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06376482	3_2_06376482
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_063782E8	3_2_063782E8
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_063768D8	3_2_063768D8
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_0637B6C9	3_2_0637B6C9
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06374EC8	3_2_06374EC8
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_0637E6C8	3_2_0637E6C8
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06376D36	3_2_06376D36
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06375321	3_2_06375321
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_0637EB20	3_2_0637EB20
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06373910	3_2_06373910
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_0637EF79	3_2_0637EF79
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06375778	3_2_06375778
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06373D68	3_2_06373D68
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06378741	3_2_06378741
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06377188	3_2_06377188
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_0637DDF0	3_2_0637DDF0
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_063775E0	3_2_063775E0
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_06375BD0	3_2_06375BD0
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_0637F3D0	3_2_0637F3D0
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_063741C0	3_2_063741C0

Source: t40mINaB76.exe	Binary or memory string: OriginalFilename vs t40mINaB76.exe
Source: t40mINaB76.exe, 00000000.00000002.384331004.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs t40mINaB76.exe
Source: t40mINaB76.exe, 00000000.00000002.390847193.0000000007170000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTweenEngineAPI.dllD vs t40mINaB76.exe
Source: t40mINaB76.exe, 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs t40mINaB76.exe
Source: t40mINaB76.exe, 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTweenEngineAPI.dllD vs t40mINaB76.exe
Source: t40mINaB76.exe, 00000000.00000002.390556341.0000000006F10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCloneHelper.dll4 vs t40mINaB76.exe
Source: t40mINaB76.exe, 00000000.00000002.390577870.0000000006F30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNativeVariant.dll" vs t40mINaB76.exe
Source: t40mINaB76.exe	Binary or memory string: OriginalFilename vs t40mINaB76.exe
Source: t40mINaB76.exe, 00000003.00000000.368971564.0000000000422000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs t40mINaB76.exe
Source: t40mINaB76.exe, 00000003.00000002.617356854.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs t40mINaB76.exe
Source: t40mINaB76.exe	Binary or memory string: OriginalFilenameIMap.exe> vs t40mINaB76.exe

Source: t40mINaB76.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: t40mINaB76.exe	Virustotal: Detection: 35%
Source: t40mINaB76.exe	ReversingLabs: Detection: 53%

Source: t40mINaB76.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\t40mINaB76.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\t40mINaB76.exe "C:\Users\user\Desktop\t40mINaB76.exe"
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process created: C:\Users\user\Desktop\t40mINaB76.exe C:\Users\user\Desktop\t40mINaB76.exe
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process created: C:\Users\user\Desktop\t40mINaB76.exe C:\Users\user\Desktop\t40mINaB76.exe	Jump to behavior

Source: C:\Users\user\Desktop\t40mINaB76.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\t40mINaB76.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1

Source: t40mINaB76.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\t40mINaB76.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: t40mINaB76.exe, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.t40mINaB76.exe.3a0000.0.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.t40mINaB76.exe.3a0000.0.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.t40mINaB76.exe.9b0000.3.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.t40mINaB76.exe.9b0000.0.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.t40mINaB76.exe.400000.6.unpack, u26ca?u060cufffd?/ufffdK??ufffd.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'

Source: C:\Users\user\Desktop\t40mINaB76.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\t40mINaB76.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\t40mINaB76.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: t40mINaB76.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: t40mINaB76.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: t40mINaB76.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

.NET source code contains potential unpacker

Source: t40mINaB76.exe, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.t40mINaB76.exe.3a0000.0.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.t40mINaB76.exe.3a0000.0.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.t40mINaB76.exe.9b0000.3.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.t40mINaB76.exe.9b0000.0.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.t40mINaB76.exe.9b0000.13.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.t40mINaB76.exe.9b0000.2.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.t40mINaB76.exe.9b0000.11.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.2.t40mINaB76.exe.9b0000.1.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.t40mINaB76.exe.9b0000.1.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.t40mINaB76.exe.9b0000.7.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.t40mINaB76.exe.9b0000.5.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 0_2_003B1C4A push dword ptr [edx]; retf	0_2_003B1C84
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 0_2_003B1E44 push dword ptr [edx]; retf	0_2_003B1E84
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 0_2_003B1C85 push dword ptr [eax]; retf	0_2_003B1C8C
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 0_2_003B1A85 push dword ptr [eax]; retf	0_2_003B1A8C
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 0_2_003B1E85 push dword ptr [eax]; retf	0_2_003B1E8C
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 0_2_003B1ACD push ds; retf	0_2_003B1AD0
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 0_2_003B1CCD push ds; retf	0_2_003B1CD0
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 0_2_003B1ECD push ds; retf	0_2_003B1ED0
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 0_2_003B1B3E push dword ptr [edx]; retf	0_2_003B1B84
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 0_2_003B1936 push dword ptr [edx]; retf	0_2_003B1984
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 0_2_003B1D4F push dword ptr [edx]; retf	0_2_003B1D84
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 0_2_003B1F4E push dword ptr [edx]; retf	0_2_003B1F84
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 0_2_003B1B85 push dword ptr [eax]; retf	0_2_003B1B8C
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 0_2_003B1985 push dword ptr [eax]; retf	0_2_003B198C
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 0_2_003B1D85 push dword ptr [eax]; retf	0_2_003B1D8C
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 0_2_003B1F85 push dword ptr [eax]; retf	0_2_003B1F8C
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 0_2_003B19E0 push dword ptr [edx]; retf	0_2_003B1A84
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 0_2_003B1BCD push ds; retf	0_2_003B1BD0
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 0_2_003B19CD push ds; retf	0_2_003B19D0
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 0_2_003B1DCD push ds; retf	0_2_003B1DD0
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 0_2_003B1FCD push ds; retf	0_2_003B1FD0
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_009C1C85 push dword ptr [eax]; retf	3_2_009C1C8C
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_009C1CCD push ds; retf	3_2_009C1CD0
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_009C1C4A push dword ptr [edx]; retf	3_2_009C1C84
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_009C1985 push dword ptr [eax]; retf	3_2_009C198C
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_009C1D85 push dword ptr [eax]; retf	3_2_009C1D8C
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_009C1DCD push ds; retf	3_2_009C1DD0
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_009C19CD push ds; retf	3_2_009C19D0
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_009C19E0 push dword ptr [edx]; retf	3_2_009C1A84
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_009C1936 push dword ptr [edx]; retf	3_2_009C1984
Source: C:\Users\user\Desktop\t40mINaB76.exe	Code function: 3_2_009C1D4F push dword ptr [edx]; retf	3_2_009C1D84

Source: t40mINaB76.exe

Static PE information: 0xF6D13CCD [Tue Mar 22 04:08:45 2101 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.873493921273272

Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.384331004.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.384566708.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: t40mINaB76.exe PID: 6564, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: t40mINaB76.exe, 00000000.00000002.384331004.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000002.384566708.0000000002A55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: t40mINaB76.exe, 00000000.00000002.384331004.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000002.384566708.0000000002A55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\t40mINaB76.exe TID: 6216

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\t40mINaB76.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\t40mINaB76.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\t40mINaB76.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: t40mINaB76.exe, 00000000.00000002.384566708.0000000002A55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: t40mINaB76.exe, 00000000.00000002.384566708.0000000002A55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: t40mINaB76.exe, 00000000.00000002.384566708.0000000002A55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: t40mINaB76.exe, 00000000.00000002.384566708.0000000002A55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\t40mINaB76.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\t40mINaB76.exe

Code function: 3_2_02B46B88 LdrInitializeThunk,

3_2_02B46B88

Source: C:\Users\user\Desktop\t40mINaB76.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 3.0.t40mINaB76.exe.400000.6.unpack, ufffdudb0audf1au07b8?/?????.cs	Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 3.0.t40mINaB76.exe.400000.6.unpack, ?ufffdWu02e8ufffd/??Ru07b4?.cs	Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: 3.0.t40mINaB76.exe.400000.10.unpack, ufffdudb0audf1au07b8?/?????.cs	Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 3.0.t40mINaB76.exe.400000.10.unpack, ?ufffdWu02e8ufffd/??Ru07b4?.cs	Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: 3.0.t40mINaB76.exe.400000.4.unpack, ufffdudb0audf1au07b8?/?????.cs	Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 3.0.t40mINaB76.exe.400000.4.unpack, ?ufffdWu02e8ufffd/??Ru07b4?.cs	Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: 3.0.t40mINaB76.exe.400000.8.unpack, ufffdudb0audf1au07b8?/?????.cs	Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 3.0.t40mINaB76.exe.400000.8.unpack, ?ufffdWu02e8ufffd/??Ru07b4?.cs	Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: 3.0.t40mINaB76.exe.400000.12.unpack, ufffdudb0audf1au07b8?/?????.cs	Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 3.0.t40mINaB76.exe.400000.12.unpack, ?ufffdWu02e8ufffd/??Ru07b4?.cs	Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\t40mINaB76.exe

Memory written: C:\Users\user\Desktop\t40mINaB76.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\t40mINaB76.exe

Process created: C:\Users\user\Desktop\t40mINaB76.exe C:\Users\user\Desktop\t40mINaB76.exe

Jump to behavior

Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Users\user\Desktop\t40mINaB76.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Users\user\Desktop\t40mINaB76.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\t40mINaB76.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.t40mINaB76.exe.3c7aed0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.t40mINaB76.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.t40mINaB76.exe.3c7aed0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.t40mINaB76.exe.3c9d170.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.t40mINaB76.exe.3c162b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.368941333.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.367162385.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.616880091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.367916030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.t40mINaB76.exe.3c7aed0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.t40mINaB76.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.t40mINaB76.exe.3c7aed0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.t40mINaB76.exe.3c9d170.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.t40mINaB76.exe.3c162b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.368941333.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.367162385.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.616880091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.367916030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: t40mINaB76.exe PID: 6564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: t40mINaB76.exe PID: 6256, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\t40mINaB76.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\t40mINaB76.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\t40mINaB76.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.t40mINaB76.exe.3c7aed0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.t40mINaB76.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.t40mINaB76.exe.3c7aed0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.t40mINaB76.exe.3c9d170.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.t40mINaB76.exe.3c162b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.368941333.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.367162385.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.616880091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.367916030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: t40mINaB76.exe PID: 6564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: t40mINaB76.exe PID: 6256, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.t40mINaB76.exe.3c7aed0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.t40mINaB76.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.t40mINaB76.exe.3c7aed0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.t40mINaB76.exe.3c9d170.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.t40mINaB76.exe.3c162b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.368941333.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.367162385.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.616880091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.367916030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.t40mINaB76.exe.3c7aed0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.t40mINaB76.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.t40mINaB76.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.t40mINaB76.exe.3c7aed0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.t40mINaB76.exe.3c9d170.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.t40mINaB76.exe.3c162b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.368941333.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.367162385.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.616880091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.367916030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: t40mINaB76.exe PID: 6564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: t40mINaB76.exe PID: 6256, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	111 Process Injection	1 Masquerading	2 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	12 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	13 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
t40mINaB76.exe	36%	Virustotal		Browse
t40mINaB76.exe	54%	ReversingLabs	ByteCode-MSIL.Spyware.SnakeLogger
t40mINaB76.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.0.t40mINaB76.exe.400000.6.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
3.0.t40mINaB76.exe.400000.10.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
3.0.t40mINaB76.exe.400000.4.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
3.0.t40mINaB76.exe.400000.8.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
3.0.t40mINaB76.exe.400000.12.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
3.2.t40mINaB76.exe.400000.0.unpack	100%	Avira	TR/ATRAPS.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.carterandcone.como	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.fontbureau.come.coma	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://checkip.dyndns.org4fk0	0%	Avira URL Cloud	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.carterandcone.comily	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://www.fontbureau.comcom	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
a-0019.standard.a-msedge.net	204.79.197.222	true	false	unknown
checkip.dyndns.com	132.226.8.169	true	true	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	true	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot	t40mINaB76.exe, 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-jones.htmlo	t40mINaB76.exe, 00000000.00000003.355217285.000000000570E000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000003.355125365.000000000570E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.como	t40mINaB76.exe, 00000000.00000003.351635075.0000000005704000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	t40mINaB76.exe, 00000003.00000002.618270110.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000003.00000002.618229556.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com	t40mINaB76.exe, 00000000.00000003.354043115.00000000056FF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.come.coma	t40mINaB76.exe, 00000000.00000002.383796685.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	t40mINaB76.exe, 00000000.00000003.351157043.0000000005701000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000003.351002112.0000000005700000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000003.357659176.00000000056F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org4fk0	t40mINaB76.exe, 00000003.00000002.618229556.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://fontfabrik.com	t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comily	t40mINaB76.exe, 00000000.00000003.352500439.00000000056F3000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000003.353409000.00000000056FA000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000003.353721307.00000000056FA000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000003.353001018.00000000056F7000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000003.354043115.00000000056FF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comcom	t40mINaB76.exe, 00000000.00000002.383796685.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	t40mINaB76.exe, 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
https://picsum.photos/80	t40mINaB76.exe	false		high
http://www.fonts.com	t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	t40mINaB76.exe, 00000003.00000002.618270110.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000003.351452161.0000000005704000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	t40mINaB76.exe, 00000003.00000002.618024955.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States		16989	UTMEMUS	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	652384
Start date and time: 26/06/202209:31:12	2022-06-26 09:31:12 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	t40mINaB76.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 0.3% (good quality ratio 0.2%) Quality average: 61.7% Quality standard deviation: 43.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 105 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): www.bing.com, fp.msedge.net, client.wns.windows.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, b-ring.msedge.net, arc.msn.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, 1.perf.msedge.net, fp-as.azureedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:32:30	API Interceptor	1x Sleep call for process: t40mINaB76.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
132.226.8.169	MV CHINALAND.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Docume001.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Signed_PO_003485940.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Qlo3Xd8Xt4.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	09009876543456789000000.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Ouicbvpfj.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	SecuriteInfo.com.W32.AIDetectNet.01.12429.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	INVOICE AND UPDATTED S O A.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	CTDTOMycoF.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	PO_28001.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	SecuriteInfo.com.W32.AIDetectNet.01.10057.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	PO 326217 326214.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	uc2RxH8hO7.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	mltzDybf15.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Atpeixzs.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	spetsifikatsioon.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	85rc53QGiJ.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	CHIOS LUCK.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	SecuriteInfo.com.W32.AIDetectNet.01.18120.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	AWB #5331810761doc.pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
a-0019.standard.a-msedge.net	MV. AVENIR TBN VESSEL DETAILS.docx.exe	Get hash	malicious	Browse	204.79.197.222
	SecuriteInfo.com.W32.AIDetectNet.01.25492.exe	Get hash	malicious	Browse	204.79.197.222
	Signed_PO_003485940.exe	Get hash	malicious	Browse	204.79.197.222
	4Os5JWDs7J.dll	Get hash	malicious	Browse	204.79.197.222
	texdpEFl8r.exe	Get hash	malicious	Browse	204.79.197.222
	YI52XpVV6Y.exe	Get hash	malicious	Browse	204.79.197.222
	Qasim_Haxor.exe	Get hash	malicious	Browse	204.79.197.222
	#U70b9#U51fb#U5b89#U88c5-#U7eb8#U98de#U673a#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00#U5305.com	Get hash	malicious	Browse	204.79.197.222
	Ou5tput.exe.exe	Get hash	malicious	Browse	204.79.197.222
	Fichero_Comprobante125822355MX12152022.htm	Get hash	malicious	Browse	204.79.197.222
	17.06.2022 cuma.docx	Get hash	malicious	Browse	204.79.197.222
	jUPHTA73IC.exe	Get hash	malicious	Browse	204.79.197.222
	w7QV15PTIU.exe	Get hash	malicious	Browse	204.79.197.222
	SecuriteInfo.com.W32.AIDetectNet.01.2759.exe	Get hash	malicious	Browse	204.79.197.222
	jsgSQzzt8S.dll	Get hash	malicious	Browse	204.79.197.222
	TLEsLC17Fy.dll	Get hash	malicious	Browse	204.79.197.222
	hJKjT75NRB.dll	Get hash	malicious	Browse	204.79.197.222
	purchase order.exe	Get hash	malicious	Browse	204.79.197.222
	customs broker_outstandings.js	Get hash	malicious	Browse	204.79.197.222
	SecuriteInfo.com.Gen.Variant.Nemesis.8198.16406.exe	Get hash	malicious	Browse	204.79.197.222
checkip.dyndns.com	0OZQi3b0tM.exe	Get hash	malicious	Browse	193.122.130.0
	ZzO0LX45zz.exe	Get hash	malicious	Browse	193.122.130.0
	FNK08uYGy6.exe	Get hash	malicious	Browse	193.122.130.0
	MV CHINALAND.exe	Get hash	malicious	Browse	158.101.44.242
	Import shipment.exe	Get hash	malicious	Browse	132.226.247.73
	MV SEA EVERGOLD.exe	Get hash	malicious	Browse	193.122.130.0
	4vQAHpapFz.exe	Get hash	malicious	Browse	193.122.130.0
	SecuriteInfo.com.IL.Trojan.MSILZilla.16190.26221.exe	Get hash	malicious	Browse	193.122.6.168
	gD5LFrPtfc.exe	Get hash	malicious	Browse	132.226.247.73
	aercUUUX2C.exe	Get hash	malicious	Browse	193.122.130.0
	vSgQo7dqYG.exe	Get hash	malicious	Browse	158.101.44.242
	MV CHINALAND.exe	Get hash	malicious	Browse	132.226.8.169
	22017_TIEM2 - RFQ.exe	Get hash	malicious	Browse	158.101.44.242
	CUSTOMER REQUEST.exe	Get hash	malicious	Browse	193.122.130.0
	Import shipment.exe	Get hash	malicious	Browse	193.122.130.0
	854F1E97-5DBB-4A87-A566-33D9012B05E2 pdf.exe	Get hash	malicious	Browse	193.122.130.0
	tka30O3OZN.exe	Get hash	malicious	Browse	193.122.130.0
	MV SEA EVERGOLD.exe	Get hash	malicious	Browse	132.226.247.73
	Docume001.exe	Get hash	malicious	Browse	132.226.8.169
	ViAKIk7T7X.exe	Get hash	malicious	Browse	193.122.130.0

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UTMEMUS	Import shipment.exe	Get hash	malicious	Browse	132.226.247.73
	gD5LFrPtfc.exe	Get hash	malicious	Browse	132.226.247.73
	MV CHINALAND.exe	Get hash	malicious	Browse	132.226.8.169
	MV SEA EVERGOLD.exe	Get hash	malicious	Browse	132.226.247.73
	Docume001.exe	Get hash	malicious	Browse	132.226.8.169
	MV SEA EVERGOLD.exe	Get hash	malicious	Browse	132.226.247.73
	m5s2c7eaZv.exe	Get hash	malicious	Browse	132.226.247.73
	F96UcEk8Z9.exe	Get hash	malicious	Browse	132.226.247.73
	Signed_PO_003485940.exe	Get hash	malicious	Browse	132.226.8.169
	Qlo3Xd8Xt4.exe	Get hash	malicious	Browse	132.226.8.169
	09009876543456789000000.exe	Get hash	malicious	Browse	132.226.8.169
	Payment Copy.exe	Get hash	malicious	Browse	132.226.247.73
	PO_28001.exe	Get hash	malicious	Browse	132.226.247.73
	Payment Copy.exe	Get hash	malicious	Browse	132.226.247.73
	Ouicbvpfj.exe	Get hash	malicious	Browse	132.226.247.73
	Shipping Documents.exe	Get hash	malicious	Browse	132.226.247.73
	SecuriteInfo.com.W32.AIDetectNet.01.12429.exe	Get hash	malicious	Browse	132.226.8.169
	INVOICE AND UPDATTED S O A.exe	Get hash	malicious	Browse	132.226.8.169
	CTDTOMycoF.exe	Get hash	malicious	Browse	132.226.8.169
	Payment Slip.exe	Get hash	malicious	Browse	132.226.247.73

Process:	C:\Users\user\Desktop\t40mINaB76.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.867806102757487
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	t40mINaB76.exe
File size:	886784
MD5:	245ec1208ca48e276c460411f78c1709
SHA1:	d11e01fe9082690cfedbdd60dcb720dc3cc31b50
SHA256:	4f226448711ce98504aa05d3ebdec11f518aa583f58d21b44869912b039a5bb7
SHA512:	e277d541f4db6a4bd4e1609e9633286a2d16661becd4bd65fcdadaea78e8494675ab85b6fe788e97c3da95af9616d03d8513d5710ff7d8eb3ac2d8a466a967d2
SSDEEP:	24576:y/W5X1K/W5kkPRrho0/T5UfjvHkEACW53jJ//0DJD:rp92k19UfDfW53FkV
TLSH:	671523443B1A93E4E8EDE37490495631063BB02ECAD0D56DFADA73CAD596372C823E17
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<................0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4d9e16
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF6D13CCD [Tue Mar 22 04:08:45 2101 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
dec eax
push edx
dec eax
inc ecx
xor eax, 45373434h
cmp byte ptr [3534564Eh], dh
xor eax, 4F373751h
push esp
inc ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd9dc4	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xda000	0x390	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xd9da8	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd7e34	0xd8000	False	0.9151159215856481	data	7.873493921273272	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xda000	0x390	0x400	False	0.37890625	data	2.875317760505998	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdc000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xda058	0x334	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.7132.226.8.16949776802842536 06/26/22-09:32:46.921589	TCP	2842536	ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check	49776	80	192.168.2.7	132.226.8.169

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 26, 2022 09:32:46.652586937 CEST	49776	80	192.168.2.7	132.226.8.169
Jun 26, 2022 09:32:46.920700073 CEST	80	49776	132.226.8.169	192.168.2.7
Jun 26, 2022 09:32:46.921561956 CEST	49776	80	192.168.2.7	132.226.8.169
Jun 26, 2022 09:32:46.921588898 CEST	49776	80	192.168.2.7	132.226.8.169
Jun 26, 2022 09:32:47.190963030 CEST	80	49776	132.226.8.169	192.168.2.7
Jun 26, 2022 09:32:47.191929102 CEST	80	49776	132.226.8.169	192.168.2.7
Jun 26, 2022 09:32:47.335665941 CEST	49776	80	192.168.2.7	132.226.8.169
Jun 26, 2022 09:33:52.190876007 CEST	80	49776	132.226.8.169	192.168.2.7
Jun 26, 2022 09:33:52.191035986 CEST	49776	80	192.168.2.7	132.226.8.169
Jun 26, 2022 09:34:27.232836962 CEST	49776	80	192.168.2.7	132.226.8.169
Jun 26, 2022 09:34:27.502173901 CEST	80	49776	132.226.8.169	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 26, 2022 09:32:46.479516983 CEST	58715	53	192.168.2.7	8.8.8.8
Jun 26, 2022 09:32:46.499239922 CEST	53	58715	8.8.8.8	192.168.2.7
Jun 26, 2022 09:32:46.580642939 CEST	60280	53	192.168.2.7	8.8.8.8
Jun 26, 2022 09:32:46.597374916 CEST	53	60280	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 26, 2022 09:32:46.479516983 CEST	192.168.2.7	8.8.8.8	0xdac	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)
Jun 26, 2022 09:32:46.580642939 CEST	192.168.2.7	8.8.8.8	0x6274	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 26, 2022 09:32:38.311145067 CEST	8.8.8.8	192.168.2.7	0x6bd2	No error (0)	a-0019.a-msedge.net	a-0019.a.dns.azurefd.net		CNAME (Canonical name)	IN (0x0001)
Jun 26, 2022 09:32:38.311145067 CEST	8.8.8.8	192.168.2.7	0x6bd2	No error (0)	a-0019.a.dns.azurefd.net	a-0019.standard.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Jun 26, 2022 09:32:38.311145067 CEST	8.8.8.8	192.168.2.7	0x6bd2	No error (0)	a-0019.standard.a-msedge.net		204.79.197.222	A (IP address)	IN (0x0001)
Jun 26, 2022 09:32:46.499239922 CEST	8.8.8.8	192.168.2.7	0xdac	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)
Jun 26, 2022 09:32:46.499239922 CEST	8.8.8.8	192.168.2.7	0xdac	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)
Jun 26, 2022 09:32:46.499239922 CEST	8.8.8.8	192.168.2.7	0xdac	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)
Jun 26, 2022 09:32:46.499239922 CEST	8.8.8.8	192.168.2.7	0xdac	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)
Jun 26, 2022 09:32:46.499239922 CEST	8.8.8.8	192.168.2.7	0xdac	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)
Jun 26, 2022 09:32:46.499239922 CEST	8.8.8.8	192.168.2.7	0xdac	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)
Jun 26, 2022 09:32:46.597374916 CEST	8.8.8.8	192.168.2.7	0x6274	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)
Jun 26, 2022 09:32:46.597374916 CEST	8.8.8.8	192.168.2.7	0x6274	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)
Jun 26, 2022 09:32:46.597374916 CEST	8.8.8.8	192.168.2.7	0x6274	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)
Jun 26, 2022 09:32:46.597374916 CEST	8.8.8.8	192.168.2.7	0x6274	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)
Jun 26, 2022 09:32:46.597374916 CEST	8.8.8.8	192.168.2.7	0x6274	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)
Jun 26, 2022 09:32:46.597374916 CEST	8.8.8.8	192.168.2.7	0x6274	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49776	132.226.8.169	80	C:\Users\user\Desktop\t40mINaB76.exe

Timestamp	kBytes transferred	Direction	Data
Jun 26, 2022 09:32:46.921588898 CEST	1166	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jun 26, 2022 09:32:47.191929102 CEST	1167	IN	HTTP/1.1 200 OK Date: Sun, 26 Jun 2022 07:32:47 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 34 33 2e 36 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.143.61</body></html>

Target ID:	0
Start time:	09:32:21
Start date:	26/06/2022
Path:	C:\Users\user\Desktop\t40mINaB76.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\t40mINaB76.exe"
Imagebase:	0x3a0000
File size:	886784 bytes
MD5 hash:	245EC1208CA48E276C460411F78C1709
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.384331004.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.384566708.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low

Show Windows behavior

Target ID:	3
Start time:	09:32:31
Start date:	26/06/2022
Path:	C:\Users\user\Desktop\t40mINaB76.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\t40mINaB76.exe
Imagebase:	0x9b0000
File size:	886784 bytes
MD5 hash:	245EC1208CA48E276C460411F78C1709
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000000.368941333.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000000.368941333.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.368941333.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000003.00000000.368941333.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000000.367162385.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000000.367162385.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.367162385.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000003.00000000.367162385.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.616880091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.616880091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.616880091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000003.00000002.616880091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000000.367916030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000000.367916030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.367916030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000003.00000000.367916030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	12.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	89
Total number of Limit Nodes:	5

Executed Functions

Function 00EAF882 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.383646371.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 986ddcf49df4b206dfec0f7b418662a23c4b302094cdd3d24e49a3fb6332f2fd
Instruction ID: ae0b63108820be29a6d3e6bf63dd3d6c363909d002887d54327fbfc800b7e2cd
Opcode Fuzzy Hash: 986ddcf49df4b206dfec0f7b418662a23c4b302094cdd3d24e49a3fb6332f2fd
Instruction Fuzzy Hash: 3EA18075E003598FCB04DBB0D8549DDBBB6FF8A304F158665E409BF2A5DB34A849CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00EAB020 Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00EAB090
GetCurrentThread.KERNEL32 ref: 00EAB0CD
GetCurrentProcess.KERNEL32 ref: 00EAB10A
GetCurrentThreadId.KERNEL32 ref: 00EAB163

Memory Dump Source

Source File: 00000000.00000002.383646371.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_t40mINaB76.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: aeedcd35950e9873e8595d4dd5fa5a06287a1dbbe0d5e35cd9c0a953c2414d35
Instruction ID: 4f34acef203b32d749b8980602d7f2669f3062dc25051013d389840cd78dfab8
Opcode Fuzzy Hash: aeedcd35950e9873e8595d4dd5fa5a06287a1dbbe0d5e35cd9c0a953c2414d35
Instruction Fuzzy Hash: 555154B4D053488FDB10CFAAC9887EEBBF0BF8A314F208459E019B7251C7746845CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00EAB030 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00EAB090
GetCurrentThread.KERNEL32 ref: 00EAB0CD
GetCurrentProcess.KERNEL32 ref: 00EAB10A
GetCurrentThreadId.KERNEL32 ref: 00EAB163

Memory Dump Source

Source File: 00000000.00000002.383646371.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_t40mINaB76.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a266f7ca68e85da8527bbc005107931773f1346da7c7d489d1a6d2d8e21e58d9
Instruction ID: 87df4d5541b159247cd86b19f34ebee086f80a82f78f0ce138184d10b16a0410
Opcode Fuzzy Hash: a266f7ca68e85da8527bbc005107931773f1346da7c7d489d1a6d2d8e21e58d9
Instruction Fuzzy Hash: A45142B4E057488FDB10CFAAD988BAEBBF0BF89308F208459E419B7350C7746844CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00EA8D30 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00EA8F76

Memory Dump Source

Source File: 00000000.00000002.383646371.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_t40mINaB76.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f6ac1616d4ece831390b92639ea8427ccca9a8ec4725a08ea1cc6b1a1f99b2da
Instruction ID: 1b2a28ed0b45e82889828f0667de7d072e1950139be8c3c41daa451ffc1d9c88
Opcode Fuzzy Hash: f6ac1616d4ece831390b92639ea8427ccca9a8ec4725a08ea1cc6b1a1f99b2da
Instruction Fuzzy Hash: 33813670A00B058FDB24DF29D54579ABBF5BF89304F10892AE48AEBA50DB74F805CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00EAF54D Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00EAF66A

Memory Dump Source

Source File: 00000000.00000002.383646371.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_t40mINaB76.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e15829e632864cb1839683d39513a803bd85d3dc745ccd9c87fe2a46f9ffa40c
Instruction ID: 5c6f7256118fd34a8eda21796bce10136cf3f150e21e95323db112e05fe06ffb
Opcode Fuzzy Hash: e15829e632864cb1839683d39513a803bd85d3dc745ccd9c87fe2a46f9ffa40c
Instruction Fuzzy Hash: 5651C3B1D003499FDB15CFA9C884ADDBFB1BF89314F24822AE415BB250D7749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00EAF558 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00EAF66A

Memory Dump Source

Source File: 00000000.00000002.383646371.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_t40mINaB76.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b6f9d7b11de08f5b34c58c2eb35d763a63d44872bf8df584b08b9fe5899e2af3
Instruction ID: cac23b48090e18a90d213cb4a9ec150e47f91f90c49a970a1ebac0d65bcd62ae
Opcode Fuzzy Hash: b6f9d7b11de08f5b34c58c2eb35d763a63d44872bf8df584b08b9fe5899e2af3
Instruction Fuzzy Hash: BD41AFB1D103499FDB14CF99C884ADEBBB5BF88314F24862AE819BB250D774A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00EAB253 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EAB2DF

Memory Dump Source

Source File: 00000000.00000002.383646371.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_t40mINaB76.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 64847f594dd0adabb50c59f272d97699d68241b9e1fded8fe831581b7299a35d
Instruction ID: 804eb266a7fbd0434cd0005f6db9a8fb88d60853b250bdcc862fdc22c07d301e
Opcode Fuzzy Hash: 64847f594dd0adabb50c59f272d97699d68241b9e1fded8fe831581b7299a35d
Instruction Fuzzy Hash: 6F2103B59002499FDB10CFA9D884AEEBFF4FB48324F14801AE954B7310C378A955CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EAB258 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EAB2DF

Memory Dump Source

Source File: 00000000.00000002.383646371.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_t40mINaB76.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f861fb43e8fe132cc963c2caab39d98497990282ebb00fdf1ffe05e02495cd06
Instruction ID: 82ac65aab3dbac6bf2c932aa0c9a90c17fe4a61f8a4900b5d19c8743cd53f1f5
Opcode Fuzzy Hash: f861fb43e8fe132cc963c2caab39d98497990282ebb00fdf1ffe05e02495cd06
Instruction Fuzzy Hash: 8721E2B59002489FDB10CFAAD984ADEBBF8FB48324F14841AE914B7310D378A954DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00EA9190 Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00EA8FF1,00000800,00000000,00000000), ref: 00EA9202

Memory Dump Source

Source File: 00000000.00000002.383646371.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_t40mINaB76.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e55324e4902e91fb937be4bb6a67c9b83692d5fecdb8f681aa776417f08ee1b0
Instruction ID: 68ccb2c58fcc9236153cde39a4a9c2116b5d1e57245265a0bf36a49377828a37
Opcode Fuzzy Hash: e55324e4902e91fb937be4bb6a67c9b83692d5fecdb8f681aa776417f08ee1b0
Instruction Fuzzy Hash: 4D2136B6D002498FCB10CFAAD884BDEFBF4AB99314F14852AD415B7201C375A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EA8800 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00EA8FF1,00000800,00000000,00000000), ref: 00EA9202

Memory Dump Source

Source File: 00000000.00000002.383646371.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_t40mINaB76.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 86b056ebff9f7811e896c99cba1443ecc298b6eda3f1162b32db919ce4016c0e
Instruction ID: cf24fdb033d0e91da0ef31520f215e15bb8874a8d027e8ee4c492a98c3e8f0e8
Opcode Fuzzy Hash: 86b056ebff9f7811e896c99cba1443ecc298b6eda3f1162b32db919ce4016c0e
Instruction Fuzzy Hash: 721114B69043499FCB10CF9AD844BDEFBF4EB99314F11842AE519BB200C374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00EA782B Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 00EA789D

Memory Dump Source

Source File: 00000000.00000002.383646371.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_t40mINaB76.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 5f2b23161b4c4f731c22006c73992839690debe6f62102809719718bbdfad71a
Instruction ID: ce6a47e75c7f6bd7590d32d7ef3eb2d63061164cacb2b62e7fc016b9cffe6fb8
Opcode Fuzzy Hash: 5f2b23161b4c4f731c22006c73992839690debe6f62102809719718bbdfad71a
Instruction Fuzzy Hash: B611DF75C08398CEDB11CFA5D4443EEBFF4AB4A318F0444AAD495BB282C3789608CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00EA8F10 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00EA8F76

Memory Dump Source

Source File: 00000000.00000002.383646371.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_t40mINaB76.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 45346387cee8dfda1c09f11793f32d9106933e872ac093baad86f83040a5c8f7
Instruction ID: 94422f5cc2b555a02adc136722aaf5bf02093ae31adc601717a745a1947b8296
Opcode Fuzzy Hash: 45346387cee8dfda1c09f11793f32d9106933e872ac093baad86f83040a5c8f7
Instruction Fuzzy Hash: 13111DB6D002498FDB10CF9AC944BDEFBF4EB89324F14852AD829B7200C778A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EAF7A0 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,?,?), ref: 00EAF7FD

Memory Dump Source

Source File: 00000000.00000002.383646371.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_t40mINaB76.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 6ec29e258ff296bb669c21f3158ae49352414e121f396238d0e5e56c8eddc969
Instruction ID: e8fa413e481ec118b0566b96967a110d88bbb1ab2f2532e4505c16c117264c12
Opcode Fuzzy Hash: 6ec29e258ff296bb669c21f3158ae49352414e121f396238d0e5e56c8eddc969
Instruction Fuzzy Hash: EC1100B59002488FDB10CF99D485BDEBBF8EB88324F20851AE814B7300C378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A0D1D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.370839789.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0d000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0dd7964e917957858e80ff2baba225c5bf79fd27c97f5972c2d08c2c6c9639
Instruction ID: 616e3ee4859bf42968ef07dc3d24395bdf3ac842485a722424183bd637cb324f
Opcode Fuzzy Hash: 5f0dd7964e917957858e80ff2baba225c5bf79fd27c97f5972c2d08c2c6c9639
Instruction Fuzzy Hash: 00210672604348DFCB05DF90E8C0B6ABF65FB88314F24C669E9055B286C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A0D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.370839789.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0d000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 918a178a8a3f76edd0c50cd5d6449c7e8a42f7266c9e5d430eaa2433d3712f50
Instruction ID: c49b4cbba3373732bc84a1c2470f996199abd1d9fb72286aab2a68192b79c0cd
Opcode Fuzzy Hash: 918a178a8a3f76edd0c50cd5d6449c7e8a42f7266c9e5d430eaa2433d3712f50
Instruction Fuzzy Hash: C52148B2504248DFDB01DF44E9C0B2ABF61FB88328F24C569ED050B286C336E805DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A1D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.370862383.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a1d000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b232ab8069f48e7eebd12d0f9df59b9ce3e9c13f5d2014ed732ece4233899f4
Instruction ID: ca0757173e7a9544dcb7aa6e4c7f670d91407f2cb26f813c5128df8b7dde4fa8
Opcode Fuzzy Hash: 2b232ab8069f48e7eebd12d0f9df59b9ce3e9c13f5d2014ed732ece4233899f4
Instruction Fuzzy Hash: 682129B1604244EFDB05DF14D9C0BA6BBB5FB84314F34CA6DE9095B246C33AD886CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A1D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.370862383.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a1d000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cae6e5c5eb6e5cb1901820d5caae09759e69acb21c2f03e7ede88af48ec1a94
Instruction ID: 6366439df3bbe5690635f2af6c21860b60f3024881b22dcbdcc233a5349fb1ed
Opcode Fuzzy Hash: 2cae6e5c5eb6e5cb1901820d5caae09759e69acb21c2f03e7ede88af48ec1a94
Instruction Fuzzy Hash: 97210475604244EFCB14DF14D9C0B66BB65FB88318F24C96DE90A4B246C33BD887CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00A1D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.370862383.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a1d000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab4ec9fb4fc703ef660470102a53ae072ea080098b435207e1f82c9ee6d73f55
Instruction ID: 0e97d39e3de0063a64afc26b04019a0a5fdd0e739a9da588fddfd459061e8e5d
Opcode Fuzzy Hash: ab4ec9fb4fc703ef660470102a53ae072ea080098b435207e1f82c9ee6d73f55
Instruction Fuzzy Hash: ED2181755093808FCB12CF24D994B55BF71EB4A314F28C5DAD8498B697C33AD84ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A0D1D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.370839789.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0d000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cde79d6d0e43d49321c99c57a5bfe87544c70e15d7d67dc809fe595ce8a0b83
Instruction ID: 817e9c01129cce694c951c95e1ce8b329a42861503a95ed168290cc31c296eb8
Opcode Fuzzy Hash: 5cde79d6d0e43d49321c99c57a5bfe87544c70e15d7d67dc809fe595ce8a0b83
Instruction Fuzzy Hash: 25219D76504284DFCB16CF50E9C4B56BF71FB88324F24C2A9DC040B696C33AD86ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A0D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.370839789.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0d000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a9d003929d6dc02cb6594d9b18e81f81af5a06eac6336c657b4c9dac273578b
Instruction ID: 39b731ebc3b8fa6317681de3d4ebb3bc0f82822c4d82f3570fa50ebb488e3fb6
Opcode Fuzzy Hash: 2a9d003929d6dc02cb6594d9b18e81f81af5a06eac6336c657b4c9dac273578b
Instruction Fuzzy Hash: 7D11AF76904284CFCB12CF54E9C4B16BF61FB84324F2486A9DC050B656C336E85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A1D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.370862383.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a1d000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 725603eaebc9f1d621427d3cb60e09fa8cbd8244e7a14264b829477f2138ecd5
Instruction ID: 4813fe9497f21de8df44de62d65321d76e997c11ec01e6bece43d4a5017dafbf
Opcode Fuzzy Hash: 725603eaebc9f1d621427d3cb60e09fa8cbd8244e7a14264b829477f2138ecd5
Instruction Fuzzy Hash: 65118B75904284DFCB11CF14D5C4B95BBA1FB85324F28C6A9D8494B656C33AD88ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A0D651 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.370839789.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0d000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442ad4043e179ced28bcfced3fd44d469e80164feec516b69058706a0aa99238
Instruction ID: 40b7279e2d8ff182fee12db4c14f71046582918255b7485ade9c82d2e947ecdc
Opcode Fuzzy Hash: 442ad4043e179ced28bcfced3fd44d469e80164feec516b69058706a0aa99238
Instruction Fuzzy Hash: D201F7724183889AE7105B65DCC4767FF98EF41338F188419ED085A2C6C37A9844DAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00A0D650 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.370839789.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0d000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b3fbec487a569b3872aa1562e40cfd76ea7353f659fd3498e439ed1553af60
Instruction ID: 271d6bb51df80dbb6fab155681525bc3d1fa13a9e069b7e690ca32e076f2dce8
Opcode Fuzzy Hash: 64b3fbec487a569b3872aa1562e40cfd76ea7353f659fd3498e439ed1553af60
Instruction Fuzzy Hash: E0F062724043889EEB108B15DDC4B63FF98EB42774F18C55AED085F286D3799C44DAB1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: t40mINaB76.exePID: 6256, Parent PID: 6564COMMON

Execution Graph

Execution Coverage:	17.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	40.7%
Total number of Nodes:	334
Total number of Limit Nodes:	57

Executed Functions

Function 02B45587 Relevance: 2.1, APIs: 1, Instructions: 634
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02B45635

Memory Dump Source

Source File: 00000003.00000002.617754919.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b40000_t40mINaB76.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f3550ec09b9e7f4db890f1964c6e91812329413508e38245b32bb95f00b07a9a
Instruction ID: bcf4e46b58ab23272df9a6e7f2a7b5937568ea1d580ecd0bd86b8893d6eb154d
Opcode Fuzzy Hash: f3550ec09b9e7f4db890f1964c6e91812329413508e38245b32bb95f00b07a9a
Instruction Fuzzy Hash: F462CE74E042288FDB24DF69C884BDDBBB2BB59304F6481EAD508A7355EB349E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B483C9 Relevance: 1.8, APIs: 1, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 02B4855B

Memory Dump Source

Source File: 00000003.00000002.617754919.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b40000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 78f77f63d66a30371d8703fe8bdb67e57882ea05092a30a16c4096c177d706c6
Instruction ID: d9691c14d37ad859dbce61c2b01b8c99286413dba7e3b70e40762b5535080ff4
Opcode Fuzzy Hash: 78f77f63d66a30371d8703fe8bdb67e57882ea05092a30a16c4096c177d706c6
Instruction Fuzzy Hash: 98C1A078E00218CFDB14DFA5D984BADBBB2FF89304F2080A9D809AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B46111 Relevance: 1.8, APIs: 1, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 02B461EC

Memory Dump Source

Source File: 00000003.00000002.617754919.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b40000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a5fd9eeb333bd26dbe2275176c5c0d50e2796b2a4e3dc4af2e97c595c2ac541f
Instruction ID: 5b279cb805ee2297fe7ef6f4f845860236a5592a5062a2fc7b63e3c2320bc3c8
Opcode Fuzzy Hash: a5fd9eeb333bd26dbe2275176c5c0d50e2796b2a4e3dc4af2e97c595c2ac541f
Instruction Fuzzy Hash: 49D1AF78E00218DFDB24DFA5D984BADBBB2FF89304F2081A9D809A7355DB355A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 06376038 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06376103

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ea119a025da7f0fb9c284456e3ef5e643097d15ef3506fb97f48ef0874545c6d
Instruction ID: c7e2ed2a36fd00fad7de220c28193b02203cd01bef0725d698b65cf68b85f541
Opcode Fuzzy Hash: ea119a025da7f0fb9c284456e3ef5e643097d15ef3506fb97f48ef0874545c6d
Instruction Fuzzy Hash: 50C1C274E00218CFDB64DFA5D994BADBBB2FF89304F2080A9D809AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0637F838 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0637F903

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 381f978ace881bd1e47451fab7ece0e1c9ae3d686c9694779d12dd2c99c89fb8
Instruction ID: ba6a350bd107cadcd6fc417aca540e6dbb6873801b286c1c801a441e648f0ad3
Opcode Fuzzy Hash: 381f978ace881bd1e47451fab7ece0e1c9ae3d686c9694779d12dd2c99c89fb8
Instruction Fuzzy Hash: A4C1B274E00218CFDB64DFA5D984BADBBB2FF89304F2081A9D809AB354DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06374628 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 063746F3

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: bfd3bd80a63c2b49b7488d556be5db8a89532c1e9b114e4d220c1e6e7548146e
Instruction ID: be924fbed26acf9e12cb1d8a55adc846862aca7b2530c4a1a1fef19b95e03555
Opcode Fuzzy Hash: bfd3bd80a63c2b49b7488d556be5db8a89532c1e9b114e4d220c1e6e7548146e
Instruction Fuzzy Hash: 3AC1B278E00258CFDB64DFA5D984BADBBB2FF89304F2080A9D409AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0637DE00 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0637DECB

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: dfadc3f5966fb07f4b826a4f63e2c253a040ecafe1fcca194fca38d613fa62e9
Instruction ID: 592f5d25c994236de190f1e1e30d6149203df9a9c3fb6ffc1ad3f3cad2edd008
Opcode Fuzzy Hash: dfadc3f5966fb07f4b826a4f63e2c253a040ecafe1fcca194fca38d613fa62e9
Instruction Fuzzy Hash: 37C1A174E00218CFDB64DFA5D984BADBBB2FF89304F2081A9D809AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06373070 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 0637313B

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2ef98cd563952c479be5a43ce1a02c48d678fc6a26a906ffbd5c085d6881f4e9
Instruction ID: 7a338b2a1d9de32d41edd243d27c956a4b69f8fc463eee3e9415b362aa9d07b0
Opcode Fuzzy Hash: 2ef98cd563952c479be5a43ce1a02c48d678fc6a26a906ffbd5c085d6881f4e9
Instruction Fuzzy Hash: 45C1A378E00218CFDB64DFA5D954B9DBBB2FF89304F2080A9D809AB354DB355A85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 06377A48 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06377B13

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: aa7d20419a8b3bba7435568cfdec86c950cda24de4e03fd9293f8cc788262677
Instruction ID: 3115c0a02c4b318859dc505a8d4b7cb296df635946ff2b5c2ae70886aa183d9d
Opcode Fuzzy Hash: aa7d20419a8b3bba7435568cfdec86c950cda24de4e03fd9293f8cc788262677
Instruction Fuzzy Hash: 8BC19174E00218CFDB64DFA5D984B9DBBB2AF89304F2080A9D809AB354DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06377EA0 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06377F6B

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3007183c2ce9506a26425d242321c2399a0276460e0b0ed34b0bb4a12f227492
Instruction ID: 2c3136b37e0ad768ac56d55b9f548d1e7c5b0c14434e6c34eab55c641e32fbbb
Opcode Fuzzy Hash: 3007183c2ce9506a26425d242321c2399a0276460e0b0ed34b0bb4a12f227492
Instruction Fuzzy Hash: 05C19374E00218CFDB64DFA5D994BADBBB2FF89304F2080A9D409AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06376490 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0637655B

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7d572beb32e5a6bf4b9af3f78e9c6a8f792e009c7ba86da3a0905705183f5ac0
Instruction ID: 34fcabadbf8f17aaa8c2e7c999cf37f8e41ecc962ed7d272cd0a8c47340ffc78
Opcode Fuzzy Hash: 7d572beb32e5a6bf4b9af3f78e9c6a8f792e009c7ba86da3a0905705183f5ac0
Instruction Fuzzy Hash: 1CC1B278E00218CFDB64DFA5D994BADBBB2FF89304F2080A9D409AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06374A80 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 06374B4B

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8429ad024952900e42427bc7c73059c521f9e29dfc44596dc8d307ba78ab59c9
Instruction ID: 535795aed6762748e05058049f18ea17f73d6dfcbf8ff7389a0c649671473ffe
Opcode Fuzzy Hash: 8429ad024952900e42427bc7c73059c521f9e29dfc44596dc8d307ba78ab59c9
Instruction Fuzzy Hash: 33C1A378E00218CFDB64DFA5D984B9DBBB2FF89304F2081A9D409AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0637E280 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0637E34B

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f2472c8039aca9970b54098496c987c06eecda2c3ae8ec6caebb20dc296dd221
Instruction ID: c7c8e4c5e6d779cf27eee0dbc8e9f56a7556209e060ef522213e4c0f76bee003
Opcode Fuzzy Hash: f2472c8039aca9970b54098496c987c06eecda2c3ae8ec6caebb20dc296dd221
Instruction Fuzzy Hash: FDC1A174E00218CFDB64DFA5D994BADBBB2FF89304F2081A9D809AB354DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 063782F8 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 063783C3

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1159791a7f3fb86b3cef32375f2e0739fe00ba6dec7486eda3b3bdd8c5e13ee7
Instruction ID: 254e49f0f80f46e7d305b85c8dc942e22a3ce6c656a5d642de713885ff364831
Opcode Fuzzy Hash: 1159791a7f3fb86b3cef32375f2e0739fe00ba6dec7486eda3b3bdd8c5e13ee7
Instruction Fuzzy Hash: 73C1B374E00218CFDB64DFA5D984BADBBB2FF89304F2080A9D409AB354DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 063768E8 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 063769B3

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6b88678215138ff27c7e7bb7cdced9de059b1de5ee98ee751c1b7f2a730e2fab
Instruction ID: 9e5a755ea1c3586fea16904b54d3902281834ddabfe9aba065629299e74c216b
Opcode Fuzzy Hash: 6b88678215138ff27c7e7bb7cdced9de059b1de5ee98ee751c1b7f2a730e2fab
Instruction Fuzzy Hash: 4BC1B274E00218CFDB64DFA5D995BADBBB2FF89304F2080A9D809AB354DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0637E6D8 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0637E7A3

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8bc5bf2f58de24c88bce4e40cb4e5a2ceb561884094325168ffd68eca074f9b3
Instruction ID: 325efb0666e491affcfc50e2fce68cac212d0e60e0e074c6df3956544318d668
Opcode Fuzzy Hash: 8bc5bf2f58de24c88bce4e40cb4e5a2ceb561884094325168ffd68eca074f9b3
Instruction Fuzzy Hash: 3AC1B274E00258CFDB64DFA5D984BADBBB2FF89304F2080A9D809AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06374ED8 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 06374FA3

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 721cc4dcaba80ebec5f3a4359694c129041328b16e7a8229875d169915c48bef
Instruction ID: 64679c87249135673475862132dd330b22b5c02c6588c7eb65c4741199e9415b
Opcode Fuzzy Hash: 721cc4dcaba80ebec5f3a4359694c129041328b16e7a8229875d169915c48bef
Instruction Fuzzy Hash: FBC1A378E00258CFDB64DFA5D984B9DBBB2FF89304F2080A9D409AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 063734C8 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 06373593

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 259d6d3075b381d80a10e608dbb51ddd8d792d59467fe1f0ede093f7c6e48d39
Instruction ID: c30f29b2d839b756830a409a3aef8d26c6cce6c81efacfd99c7343d17844dc93
Opcode Fuzzy Hash: 259d6d3075b381d80a10e608dbb51ddd8d792d59467fe1f0ede093f7c6e48d39
Instruction Fuzzy Hash: 32C1B374E00218CFDB64DFA5D984BADBBB2FF89304F2081A9D409AB354DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06375330 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 063753FB

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a3901c9efd6aeb70866a173909c34791c260c9d2db0f6ae0154405b147e3ff07
Instruction ID: 6c7f3c17a84da825d05f8fd0d5c409139fcc67eee71043e98505d4cdedb02d17
Opcode Fuzzy Hash: a3901c9efd6aeb70866a173909c34791c260c9d2db0f6ae0154405b147e3ff07
Instruction Fuzzy Hash: 02C1B278E00258CFDB64DFA5D984BADBBB2FF89304F2080A9D409AB354DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0637EB30 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0637EBFB

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4cc247a1c9e2cb09dfd20734236c5e41c48f0ae66b6277f09d8044aecf994845
Instruction ID: 1f314a9af1bd8dda86f9a7197361d6a7d7a1291ef3cfd08617a2d1c0741b587b
Opcode Fuzzy Hash: 4cc247a1c9e2cb09dfd20734236c5e41c48f0ae66b6277f09d8044aecf994845
Instruction Fuzzy Hash: 43C1A378E00218CFDB64DFA5D994B9DBBB2FF89304F2081A9D809AB354DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06373920 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 063739EB

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 96e9b5933b4f5521acd2352e91241f35865da0a2241da2e2ebb5e98df4f5161e
Instruction ID: 3436439ead5535fecb516397e4db6546a421be4ff621f4043aaa57318624e373
Opcode Fuzzy Hash: 96e9b5933b4f5521acd2352e91241f35865da0a2241da2e2ebb5e98df4f5161e
Instruction Fuzzy Hash: 69C1A374E00218CFDB64DFA5D954BADBBB2FF89304F2080A9D809AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06373D78 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 06373E43

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 53aba75381cabaf3c52a711c9645194a359b8ae610b435452baa98ef1f56aa48
Instruction ID: 6e262718956ac5f61b736381480f79f4c3442eb212a09dddb0f0b241809aa1f9
Opcode Fuzzy Hash: 53aba75381cabaf3c52a711c9645194a359b8ae610b435452baa98ef1f56aa48
Instruction Fuzzy Hash: DFC1A278E00218CFDB64DFA5D994BADBBB2FF89304F2080A9D409AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06378750 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0637881B

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: cddfe94a196e3c03d70d5a2409b28982aaa4aa4dda7e2dbcda394ca3080807a6
Instruction ID: e5ecbf6961bcb251f292ab490cacb85b12930f3e72d62725043cac0be5d9e63d
Opcode Fuzzy Hash: cddfe94a196e3c03d70d5a2409b28982aaa4aa4dda7e2dbcda394ca3080807a6
Instruction Fuzzy Hash: 1EC1A274E00218CFDB64DFA5D994BADBBB2FF89304F2081A9D809AB354DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06376D40 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06376E0B

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7836c070fa70e5ee5b5c727301d19dfa50071a7b9663e31af6f0665eb81a8f70
Instruction ID: 90fb5fda5f02845d4dd8115ec7ae7296faabb62775e4e2b179cd3ee4ddefcf57
Opcode Fuzzy Hash: 7836c070fa70e5ee5b5c727301d19dfa50071a7b9663e31af6f0665eb81a8f70
Instruction Fuzzy Hash: E5C1A274E00218CFDB64DFA5D994BADBBB2FF89304F2080A9D809AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06377198 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06377263

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: eaac5d2fc120ecaf7b87c375a386a836bc4f948cae990b06e4eed9d3ab9d008b
Instruction ID: 7ce6bd41d838ad407b1d1285f6ac4952da4fb3270deeb3b7056414328a15139f
Opcode Fuzzy Hash: eaac5d2fc120ecaf7b87c375a386a836bc4f948cae990b06e4eed9d3ab9d008b
Instruction Fuzzy Hash: 40C1A274E00258CFDB64DFA5D994BADBBB2FF89304F2080A9D809AB354DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0637EF88 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0637F053

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: df48f5d4071991f61cdc11ef4e6a56f80aa4f862379d85b5dbd46af40420d6dd
Instruction ID: 083034b600f96887cb02821e8e05cef4786b0e79101ce7a87fe86fa85f691ff0
Opcode Fuzzy Hash: df48f5d4071991f61cdc11ef4e6a56f80aa4f862379d85b5dbd46af40420d6dd
Instruction Fuzzy Hash: EDC1A378E00218CFDB64DFA5D984B9DBBB2FF89304F2080A9D409AB354DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06375788 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 06375853

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e86b18665a4bdf31cc057cf1c31a587378f94330616856d14cc34fbd88c18663
Instruction ID: d7ee10d779d6ceeaeb4f1c5bb198fc69c0e0cc804bc1dafb11872851e4e97629
Opcode Fuzzy Hash: e86b18665a4bdf31cc057cf1c31a587378f94330616856d14cc34fbd88c18663
Instruction Fuzzy Hash: 7DC1A374E00258CFDB64DFA5D984BADBBB2FF89304F2080A9D409AB354DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 063775F0 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 063776BB

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d610f3243421bacdbfcb43ef15af88a795cb0212dea73fafbec551ad55d66095
Instruction ID: bf4adfb871919012bd88fee8d8ec8c6cee225239b9070bd5881245352550b61d
Opcode Fuzzy Hash: d610f3243421bacdbfcb43ef15af88a795cb0212dea73fafbec551ad55d66095
Instruction Fuzzy Hash: 6AC1A274E00218CFDB64DFA5D944BADBBB2FF89304F2080A9D409AB354DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06375BE0 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06375CAB

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ffcd1fdff51a3f11580fd364afdd82f3baec76cf67bdb4015da585b440f0645a
Instruction ID: 7a8ceb3bac690560142987664e4a59067c273202ec46c3075a1025c537cb3129
Opcode Fuzzy Hash: ffcd1fdff51a3f11580fd364afdd82f3baec76cf67bdb4015da585b440f0645a
Instruction Fuzzy Hash: 51C1A374E00218CFDB64DFA5D994BADBBB2FF89304F2080A9D409AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0637F3E0 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0637F4AB

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4be6a489cc517d113d5dea017808cb1906e8a558d774ebd9df0490ff3d2e69db
Instruction ID: 3034109d4018d321868c85dfa03e036ea34ce918d426ace5549ed25c1c09b716
Opcode Fuzzy Hash: 4be6a489cc517d113d5dea017808cb1906e8a558d774ebd9df0490ff3d2e69db
Instruction Fuzzy Hash: 93C1B378E00258CFDB64DFA5D994BADBBB2FF89304F2080A9D409AB354DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 063741D0 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 0637429B

Part of subcall function 06372AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: fda9f95d61184e6984259ceaa3558ae192622519ee1967d8f75816eeaf9b1605
Instruction ID: f46dfe92f3d646bb039ce8fdf330d5cf3eef09853e2958d85edc5cb71c3c5ab6
Opcode Fuzzy Hash: fda9f95d61184e6984259ceaa3558ae192622519ee1967d8f75816eeaf9b1605
Instruction Fuzzy Hash: 2CC1A378E00218CFDB64DFA5D984B9DBBB2FF89304F2081A9D409AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B4E758 Relevance: 1.7, Strings: 1, Instructions: 475COMMON

Download Yara Rule

Strings

D08l, xrefs: 02B4E8BB

Memory Dump Source

Source File: 00000003.00000002.617754919.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b40000_t40mINaB76.jbxd

Similarity

API ID:
String ID: D08l
API String ID: 0-1120035950
Opcode ID: ed7f2f6a119aaa9c705911edf4f2bd5d98a5794ee3aa004d37106c38dc579f66
Instruction ID: 01919f14f290e45d9279fbaf9d68f4ef01b665628f4f02d420c47c07db421a03
Opcode Fuzzy Hash: ed7f2f6a119aaa9c705911edf4f2bd5d98a5794ee3aa004d37106c38dc579f66
Instruction Fuzzy Hash: 4F123574E042188FDB24DFA4C8947ADBBB2FF89304F2081AAD509AB395DB359D45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 063775E0 Relevance: 1.6, APIs: 1, Instructions: 124COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 063776BB

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f6f8a1a137cce334b0c309dd9b65772f2163b13cb784c9d02dbee619bc1bcd15
Instruction ID: 6aa11de0d54f3b317d23b4e6b7a4395b88d586bb81991e91d495ee6af51c18e7
Opcode Fuzzy Hash: f6f8a1a137cce334b0c309dd9b65772f2163b13cb784c9d02dbee619bc1bcd15
Instruction Fuzzy Hash: 33415975E05288CFDB15CFBAD8406DDBBB2EF8A304F24C16AC418AB255DB39590ACF40

Uniqueness

Uniqueness Score: -1.00%

Function 063782E8 Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 063783C3

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 460ef86c1d9717ae19094defbe4c406164ab538374066f97e77ecc2e5a3b87b9
Instruction ID: 71c53c2b54c93290f68e745704bf45dfc0d093f28db1a041afdda1b3551f1908
Opcode Fuzzy Hash: 460ef86c1d9717ae19094defbe4c406164ab538374066f97e77ecc2e5a3b87b9
Instruction Fuzzy Hash: AC41E474E00248DBEB58DFAAC8446EEFBB2AF89304F24D13AC415BB254DB385946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06373D68 Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06373E43

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3ae749a861680b76dedb03695c53e88511335c108e3f1c80270d823a0478b110
Instruction ID: dae786bb209d51029d9781b09f22b636ac97f49561918cd69905e4dd7d6df109
Opcode Fuzzy Hash: 3ae749a861680b76dedb03695c53e88511335c108e3f1c80270d823a0478b110
Instruction Fuzzy Hash: E641F374E012088BEB58DFAAD8446DEFBF2EF89304F24D12AC418BB255DB395906CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0637F828 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0637F903

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3187b002b9768daa9684186a0cbac1f516c06b322beeadee7748b97faefafe15
Instruction ID: 3189b169f92975d30bdc0ead13cd3b11e326e7a1d6ea57c619e4d52f90482650
Opcode Fuzzy Hash: 3187b002b9768daa9684186a0cbac1f516c06b322beeadee7748b97faefafe15
Instruction Fuzzy Hash: D341E570E01248DBDB58DFAAD8946EEFBB2BF89304F20C12AC414AB354DB395906CF40

Uniqueness

Uniqueness Score: -1.00%

Function 063734B8 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06373593

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 08118a225aaa0756a1a03a0a64dc57788d556c0af302a817f8d0b0f962de3517
Instruction ID: d85e57ee9f0c957ccf5886ea000b1b68542e4664562405931776626409904333
Opcode Fuzzy Hash: 08118a225aaa0756a1a03a0a64dc57788d556c0af302a817f8d0b0f962de3517
Instruction Fuzzy Hash: 5E41D274E01248DBEB58DFAAD9446DEFBB2AF89304F24C12AC414BB254DB395946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06377E90 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06377F6B

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b0d9ec1ae534dfa657a7db9a7370eddb6d246c46e9a7aad21597d7e0a493e966
Instruction ID: c50d3a7bf9d094a0809a9ea60497206faf31386d5843f89aa540f6ec7280f509
Opcode Fuzzy Hash: b0d9ec1ae534dfa657a7db9a7370eddb6d246c46e9a7aad21597d7e0a493e966
Instruction Fuzzy Hash: 0A41D574E002088BDB58DFA6D9846DEFBF2AF89300F20C12AC418BB358DB395906CF50

Uniqueness

Uniqueness Score: -1.00%

Function 063768D8 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 063769B3

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0e1afaf5eacd80bf64631b4344aac2383c3383db8757b177cdf614c9d4120cb0
Instruction ID: 2b3a5980e2d0e7c9fd7e4b1ff0b9d0d9ab2651a1b40e9e041f5bfab57510cc7f
Opcode Fuzzy Hash: 0e1afaf5eacd80bf64631b4344aac2383c3383db8757b177cdf614c9d4120cb0
Instruction Fuzzy Hash: 5741F370E00608CBDB58DFAAD8556DEFBB2EF89300F24C12AC418BB658DB385946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0637E6C8 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0637E7A3

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6d93a9b7fc0622abae85765fa193940a8096806fe369fb6058fe41d2b11e49b5
Instruction ID: 403a1b2d6d8ecfbb6746832380ae24bd60f7009c8f2795a3e8fc976b8359dfd1
Opcode Fuzzy Hash: 6d93a9b7fc0622abae85765fa193940a8096806fe369fb6058fe41d2b11e49b5
Instruction Fuzzy Hash: 3541D274E052488BDB58DFAAD8946DEFBB2EF89300F24C16AC414BB354DB39594ACF50

Uniqueness

Uniqueness Score: -1.00%

Function 0637EF79 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0637F053

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c55008aa5c3f91e9e43001bc1849fd373531e9d7cc4444b33f9fe55e6725df89
Instruction ID: 77510cd5840f4ff1418a2b7fb168f678e3b8cc9b16b5d38fbc8b27b8c899a015
Opcode Fuzzy Hash: c55008aa5c3f91e9e43001bc1849fd373531e9d7cc4444b33f9fe55e6725df89
Instruction Fuzzy Hash: 4241B275E012488BEB58DFA6D9946AEFBB2EF89300F24C12AC414AB354DB395946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06377188 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06377263

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 17a6428672595e0d7e93b117d7008757fe008520b5c9b83041a443b443202d80
Instruction ID: 44e81603a8dff87936e598d15ddfc811fd88a383142b97047eaa3eb270ddb035
Opcode Fuzzy Hash: 17a6428672595e0d7e93b117d7008757fe008520b5c9b83041a443b443202d80
Instruction Fuzzy Hash: 0D41E474E012488BDB58DFAAD8546DEFBF2AF89304F60C12AD418BB354DB385946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06375BD0 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06375CAB

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6836a38aba3d899d83e12967844b1badecfccb00ed02fada0a65a0a36c8634e2
Instruction ID: 05760f7829cc07db24d2c2c03f9effe1f3b1652b7d64af463038f90c566f2511
Opcode Fuzzy Hash: 6836a38aba3d899d83e12967844b1badecfccb00ed02fada0a65a0a36c8634e2
Instruction Fuzzy Hash: 8941C275E01208CBEB58DFAAD9546DEFBF2AF89300F24C12AD418BB254DB395946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06374619 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 063746F3

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 77571057d68e02f088073ead0adb96965f4291baf20c3ea8124d3778c61dd332
Instruction ID: accacbab7f293ee8fb8e91482a990a82e38697a72eabb54d1a4160cb2e77fda4
Opcode Fuzzy Hash: 77571057d68e02f088073ead0adb96965f4291baf20c3ea8124d3778c61dd332
Instruction Fuzzy Hash: 4E41E574E012488BDB58DFAAD9446DEFBF2AF89304F20D12AC418BB355DB385946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0637EB20 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0637EBFB

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 77ce9d7b0f46459308d95715ff742023f3288a964ab0e9465300aa136d77d89b
Instruction ID: b3db758d7d450006f36bd5cb71a23241e963dc97ebbaf4f869c0ff07200d22ff
Opcode Fuzzy Hash: 77ce9d7b0f46459308d95715ff742023f3288a964ab0e9465300aa136d77d89b
Instruction Fuzzy Hash: 8841F375E012088BEB18DFA6D9546DEFBF2AF89304F24C16AC418BB354DB385946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06375778 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06375853

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 5460673a4c4cf2efb3a347b7f1874a825f59afecdf27f132d5f12a9d71f3eae5
Instruction ID: adbe52424c991b79774b838032045da93cd1e06664138083afa9725db876fe2e
Opcode Fuzzy Hash: 5460673a4c4cf2efb3a347b7f1874a825f59afecdf27f132d5f12a9d71f3eae5
Instruction Fuzzy Hash: 1B41D274E012488BDB58DFAAD8446EEFBB2EF89310F24C12AD419BB354DB395946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06378741 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0637881B

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 44ee9f2b69a2d876bcfe790c365d90b3ae18bdebae2b5df1d0f07bd906219813
Instruction ID: 0e8adf3ff0461c399b92d1756bfee79a39bab05c5020d91b619af988bee2fd71
Opcode Fuzzy Hash: 44ee9f2b69a2d876bcfe790c365d90b3ae18bdebae2b5df1d0f07bd906219813
Instruction Fuzzy Hash: 4C41D1B5E012489BDB58DFAAD88469EFBB2EF89300F24C13AC419AB254DB395945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0637DDF0 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0637DECB

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 36c8600307199cdb915861f7d7b7c3c7b53251836c5d06ee9e0383f5040c2565
Instruction ID: 1b338ddaf4a8e048b1bb40477c5ce125a1da43eea3091c53a7906fc49eb3034d
Opcode Fuzzy Hash: 36c8600307199cdb915861f7d7b7c3c7b53251836c5d06ee9e0383f5040c2565
Instruction Fuzzy Hash: 93410571D01248CBDB18DFAAD9546DEFBF2AF89300F24C16AC818BB255DB395946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0637F3D0 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0637F4AB

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2f0b8ce456b6b60f827ef43290546cf83cd641205b7b8712735541a08eb06d6e
Instruction ID: a8238307f8d1b03292243b2fe9bd6fd9337c461c6751952cd9a8390bd9ec15fa
Opcode Fuzzy Hash: 2f0b8ce456b6b60f827ef43290546cf83cd641205b7b8712735541a08eb06d6e
Instruction Fuzzy Hash: F241D475D01248CBDB58DFAAD9546EEFBB2BF89304F24C12AC814BB254DB395946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06374EC8 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06374FA3

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d07fe4c79df5d3b79b553dc7d3c68ce5bc81263f777c537aaafdd173e36b8380
Instruction ID: 27d9fc6c14da9618baa3ab6f445ec680eec8a6b8266133a7610f47dfba0066da
Opcode Fuzzy Hash: d07fe4c79df5d3b79b553dc7d3c68ce5bc81263f777c537aaafdd173e36b8380
Instruction Fuzzy Hash: 1241E275E01208CBEB58DFAAD9506DEBBF2AF89304F20C12AC418BB255DB395946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06373910 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 063739EB

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 5ffef092c870b066ad3d8fb3b2b5f8aa838af9063f83caa3364d9b3073d1c816
Instruction ID: 523231cbbf609bce81335c8db1efbd2a911b6d4ff0fdcb180efe82c7e49ac68a
Opcode Fuzzy Hash: 5ffef092c870b066ad3d8fb3b2b5f8aa838af9063f83caa3364d9b3073d1c816
Instruction Fuzzy Hash: 7D41D574D012488BEB58DFA6D8547DEFBB6AF89300F20C12AD818BB254DB385945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06377A3A Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06377B13

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f5ad67a448f0a4b8d947e6d7a7a08ffe72fcaf5a2746db2431fc951a4456f193
Instruction ID: 2912cfc2cff4bc0326cbdf9bac8c9c7d8b7f2eb70cda25cc08e45e5e7ab5cb95
Opcode Fuzzy Hash: f5ad67a448f0a4b8d947e6d7a7a08ffe72fcaf5a2746db2431fc951a4456f193
Instruction Fuzzy Hash: A941F274E012088FEB58DFAAD8446DEFBB2AF89300F20D12AC418BB354DB385946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06374A70 Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06374B4B

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9899aa172bad87625e89be43df2ad26cc3be795f9688245b40c0139db3ff099d
Instruction ID: fb43567dc471f1e032c5b8d7aabe1d7dc8e0d391a3b834d61888d33950ba6404
Opcode Fuzzy Hash: 9899aa172bad87625e89be43df2ad26cc3be795f9688245b40c0139db3ff099d
Instruction Fuzzy Hash: 1341D274E012488BDB58DFAAD8446EEFBF2AF89304F20D12AC418BB359DB395945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06375321 Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 063753FB

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 68148637f7b577ede37377283cd04f2260d938189f341baaabf45764c62f274e
Instruction ID: 67adbce485b33b643809093e469181cffd74de316588b546e78855fcb79a1532
Opcode Fuzzy Hash: 68148637f7b577ede37377283cd04f2260d938189f341baaabf45764c62f274e
Instruction Fuzzy Hash: 7141E274E01248CBDB58DFAAD8546EEFBB2AF89310F64D12AC418BB354DB394946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06376028 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06376103

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0f5fb60957bc9eb8cbb088470b1c47f5fd0fcd86c51cd5d8b722d490650bb0b4
Instruction ID: d2eee68507b57a19ba1e702c885af4324ce8a2cb3707cd6d8b2eef7e31369ae7
Opcode Fuzzy Hash: 0f5fb60957bc9eb8cbb088470b1c47f5fd0fcd86c51cd5d8b722d490650bb0b4
Instruction Fuzzy Hash: 2241F574D01648CBDB58DFAAD55569EFBB2AF89304F24C12AC818BB355DB384946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06376482 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0637655B

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 04be8757563f3268f45724e5c1675ba267586ba9906fb01dc6f7417b6b44989e
Instruction ID: 708d6380787ace988c7a2eee1b8da302b4f76df82b90eb677b5f5e09811829f1
Opcode Fuzzy Hash: 04be8757563f3268f45724e5c1675ba267586ba9906fb01dc6f7417b6b44989e
Instruction Fuzzy Hash: DF41F574E01608DBDB18DFA6D9556DEFBB2AF89304F20C12AC418BB358DB385945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06376D36 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06376E0B

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e2ad9b7d94880c6a499fbd8f4aef6f4bbc2e74619793ec2a659a58f13a0c830c
Instruction ID: 2d1778bd6925f349b29afedd35e66095f8e90b8cdcc48b19cb3e2752d159ff11
Opcode Fuzzy Hash: e2ad9b7d94880c6a499fbd8f4aef6f4bbc2e74619793ec2a659a58f13a0c830c
Instruction Fuzzy Hash: 0D41E270E012088BDB18DFAAD9556EEFBB2AF89304F20D12AC418BB354DB395946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 063741C0 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0637429B

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ae2be8011ca26f50179e1b51fffaca6aa8058ac36319affff15a1c3897c83394
Instruction ID: 15f08a3f3a12685737e35928af42ef77dc41e4413ca712297a754c61f36ee5cf
Opcode Fuzzy Hash: ae2be8011ca26f50179e1b51fffaca6aa8058ac36319affff15a1c3897c83394
Instruction Fuzzy Hash: CB41F5B5E012488FDB58DFAAD9546DEFBF2AF89304F20C12AC414BB255DB385945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06373062 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0637313B

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2dd40de508d11ec7aa93bdfae9f68609d1dcfaf3a6d48c1b5b0fed48dea01165
Instruction ID: d7de89b30fa88874c7d702a0d2691c9ec9bbb6c9dc97afed0f077acd6761cce4
Opcode Fuzzy Hash: 2dd40de508d11ec7aa93bdfae9f68609d1dcfaf3a6d48c1b5b0fed48dea01165
Instruction Fuzzy Hash: FD41E475E012488BEB58DFAAD5446DEFBB2AF89300F24C12AC418BB254DB394945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B46B88 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.617754919.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b40000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b71b84300f6e9da51c83c6899922c444e44997882e5df4e45009367026311660
Instruction ID: 847f2c8b11106d7aab96b952003bff7b55b9e8a6d0e6dd340a168a4dd3c66eb6
Opcode Fuzzy Hash: b71b84300f6e9da51c83c6899922c444e44997882e5df4e45009367026311660
Instruction Fuzzy Hash: CCF1F374E012188FDB14DFA9C884B9DFBB2FF89304F2581A9D808AB355DB75A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B47200 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.617754919.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b40000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 806162dcbb875d8c002ed1efa04e88f3075f6fec31e4a612b17c9833711ea6df
Instruction ID: 47a229a434a5d0db4b48cb2f9bbea75838a14d62c4c8eef3c0ea3523680b4ffb
Opcode Fuzzy Hash: 806162dcbb875d8c002ed1efa04e88f3075f6fec31e4a612b17c9833711ea6df
Instruction Fuzzy Hash: A2D1E378E00258CFDB24DFA5D885B9DBBB2FF89304F1080A9D809AB355DB355A85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B4FB30 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.617754919.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b40000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86ab4292c7d35f0928d1220c7fe4441ccc09a72550c6e5ec781053e4a79897f9
Instruction ID: 96e89e6e12f1b19566edfa2fbdf91d9d2d8ffd4c8f98c67269d647a16373643a
Opcode Fuzzy Hash: 86ab4292c7d35f0928d1220c7fe4441ccc09a72550c6e5ec781053e4a79897f9
Instruction Fuzzy Hash: 03C1B378E00218CFDB54DFA5D984BADBBB2FF89304F2081A9D809AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B4F280 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.617754919.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b40000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b907607d752288b25804181e5f339caf428d11fe3f0361f81dfa12af46f5820
Instruction ID: 85ff7e3856ecbe567df61b1a19ce7e76f4acc7a774bcc9830ecac1b94faa0647
Opcode Fuzzy Hash: 3b907607d752288b25804181e5f339caf428d11fe3f0361f81dfa12af46f5820
Instruction Fuzzy Hash: E6C1A274E00218CFDB64DFA5D994BADBBB2FF89304F2081A9D809AB354DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B47B08 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.617754919.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b40000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e746b306b5516142e3fc4878b3daf0b61c3d63927a66a2432f1806bdb5cc4d
Instruction ID: a06d6b286989389533809920e2a3c87a084a3b32a9a64dae8d015ebe79ffdef4
Opcode Fuzzy Hash: d6e746b306b5516142e3fc4878b3daf0b61c3d63927a66a2432f1806bdb5cc4d
Instruction Fuzzy Hash: 0CD1AF78E00258CFDB24DFA5D984BADBBB2FF89304F2081A9D809A7355DB355A85DF10

Uniqueness

Uniqueness Score: -1.00%

Function 02B4EE28 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.617754919.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b40000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bce6264c56765955114a89a43303247da27d90b60f3ca6f6afacd892d5b9aa77
Instruction ID: 7bc923ac8a2306847a1f9e1e867eed7565205c2464622d4cf97ffefd3a74c711
Opcode Fuzzy Hash: bce6264c56765955114a89a43303247da27d90b60f3ca6f6afacd892d5b9aa77
Instruction Fuzzy Hash: 1EC1B378E00218CFDB54DFA5D984BADBBB2FF89304F2081A9D809AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B47F68 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.617754919.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b40000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1210fde09c140a29badd9ced4c12c53dec4e6068ad2e1979ad841b5120157ca4
Instruction ID: f9490f268f84b2fe66ea2c198a2b0ad0ccafe9e84bf87d70da45a6a169a028e1
Opcode Fuzzy Hash: 1210fde09c140a29badd9ced4c12c53dec4e6068ad2e1979ad841b5120157ca4
Instruction Fuzzy Hash: 4DD19178E00258CFDB24DFA5D994BADBBB2FF89304F2081A9D809A7354DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B476A8 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.617754919.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b40000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 324e277039041924c4da11e0c374245b2bff1e333b761cdc2dbd03d34e2360a7
Instruction ID: 5f2376629ef62b2632e61ab34db87dc4d6e8bf5cb08fee16129db01dfdb62481
Opcode Fuzzy Hash: 324e277039041924c4da11e0c374245b2bff1e333b761cdc2dbd03d34e2360a7
Instruction Fuzzy Hash: 82C19F78E00258CFDB14DFA5D984BADBBB2FF89304F2081AAD809A7354DB355A85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B4F6D8 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.617754919.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b40000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb86ea3a5f4b6575f632e1b1b89035ae07b3a9df97d8cdf825aa9737edcba205
Instruction ID: d4b3aeba9466ba4fcc72e5b62ca4a4146cb313e539e9b8ac16c9538c184502bf
Opcode Fuzzy Hash: eb86ea3a5f4b6575f632e1b1b89035ae07b3a9df97d8cdf825aa9737edcba205
Instruction Fuzzy Hash: 61C1B174E00218CFDB64DFA5D984BADBBB2FF89304F2080A9D809AB354DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B466E8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.617754919.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b40000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b4357cca4a187fa53ad9b6ea7220b16384f5be56d92c7600f5959ea33dda339
Instruction ID: 49b491faf041b3968388f0a544ca16978c040752b83137e82845898543188e4f
Opcode Fuzzy Hash: 4b4357cca4a187fa53ad9b6ea7220b16384f5be56d92c7600f5959ea33dda339
Instruction Fuzzy Hash: 73A10474D00208DFDB14DFA9C889BEDBBB1FF89304F209269E508AB291DB759985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02B466F8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.617754919.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b40000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad316d29532c4d8e0119fb6185ae043734fb253ef9716f390380e2b66e80f0c8
Instruction ID: bbe3c9668be338191339fe374b9d1cf706008ac17b7ea9f6f1ebd84971c505eb
Opcode Fuzzy Hash: ad316d29532c4d8e0119fb6185ae043734fb253ef9716f390380e2b66e80f0c8
Instruction Fuzzy Hash: 1FA10474D00208DFDB24DFA9C889BEDBBB1FF89304F209269E508AB291DB755985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02B46A3E Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.617754919.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b40000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f62b5db42493f9e74f5d196778334d1e3311977269ea9e737e6d6fc91a33130c
Instruction ID: 9c817b5cdf54be442f9e535c10fa4d3b566f955b970f9562708c908df33f21a5
Opcode Fuzzy Hash: f62b5db42493f9e74f5d196778334d1e3311977269ea9e737e6d6fc91a33130c
Instruction Fuzzy Hash: 03912574D00608DFDB14DFA8C489BEDBBB5FF49304F2092AAE509AB291DB719985CF11

Uniqueness

Uniqueness Score: -1.00%

Function 02B43450 Relevance: 1.7, APIs: 1, Instructions: 195COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02B43506

Memory Dump Source

Source File: 00000003.00000002.617754919.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b40000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b6f0d53f4f496a18f6f7871467f83208cb6e890d8d820fe2140e0373204c3b31
Instruction ID: 6c9c70b7889b6845f76795ca39fb9b881a1290bf44760521c3ec9a439d5bb239
Opcode Fuzzy Hash: b6f0d53f4f496a18f6f7871467f83208cb6e890d8d820fe2140e0373204c3b31
Instruction Fuzzy Hash: C151F03943160AEFC2202B61BAAE17EBFB6FF5F7137417C10B20A818958FB4004ADA15

Uniqueness

Uniqueness Score: -1.00%

Function 02B43460 Relevance: 1.7, APIs: 1, Instructions: 188COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02B43506

Memory Dump Source

Source File: 00000003.00000002.617754919.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b40000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b2ed1c3be6c9d3315887ec6152e6e41d09eeae60f29ff8d1efdae468c3b3127b
Instruction ID: fab8cfb96215c4503d73af862f063ab67b439225a48bcd4e9f661cd29b2f6df3
Opcode Fuzzy Hash: b2ed1c3be6c9d3315887ec6152e6e41d09eeae60f29ff8d1efdae468c3b3127b
Instruction Fuzzy Hash: 0251EF3943164AEFC6203B61BAAE17EBFB6FF5F713741BC10B20A908949FB40049DA55

Uniqueness

Uniqueness Score: -1.00%

Function 06372AD8 Relevance: 1.6, APIs: 1, Instructions: 124COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06372C3A

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: bdb6434c0583dad3d07e47fe0c5bbc8feb706ddfcacb353e9f4baaa139c87318
Instruction ID: f3794ed8a039618e6aaac672543b05109d6838de2a82c14ee168d5c8488821ba
Opcode Fuzzy Hash: bdb6434c0583dad3d07e47fe0c5bbc8feb706ddfcacb353e9f4baaa139c87318
Instruction Fuzzy Hash: 5851F4B4D01218DFDB18DFAAD8846DEBBB2FF88310F10C129D414AB294DB789949CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06372C73 Relevance: 1.6, APIs: 1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db0fa314529a9b4b529276f492bcf0a6199b8c7d2be9aad213e00157c94b28b
Instruction ID: 37b5b50428ee42a1348284958b1383e55ca67955d0065007eee0ed508e9bab48
Opcode Fuzzy Hash: 5db0fa314529a9b4b529276f492bcf0a6199b8c7d2be9aad213e00157c94b28b
Instruction Fuzzy Hash: 66510074D05208CFDB64CFA9D4846DEBBB5FF49311F209129E425BB290D7389A85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06372F2C Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb8bab41164a5003c2f78c5c8d9a8ea219efb053aad4c04a907a05cd8bb18d8
Instruction ID: 6b5adf1e33b7bd23b2f68b89dae30fc98e84df2ea5583ab365a311bbbaf630cb
Opcode Fuzzy Hash: 4bb8bab41164a5003c2f78c5c8d9a8ea219efb053aad4c04a907a05cd8bb18d8
Instruction Fuzzy Hash: 7F414D74904109CFDB64CFA8D4C0AEEF7F6BF48304F259158D449AB685C735AA86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06372D81 Relevance: 1.6, APIs: 1, Instructions: 103libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 06372DE1

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2fb5d818f4d151665ed5f8875f6757716a78b8d7eb2e46d681cefd5c623d9a01
Instruction ID: 09f71d1b1a19c8e509dbfa74732998631de8c911fb5cf8aec8aacbeb9bb56c76
Opcode Fuzzy Hash: 2fb5d818f4d151665ed5f8875f6757716a78b8d7eb2e46d681cefd5c623d9a01
Instruction Fuzzy Hash: 57415B74D00108DFDB24CFA9C5C4ADEFBB2BF88314F259159D40467685CB35AA9ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 06372ECC Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7267fb9c3455edd3ef507ac7bcfd63d4fd143c05498af725399310f59addc57
Instruction ID: 4a9aca586d5160442a89f5490d8ceaedf92a5136ae4c7dd1bdcaece984f01292
Opcode Fuzzy Hash: f7267fb9c3455edd3ef507ac7bcfd63d4fd143c05498af725399310f59addc57
Instruction Fuzzy Hash: 29412474D14109CFDB64CFA8D084AEEF7B6FF48314F259158E409A7681C739AA86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FED404 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.617403627.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fed000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3831bb5dbd2956a64af3b17faaaea3e7436b294970ebeec40815eabfffaf85e8
Instruction ID: 80c930bd3f32cb6a61cbb1fd48172dc4de5aee81760dddac0d1ed7f53b3a9728
Opcode Fuzzy Hash: 3831bb5dbd2956a64af3b17faaaea3e7436b294970ebeec40815eabfffaf85e8
Instruction Fuzzy Hash: 49213A72504284DFDF15DF10D8C0F1ABF65FBA4324F24C569E9054B686C336E845EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FFD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.617435910.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ffd000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abcda723ac87b3f6d542a226207f35ca4f346662c4ec8290dd2ebd299b27105e
Instruction ID: 0cc6355ddb54345d6402dbc7bb2b73083c0ff06ca503f18292825d7c049e4b6e
Opcode Fuzzy Hash: abcda723ac87b3f6d542a226207f35ca4f346662c4ec8290dd2ebd299b27105e
Instruction Fuzzy Hash: 86210772604248DFDB14DF14D8C0B26BB66FF84324F24C569EA094B25ACB3AD847EA61

Uniqueness

Uniqueness Score: -1.00%

Function 00FFD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.617435910.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ffd000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 092171f421b2f843005b370d8f0b843ebb192614a8809dae03d847ef27058168
Instruction ID: 3f22b8be76d0bcc1b65ed765c3f398d56c825dc54a174212629b8a91888275cc
Opcode Fuzzy Hash: 092171f421b2f843005b370d8f0b843ebb192614a8809dae03d847ef27058168
Instruction Fuzzy Hash: 8D2180755093C48FCB02CF20D990715BF71EF46324F28C5EAD9498B6A7C33A980ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 00FED3FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.617403627.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fed000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a9d003929d6dc02cb6594d9b18e81f81af5a06eac6336c657b4c9dac273578b
Instruction ID: ec92b3f52aede6b971593ecc7497c367d841fc163e5ee38e5712711a3b9e05a2
Opcode Fuzzy Hash: 2a9d003929d6dc02cb6594d9b18e81f81af5a06eac6336c657b4c9dac273578b
Instruction Fuzzy Hash: 2C11B176904284DFCB16CF10D9C4B16BF71FB94324F24C6A9D8050BA56C33AE85ADBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02B44AA8 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.617754919.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b40000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c0e38f85855436137e8722bf55ad6485088d0beeb6fa3efc600d625931c7ed
Instruction ID: 98aeee6fe67224856f61d0a54d3cef8557439beafd04a8ec9833318bc6dc6e93
Opcode Fuzzy Hash: 51c0e38f85855436137e8722bf55ad6485088d0beeb6fa3efc600d625931c7ed
Instruction Fuzzy Hash: 69529A74E002688FDB64DF65C884BADBBB2BF89304F1085EAD509AB354DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0637C020 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 811655697ae041e42bb49ee59d262964c8abfdecf962f4daa780f5841da3b958
Instruction ID: 1f839f8c3437b4a3b1e134182d803d2043a15b206061b16f757fd4095999cc66
Opcode Fuzzy Hash: 811655697ae041e42bb49ee59d262964c8abfdecf962f4daa780f5841da3b958
Instruction Fuzzy Hash: 60B1A874E00218CFDB54DFA9D884A9DBBF2FF89314F1181AAD819AB365DB34A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B450DB Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.617754919.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b40000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2653f56b42b109e3dc34e9de5c1b8c9b2cda222e84be5cee9ec5e1c253784f7
Instruction ID: 3cd493a163daddc79ca8224057173f8d7eca5473ed0e2d84e218b214255ae569
Opcode Fuzzy Hash: b2653f56b42b109e3dc34e9de5c1b8c9b2cda222e84be5cee9ec5e1c253784f7
Instruction Fuzzy Hash: CFA1BF74A01268DFDB64DF64C894B99BBB2BF4A301F5085EAD80DA7354DB319E80CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0637C00F Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6bfa02db5c5caa93be6def33a4392091f19002a447c0df8548e8356382c0987
Instruction ID: 762b6467b85314eeaf1f0d42b8d9c1ddd223ad0ce5f26148aef1e99b70b7fc79
Opcode Fuzzy Hash: c6bfa02db5c5caa93be6def33a4392091f19002a447c0df8548e8356382c0987
Instruction Fuzzy Hash: 61519975E00608CFDB54DFAAD884A9DBBF2FF89300F14916AD419AB365DB349941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B452BC Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.617754919.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b40000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b579ee3a4eeeccbece4a428f04198e2eefa2390eefffeb2160a9274e7823e6d
Instruction ID: a9e92ce39d874ca6c42497d2901717d0ed805c7d3e96c866c2c78c6ee1038e02
Opcode Fuzzy Hash: 5b579ee3a4eeeccbece4a428f04198e2eefa2390eefffeb2160a9274e7823e6d
Instruction Fuzzy Hash: 76519274A01228DFCB64DF24D894BE9B7B2BF4A305F5095E9E80AA7354DB319E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0637C336 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.619277522.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_t40mINaB76.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f0e34beff8db7fb46c9ab795620371a16be6ea153d5d8243b7428139328541a
Instruction ID: 04905e841e52d63dd29d2c9d6b947a0bd19653d44581f61cf7314c58adac8721
Opcode Fuzzy Hash: 7f0e34beff8db7fb46c9ab795620371a16be6ea153d5d8243b7428139328541a
Instruction Fuzzy Hash: 63D09E34D142588BCB20DFA4D9903ADB776BB87300F0121D5851DB3210DB309E549F86

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report t40mINaB76.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\t40mINaB76.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
t40mINaB76.exe

Function 00EAB020 Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Function 00EAB030 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Function 00EA8D30 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Function 00EAF54D Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Function 00EAF558 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 00EAB253 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 00EAB258 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 00EA9190 Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Function 00EA8800 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 00EA782B Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Function 00EA8F10 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 00EAF7A0 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Function 02B45587 Relevance: 2.1, APIs: 1, Instructions: 634
libraryCOMMON

Function 02B483C9 Relevance: 1.8, APIs: 1, Instructions: 274
COMMON

Function 02B46111 Relevance: 1.8, APIs: 1, Instructions: 274
COMMON

Function 06374628 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre