Edit tour

Windows Analysis Report
HvAnUIF17C.exe

Overview

General Information

Sample Name:	HvAnUIF17C.exe
Analysis ID:	652386
MD5:	515bae8e826da0259aea4c4f3f05a654
SHA1:	b17e6b0aecf3c98bf27c6d3c03411007c964a35b
SHA256:	1f446fcfd533aab46514bc919c327c75e9dae84d6086777beeed532cdb787c85
Tags:	exeSnakeKeylogger
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected AntiVM3

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal ftp login credentials

.NET source code references suspicious native API functions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

May check the online IP address of the machine

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Yara detected Credential Stealer

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Contains functionality to detect virtual machines (SLDT)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

HvAnUIF17C.exe (PID: 5684 cmdline: "C:\Users\user\Desktop\HvAnUIF17C.exe" MD5: 515BAE8E826DA0259AEA4C4F3F05A654)

HvAnUIF17C.exe (PID: 3120 cmdline: C:\Users\user\Desktop\HvAnUIF17C.exe MD5: 515BAE8E826DA0259AEA4C4F3F05A654)

cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram Token": "5125489580:AAG9rJipU-Qp9bVmgyzvimlz5gpATRgg5qo", "Telegram ID": "5149913163"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000000.266393482.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000000.266393482.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000000.266393482.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.266393482.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18570:$x1: $%SMTPDV$ 0x17232:$x2: $#TheHashHere%& 0x18518:$x3: %FTPDV$ 0x17214:$x4: $%TelegramDv$ 0x14b95:$x5: KeyLoggerEventArgs 0x14f2b:$x5: KeyLoggerEventArgs 0x1859c:$m1: \| Snake Keylogger 0x18642:$m1: \| Snake Keylogger 0x18796:$m1: \| Snake Keylogger 0x188bc:$m1: \| Snake Keylogger 0x18a16:$m1: \| Snake Keylogger 0x1853c:$m2: Clipboard Logs ID 0x1874c:$m2: Screenshot Logs ID 0x18860:$m2: keystroke Logs ID 0x18a4c:$m3: SnakePW 0x18724:$m4: \SnakeKeylogger\
00000004.00000002.509304253.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.509304253.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.509304253.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.509304253.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18570:$x1: $%SMTPDV$ 0x17232:$x2: $#TheHashHere%& 0x18518:$x3: %FTPDV$ 0x17214:$x4: $%TelegramDv$ 0x14b95:$x5: KeyLoggerEventArgs 0x14f2b:$x5: KeyLoggerEventArgs 0x1859c:$m1: \| Snake Keylogger 0x18642:$m1: \| Snake Keylogger 0x18796:$m1: \| Snake Keylogger 0x188bc:$m1: \| Snake Keylogger 0x18a16:$m1: \| Snake Keylogger 0x1853c:$m2: Clipboard Logs ID 0x1874c:$m2: Screenshot Logs ID 0x18860:$m2: keystroke Logs ID 0x18a4c:$m3: SnakePW 0x18724:$m4: \SnakeKeylogger\
00000004.00000000.266790550.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000000.266790550.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000000.266790550.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.266790550.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18570:$x1: $%SMTPDV$ 0x17232:$x2: $#TheHashHere%& 0x18518:$x3: %FTPDV$ 0x17214:$x4: $%TelegramDv$ 0x14b95:$x5: KeyLoggerEventArgs 0x14f2b:$x5: KeyLoggerEventArgs 0x1859c:$m1: \| Snake Keylogger 0x18642:$m1: \| Snake Keylogger 0x18796:$m1: \| Snake Keylogger 0x188bc:$m1: \| Snake Keylogger 0x18a16:$m1: \| Snake Keylogger 0x1853c:$m2: Clipboard Logs ID 0x1874c:$m2: Screenshot Logs ID 0x18860:$m2: keystroke Logs ID 0x18a4c:$m3: SnakePW 0x18724:$m4: \SnakeKeylogger\
00000000.00000002.278554759.000000000333B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000004.00000000.266009764.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000000.266009764.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000000.266009764.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.266009764.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18570:$x1: $%SMTPDV$ 0x17232:$x2: $#TheHashHere%& 0x18518:$x3: %FTPDV$ 0x17214:$x4: $%TelegramDv$ 0x14b95:$x5: KeyLoggerEventArgs 0x14f2b:$x5: KeyLoggerEventArgs 0x1859c:$m1: \| Snake Keylogger 0x18642:$m1: \| Snake Keylogger 0x18796:$m1: \| Snake Keylogger 0x188bc:$m1: \| Snake Keylogger 0x18a16:$m1: \| Snake Keylogger 0x1853c:$m2: Clipboard Logs ID 0x1874c:$m2: Screenshot Logs ID 0x18860:$m2: keystroke Logs ID 0x18a4c:$m3: SnakePW 0x18724:$m4: \SnakeKeylogger\
00000004.00000000.267402332.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000000.267402332.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000000.267402332.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.267402332.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18570:$x1: $%SMTPDV$ 0x17232:$x2: $#TheHashHere%& 0x18518:$x3: %FTPDV$ 0x17214:$x4: $%TelegramDv$ 0x14b95:$x5: KeyLoggerEventArgs 0x14f2b:$x5: KeyLoggerEventArgs 0x1859c:$m1: \| Snake Keylogger 0x18642:$m1: \| Snake Keylogger 0x18796:$m1: \| Snake Keylogger 0x188bc:$m1: \| Snake Keylogger 0x18a16:$m1: \| Snake Keylogger 0x1853c:$m2: Clipboard Logs ID 0x1874c:$m2: Screenshot Logs ID 0x18860:$m2: keystroke Logs ID 0x18a4c:$m3: SnakePW 0x18724:$m4: \SnakeKeylogger\
00000000.00000002.279912469.00000000044DF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.279912469.00000000044DF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.279912469.00000000044DF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.279912469.00000000044DF000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x113530:$x1: $%SMTPDV$ 0x132d50:$x1: $%SMTPDV$ 0x152370:$x1: $%SMTPDV$ 0x1121f2:$x2: $#TheHashHere%& 0x131a12:$x2: $#TheHashHere%& 0x151032:$x2: $#TheHashHere%& 0x1134d8:$x3: %FTPDV$ 0x132cf8:$x3: %FTPDV$ 0x152318:$x3: %FTPDV$ 0x1121d4:$x4: $%TelegramDv$ 0x1319f4:$x4: $%TelegramDv$ 0x151014:$x4: $%TelegramDv$ 0x10fb55:$x5: KeyLoggerEventArgs 0x10feeb:$x5: KeyLoggerEventArgs 0x12f375:$x5: KeyLoggerEventArgs 0x12f70b:$x5: KeyLoggerEventArgs 0x14e995:$x5: KeyLoggerEventArgs 0x14ed2b:$x5: KeyLoggerEventArgs 0x11355c:$m1: \| Snake Keylogger 0x113602:$m1: \| Snake Keylogger 0x113756:$m1: \| Snake Keylogger
00000000.00000002.278443910.0000000003291000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: HvAnUIF17C.exe PID: 5684	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: HvAnUIF17C.exe PID: 5684	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: HvAnUIF17C.exe PID: 5684	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: HvAnUIF17C.exe PID: 5684	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x50b70:$x5: KeyLoggerEventArgs 0x50d7e:$x5: KeyLoggerEventArgs 0x516d4:$x5: KeyLoggerEventArgs 0x51a35:$x5: KeyLoggerEventArgs 0x52e24:$m1: \| Snake Keylogger 0x52e73:$m1: \| Snake Keylogger 0x52f07:$m1: \| Snake Keylogger 0x52f68:$m1: \| Snake Keylogger 0x52fdd:$m1: \| Snake Keylogger 0x52df3:$m2: Clipboard Logs ID 0x52ee2:$m2: Screenshot Logs ID 0x52f3a:$m2: keystroke Logs ID 0x52ff8:$m3: SnakePW 0x52ece:$m4: \SnakeKeylogger\
Process Memory Space: HvAnUIF17C.exe PID: 3120	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: HvAnUIF17C.exe PID: 3120	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: HvAnUIF17C.exe PID: 3120	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x4519:$x5: KeyLoggerEventArgs 0x48af:$x5: KeyLoggerEventArgs 0x53d5:$x5: KeyLoggerEventArgs 0x5736:$x5: KeyLoggerEventArgs 0x6bdf:$m1: \| Snake Keylogger 0x6c2e:$m1: \| Snake Keylogger 0x6cc2:$m1: \| Snake Keylogger 0x6d23:$m1: \| Snake Keylogger 0x6d98:$m1: \| Snake Keylogger 0x6bae:$m2: Clipboard Logs ID 0x6c9d:$m2: Screenshot Logs ID 0x6cf5:$m2: keystroke Logs ID 0x6db3:$m3: SnakePW 0x6c89:$m4: \SnakeKeylogger\
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.0.HvAnUIF17C.exe.400000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b070:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a259:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a6a0:$a4: \Orbitum\User Data\Default\Login Data 0x1b821:$a5: \Kometa\User Data\Default\Login Data
4.0.HvAnUIF17C.exe.400000.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.0.HvAnUIF17C.exe.400000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.0.HvAnUIF17C.exe.400000.4.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.HvAnUIF17C.exe.400000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.HvAnUIF17C.exe.400000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14711:$s1: UnHook 0x14718:$s2: SetHook 0x14720:$s3: CallNextHook 0x1472d:$s4: _hook
4.0.HvAnUIF17C.exe.400000.4.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18770:$x1: $%SMTPDV$ 0x17432:$x2: $#TheHashHere%& 0x18718:$x3: %FTPDV$ 0x17414:$x4: $%TelegramDv$ 0x14d95:$x5: KeyLoggerEventArgs 0x1512b:$x5: KeyLoggerEventArgs 0x1879c:$m1: \| Snake Keylogger 0x18842:$m1: \| Snake Keylogger 0x18996:$m1: \| Snake Keylogger 0x18abc:$m1: \| Snake Keylogger 0x18c16:$m1: \| Snake Keylogger 0x1873c:$m2: Clipboard Logs ID 0x1894c:$m2: Screenshot Logs ID 0x18a60:$m2: keystroke Logs ID 0x18c4c:$m3: SnakePW 0x18924:$m4: \SnakeKeylogger\
4.0.HvAnUIF17C.exe.400000.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b070:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a259:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a6a0:$a4: \Orbitum\User Data\Default\Login Data 0x1b821:$a5: \Kometa\User Data\Default\Login Data
4.0.HvAnUIF17C.exe.400000.8.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.0.HvAnUIF17C.exe.400000.8.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.0.HvAnUIF17C.exe.400000.8.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.HvAnUIF17C.exe.400000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.HvAnUIF17C.exe.400000.8.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14711:$s1: UnHook 0x14718:$s2: SetHook 0x14720:$s3: CallNextHook 0x1472d:$s4: _hook
4.0.HvAnUIF17C.exe.400000.8.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18770:$x1: $%SMTPDV$ 0x17432:$x2: $#TheHashHere%& 0x18718:$x3: %FTPDV$ 0x17414:$x4: $%TelegramDv$ 0x14d95:$x5: KeyLoggerEventArgs 0x1512b:$x5: KeyLoggerEventArgs 0x1879c:$m1: \| Snake Keylogger 0x18842:$m1: \| Snake Keylogger 0x18996:$m1: \| Snake Keylogger 0x18abc:$m1: \| Snake Keylogger 0x18c16:$m1: \| Snake Keylogger 0x1873c:$m2: Clipboard Logs ID 0x1894c:$m2: Screenshot Logs ID 0x18a60:$m2: keystroke Logs ID 0x18c4c:$m3: SnakePW 0x18924:$m4: \SnakeKeylogger\
4.2.HvAnUIF17C.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b070:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a259:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a6a0:$a4: \Orbitum\User Data\Default\Login Data 0x1b821:$a5: \Kometa\User Data\Default\Login Data
4.2.HvAnUIF17C.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.HvAnUIF17C.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.HvAnUIF17C.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.HvAnUIF17C.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.HvAnUIF17C.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14711:$s1: UnHook 0x14718:$s2: SetHook 0x14720:$s3: CallNextHook 0x1472d:$s4: _hook
4.2.HvAnUIF17C.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18770:$x1: $%SMTPDV$ 0x17432:$x2: $#TheHashHere%& 0x18718:$x3: %FTPDV$ 0x17414:$x4: $%TelegramDv$ 0x14d95:$x5: KeyLoggerEventArgs 0x1512b:$x5: KeyLoggerEventArgs 0x1879c:$m1: \| Snake Keylogger 0x18842:$m1: \| Snake Keylogger 0x18996:$m1: \| Snake Keylogger 0x18abc:$m1: \| Snake Keylogger 0x18c16:$m1: \| Snake Keylogger 0x1873c:$m2: Clipboard Logs ID 0x1894c:$m2: Screenshot Logs ID 0x18a60:$m2: keystroke Logs ID 0x18c4c:$m3: SnakePW 0x18924:$m4: \SnakeKeylogger\
4.0.HvAnUIF17C.exe.400000.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b070:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a259:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a6a0:$a4: \Orbitum\User Data\Default\Login Data 0x1b821:$a5: \Kometa\User Data\Default\Login Data
4.0.HvAnUIF17C.exe.400000.6.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.0.HvAnUIF17C.exe.400000.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.0.HvAnUIF17C.exe.400000.6.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.HvAnUIF17C.exe.400000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.HvAnUIF17C.exe.400000.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14711:$s1: UnHook 0x14718:$s2: SetHook 0x14720:$s3: CallNextHook 0x1472d:$s4: _hook
4.0.HvAnUIF17C.exe.400000.6.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18770:$x1: $%SMTPDV$ 0x17432:$x2: $#TheHashHere%& 0x18718:$x3: %FTPDV$ 0x17414:$x4: $%TelegramDv$ 0x14d95:$x5: KeyLoggerEventArgs 0x1512b:$x5: KeyLoggerEventArgs 0x1879c:$m1: \| Snake Keylogger 0x18842:$m1: \| Snake Keylogger 0x18996:$m1: \| Snake Keylogger 0x18abc:$m1: \| Snake Keylogger 0x18c16:$m1: \| Snake Keylogger 0x1873c:$m2: Clipboard Logs ID 0x1894c:$m2: Screenshot Logs ID 0x18a60:$m2: keystroke Logs ID 0x18c4c:$m3: SnakePW 0x18924:$m4: \SnakeKeylogger\
4.0.HvAnUIF17C.exe.400000.10.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b070:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a259:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a6a0:$a4: \Orbitum\User Data\Default\Login Data 0x1b821:$a5: \Kometa\User Data\Default\Login Data
4.0.HvAnUIF17C.exe.400000.10.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.0.HvAnUIF17C.exe.400000.10.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.0.HvAnUIF17C.exe.400000.10.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.HvAnUIF17C.exe.400000.10.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.HvAnUIF17C.exe.400000.10.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14711:$s1: UnHook 0x14718:$s2: SetHook 0x14720:$s3: CallNextHook 0x1472d:$s4: _hook
4.0.HvAnUIF17C.exe.400000.10.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18770:$x1: $%SMTPDV$ 0x17432:$x2: $#TheHashHere%& 0x18718:$x3: %FTPDV$ 0x17414:$x4: $%TelegramDv$ 0x14d95:$x5: KeyLoggerEventArgs 0x1512b:$x5: KeyLoggerEventArgs 0x1879c:$m1: \| Snake Keylogger 0x18842:$m1: \| Snake Keylogger 0x18996:$m1: \| Snake Keylogger 0x18abc:$m1: \| Snake Keylogger 0x18c16:$m1: \| Snake Keylogger 0x1873c:$m2: Clipboard Logs ID 0x1894c:$m2: Screenshot Logs ID 0x18a60:$m2: keystroke Logs ID 0x18c4c:$m3: SnakePW 0x18924:$m4: \SnakeKeylogger\
0.2.HvAnUIF17C.exe.45d9dc0.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x19270:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x18459:$a3: \Google\Chrome\User Data\Default\Login Data 0x188a0:$a4: \Orbitum\User Data\Default\Login Data 0x19a21:$a5: \Kometa\User Data\Default\Login Data
0.2.HvAnUIF17C.exe.45d9dc0.8.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.HvAnUIF17C.exe.45d9dc0.8.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.HvAnUIF17C.exe.45d9dc0.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HvAnUIF17C.exe.45d9dc0.8.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x12911:$s1: UnHook 0x12918:$s2: SetHook 0x12920:$s3: CallNextHook 0x1292d:$s4: _hook
0.2.HvAnUIF17C.exe.45d9dc0.8.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16970:$x1: $%SMTPDV$ 0x15632:$x2: $#TheHashHere%& 0x16918:$x3: %FTPDV$ 0x15614:$x4: $%TelegramDv$ 0x12f95:$x5: KeyLoggerEventArgs 0x1332b:$x5: KeyLoggerEventArgs 0x1699c:$m1: \| Snake Keylogger 0x16a42:$m1: \| Snake Keylogger 0x16b96:$m1: \| Snake Keylogger 0x16cbc:$m1: \| Snake Keylogger 0x16e16:$m1: \| Snake Keylogger 0x1693c:$m2: Clipboard Logs ID 0x16b4c:$m2: Screenshot Logs ID 0x16c60:$m2: keystroke Logs ID 0x16e4c:$m3: SnakePW 0x16b24:$m4: \SnakeKeylogger\
4.0.HvAnUIF17C.exe.400000.12.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b070:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a259:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a6a0:$a4: \Orbitum\User Data\Default\Login Data 0x1b821:$a5: \Kometa\User Data\Default\Login Data
4.0.HvAnUIF17C.exe.400000.12.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.0.HvAnUIF17C.exe.400000.12.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.0.HvAnUIF17C.exe.400000.12.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.HvAnUIF17C.exe.400000.12.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.HvAnUIF17C.exe.400000.12.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14711:$s1: UnHook 0x14718:$s2: SetHook 0x14720:$s3: CallNextHook 0x1472d:$s4: _hook
4.0.HvAnUIF17C.exe.400000.12.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18770:$x1: $%SMTPDV$ 0x17432:$x2: $#TheHashHere%& 0x18718:$x3: %FTPDV$ 0x17414:$x4: $%TelegramDv$ 0x14d95:$x5: KeyLoggerEventArgs 0x1512b:$x5: KeyLoggerEventArgs 0x1879c:$m1: \| Snake Keylogger 0x18842:$m1: \| Snake Keylogger 0x18996:$m1: \| Snake Keylogger 0x18abc:$m1: \| Snake Keylogger 0x18c16:$m1: \| Snake Keylogger 0x1873c:$m2: Clipboard Logs ID 0x1894c:$m2: Screenshot Logs ID 0x18a60:$m2: keystroke Logs ID 0x18c4c:$m3: SnakePW 0x18924:$m4: \SnakeKeylogger\
0.2.HvAnUIF17C.exe.45d9dc0.8.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b070:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a890:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x59eb0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a259:$a3: \Google\Chrome\User Data\Default\Login Data 0x39a79:$a3: \Google\Chrome\User Data\Default\Login Data 0x59099:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a6a0:$a4: \Orbitum\User Data\Default\Login Data 0x39ec0:$a4: \Orbitum\User Data\Default\Login Data 0x594e0:$a4: \Orbitum\User Data\Default\Login Data 0x1b821:$a5: \Kometa\User Data\Default\Login Data 0x3b041:$a5: \Kometa\User Data\Default\Login Data 0x5a661:$a5: \Kometa\User Data\Default\Login Data
0.2.HvAnUIF17C.exe.45d9dc0.8.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.HvAnUIF17C.exe.45d9dc0.8.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.HvAnUIF17C.exe.45d9dc0.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.HvAnUIF17C.exe.45d9dc0.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HvAnUIF17C.exe.45d9dc0.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14711:$s1: UnHook 0x33f31:$s1: UnHook 0x53551:$s1: UnHook 0x14718:$s2: SetHook 0x33f38:$s2: SetHook 0x53558:$s2: SetHook 0x14720:$s3: CallNextHook 0x33f40:$s3: CallNextHook 0x53560:$s3: CallNextHook 0x1472d:$s4: _hook 0x33f4d:$s4: _hook 0x5356d:$s4: _hook
0.2.HvAnUIF17C.exe.45d9dc0.8.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18770:$x1: $%SMTPDV$ 0x37f90:$x1: $%SMTPDV$ 0x575b0:$x1: $%SMTPDV$ 0x17432:$x2: $#TheHashHere%& 0x36c52:$x2: $#TheHashHere%& 0x56272:$x2: $#TheHashHere%& 0x18718:$x3: %FTPDV$ 0x37f38:$x3: %FTPDV$ 0x57558:$x3: %FTPDV$ 0x17414:$x4: $%TelegramDv$ 0x36c34:$x4: $%TelegramDv$ 0x56254:$x4: $%TelegramDv$ 0x14d95:$x5: KeyLoggerEventArgs 0x1512b:$x5: KeyLoggerEventArgs 0x345b5:$x5: KeyLoggerEventArgs 0x3494b:$x5: KeyLoggerEventArgs 0x53bd5:$x5: KeyLoggerEventArgs 0x53f6b:$x5: KeyLoggerEventArgs 0x1879c:$m1: \| Snake Keylogger 0x18842:$m1: \| Snake Keylogger 0x18996:$m1: \| Snake Keylogger
0.2.HvAnUIF17C.exe.454d1a0.7.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.HvAnUIF17C.exe.454d1a0.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.HvAnUIF17C.exe.454d1a0.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.HvAnUIF17C.exe.454d1a0.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HvAnUIF17C.exe.454d1a0.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xa1331:$s1: UnHook 0xc0b51:$s1: UnHook 0xe0171:$s1: UnHook 0xa1338:$s2: SetHook 0xc0b58:$s2: SetHook 0xe0178:$s2: SetHook 0xa1340:$s3: CallNextHook 0xc0b60:$s3: CallNextHook 0xe0180:$s3: CallNextHook 0xa134d:$s4: _hook 0xc0b6d:$s4: _hook 0xe018d:$s4: _hook
0.2.HvAnUIF17C.exe.454d1a0.7.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xa5390:$x1: $%SMTPDV$ 0xc4bb0:$x1: $%SMTPDV$ 0xe41d0:$x1: $%SMTPDV$ 0xa4052:$x2: $#TheHashHere%& 0xc3872:$x2: $#TheHashHere%& 0xe2e92:$x2: $#TheHashHere%& 0xa5338:$x3: %FTPDV$ 0xc4b58:$x3: %FTPDV$ 0xe4178:$x3: %FTPDV$ 0xa4034:$x4: $%TelegramDv$ 0xc3854:$x4: $%TelegramDv$ 0xe2e74:$x4: $%TelegramDv$ 0xa19b5:$x5: KeyLoggerEventArgs 0xa1d4b:$x5: KeyLoggerEventArgs 0xc11d5:$x5: KeyLoggerEventArgs 0xc156b:$x5: KeyLoggerEventArgs 0xe07f5:$x5: KeyLoggerEventArgs 0xe0b8b:$x5: KeyLoggerEventArgs 0xa53bc:$m1: \| Snake Keylogger 0xa5462:$m1: \| Snake Keylogger 0xa55b6:$m1: \| Snake Keylogger
0.2.HvAnUIF17C.exe.44dff28.9.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.HvAnUIF17C.exe.44dff28.9.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.HvAnUIF17C.exe.44dff28.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.HvAnUIF17C.exe.44dff28.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HvAnUIF17C.exe.44dff28.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x10e5a9:$s1: UnHook 0x12ddc9:$s1: UnHook 0x14d3e9:$s1: UnHook 0x10e5b0:$s2: SetHook 0x12ddd0:$s2: SetHook 0x14d3f0:$s2: SetHook 0x10e5b8:$s3: CallNextHook 0x12ddd8:$s3: CallNextHook 0x14d3f8:$s3: CallNextHook 0x10e5c5:$s4: _hook 0x12dde5:$s4: _hook 0x14d405:$s4: _hook
0.2.HvAnUIF17C.exe.44dff28.9.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x112608:$x1: $%SMTPDV$ 0x131e28:$x1: $%SMTPDV$ 0x151448:$x1: $%SMTPDV$ 0x1112ca:$x2: $#TheHashHere%& 0x130aea:$x2: $#TheHashHere%& 0x15010a:$x2: $#TheHashHere%& 0x1125b0:$x3: %FTPDV$ 0x131dd0:$x3: %FTPDV$ 0x1513f0:$x3: %FTPDV$ 0x1112ac:$x4: $%TelegramDv$ 0x130acc:$x4: $%TelegramDv$ 0x1500ec:$x4: $%TelegramDv$ 0x10ec2d:$x5: KeyLoggerEventArgs 0x10efc3:$x5: KeyLoggerEventArgs 0x12e44d:$x5: KeyLoggerEventArgs 0x12e7e3:$x5: KeyLoggerEventArgs 0x14da6d:$x5: KeyLoggerEventArgs 0x14de03:$x5: KeyLoggerEventArgs 0x112634:$m1: \| Snake Keylogger 0x1126da:$m1: \| Snake Keylogger 0x11282e:$m1: \| Snake Keylogger
Click to see the 62 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check - Source IP: 192.168.2.4 - Destination IP: 193.122.130.0

Timestamp:	192.168.2.4193.122.130.049760802842536 06/26/22-09:34:00.732371
SID:	2842536
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: HvAnUIF17C.exe	Virustotal: Detection: 35%			Perma Link
Source: HvAnUIF17C.exe	ReversingLabs: Detection: 50%

Machine Learning detection for sample

Source: HvAnUIF17C.exe

Joe Sandbox ML: detected

Source: 4.2.HvAnUIF17C.exe.400000.0.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 4.0.HvAnUIF17C.exe.400000.6.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 4.0.HvAnUIF17C.exe.400000.8.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 4.0.HvAnUIF17C.exe.400000.4.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 4.0.HvAnUIF17C.exe.400000.10.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 4.0.HvAnUIF17C.exe.400000.12.unpack	Avira: Label: TR/ATRAPS.Gen

Source: 0.2.HvAnUIF17C.exe.45d9dc0.8.raw.unpack

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram Token": "5125489580:AAG9rJipU-Qp9bVmgyzvimlz5gpATRgg5qo", "Telegram ID": "5149913163"}

Source: HvAnUIF17C.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: HvAnUIF17C.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 018A63D1h	4_2_018A6111
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 018A8687h	4_2_018A83C9
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 018A7DC7h	4_2_018A7B08
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 018AFDE9h	4_2_018AFB30
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 018AF539h	4_2_018AF280
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 018A7507h	4_2_018A7200
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 018A5F70h	4_2_018A5587
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 018AEC8Ah	4_2_018AE758
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 018A8227h	4_2_018A7F68
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 018A7967h	4_2_018A76A8
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 018AF991h	4_2_018AF6D8
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 018A6B10h	4_2_018A66F8
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 018AF0E1h	4_2_018AEE28
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_018A50DB
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_018A4AA8
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_018A52BC
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 018A6B10h	4_2_018A6A3E
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 018A6B10h	4_2_018A66E8
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 05AB0741h	4_2_05AB0498
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 05AB02E9h	4_2_05AB0040
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 05AB0B99h	4_2_05AB08F0
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 05FCFAE1h	4_2_05FCF838
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 05FCF689h	4_2_05FCF3E0
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 05FCF231h	4_2_05FCEF88
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 05FCEDD9h	4_2_05FCEB30
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 05FCE981h	4_2_05FCE6D8
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 05FCE529h	4_2_05FCE280
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 05FC7899h	4_2_05FC75F0
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 05FC4479h	4_2_05FC41D0
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 05FC7441h	4_2_05FC7198
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 05FC4021h	4_2_05FC3D78
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 05FC6FE9h	4_2_05FC6D40
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 05FC3BC9h	4_2_05FC3920
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 05FC6B91h	4_2_05FC68E8
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 05FC3771h	4_2_05FC34C8
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 05FC6739h	4_2_05FC6490
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 05FC3319h	4_2_05FC3070
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 05FC62E1h	4_2_05FC6038
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_05FCC020
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_05FCC00F
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4x nop then jmp 05FC5E89h	4_2_05FC5BE0

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2842536 ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.2.4:49760 -> 193.122.130.0:80

May check the online IP address of the machine

Source: C:\Users\user\Desktop\HvAnUIF17C.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	DNS query: name: checkip.dyndns.org

Yara detected Generic Downloader

Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.HvAnUIF17C.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HvAnUIF17C.exe.45d9dc0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HvAnUIF17C.exe.454d1a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HvAnUIF17C.exe.44dff28.9.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View

ASN Name: ORACLE-BMC-31898US ORACLE-BMC-31898US

Source: Joe Sandbox View

IP Address: 193.122.130.0 193.122.130.0

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: HvAnUIF17C.exe, 00000004.00000002.511505410.0000000003556000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: HvAnUIF17C.exe, 00000004.00000002.511395073.0000000003549000.00000004.00000800.00020000.00000000.sdmp, HvAnUIF17C.exe, 00000004.00000002.511505410.0000000003556000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: HvAnUIF17C.exe, 00000004.00000002.511172584.00000000034B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: HvAnUIF17C.exe, 00000000.00000002.279912469.00000000044DF000.00000004.00000800.00020000.00000000.sdmp, HvAnUIF17C.exe, 00000004.00000000.266393482.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: HvAnUIF17C.exe, 00000004.00000002.511395073.0000000003549000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org4
Source: HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: HvAnUIF17C.exe, 00000004.00000002.511172584.00000000034B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: HvAnUIF17C.exe, 00000000.00000002.279912469.00000000044DF000.00000004.00000800.00020000.00000000.sdmp, HvAnUIF17C.exe, 00000004.00000000.266393482.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot

Source: unknown

DNS traffic detected: queries for: checkip.dyndns.org

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.0.HvAnUIF17C.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.HvAnUIF17C.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.0.HvAnUIF17C.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.0.HvAnUIF17C.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.HvAnUIF17C.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.0.HvAnUIF17C.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.HvAnUIF17C.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.HvAnUIF17C.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.HvAnUIF17C.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.0.HvAnUIF17C.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.HvAnUIF17C.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.0.HvAnUIF17C.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.0.HvAnUIF17C.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.HvAnUIF17C.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.0.HvAnUIF17C.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.HvAnUIF17C.exe.45d9dc0.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.HvAnUIF17C.exe.45d9dc0.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.HvAnUIF17C.exe.45d9dc0.8.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.0.HvAnUIF17C.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.HvAnUIF17C.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.0.HvAnUIF17C.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.HvAnUIF17C.exe.45d9dc0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.HvAnUIF17C.exe.45d9dc0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.HvAnUIF17C.exe.45d9dc0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.HvAnUIF17C.exe.454d1a0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.HvAnUIF17C.exe.454d1a0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.HvAnUIF17C.exe.44dff28.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.HvAnUIF17C.exe.44dff28.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000000.266393482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.509304253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000000.266790550.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000000.266009764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000000.267402332.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.279912469.00000000044DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: HvAnUIF17C.exe PID: 5684, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: HvAnUIF17C.exe PID: 3120, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: HvAnUIF17C.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 4.0.HvAnUIF17C.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.HvAnUIF17C.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.0.HvAnUIF17C.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.0.HvAnUIF17C.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.HvAnUIF17C.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.0.HvAnUIF17C.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.HvAnUIF17C.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.HvAnUIF17C.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.HvAnUIF17C.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.0.HvAnUIF17C.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.HvAnUIF17C.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.0.HvAnUIF17C.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.0.HvAnUIF17C.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.HvAnUIF17C.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.0.HvAnUIF17C.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.HvAnUIF17C.exe.45d9dc0.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HvAnUIF17C.exe.45d9dc0.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.HvAnUIF17C.exe.45d9dc0.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.0.HvAnUIF17C.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.HvAnUIF17C.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.0.HvAnUIF17C.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.HvAnUIF17C.exe.45d9dc0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HvAnUIF17C.exe.45d9dc0.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.HvAnUIF17C.exe.45d9dc0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.HvAnUIF17C.exe.454d1a0.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.HvAnUIF17C.exe.454d1a0.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.HvAnUIF17C.exe.44dff28.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.HvAnUIF17C.exe.44dff28.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000000.266393482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.509304253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000000.266790550.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000000.266009764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000000.267402332.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.279912469.00000000044DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: HvAnUIF17C.exe PID: 5684, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: HvAnUIF17C.exe PID: 3120, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 0_2_00F1ACB3	0_2_00F1ACB3
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 0_2_00F1B2B4	0_2_00F1B2B4
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 0_2_00F1AA86	0_2_00F1AA86
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 0_2_00F1AE86	0_2_00F1AE86
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 0_2_00F1B086	0_2_00F1B086
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 0_2_00F1ABBB	0_2_00F1ABBB
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 0_2_00F1B186	0_2_00F1B186
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 0_2_00F1AF86	0_2_00F1AF86
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 0_2_018DC874	0_2_018DC874
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 0_2_018DECA8	0_2_018DECA8
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 0_2_018DECB8	0_2_018DECB8
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_00FEB2B4	4_2_00FEB2B4
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_00FEACB3	4_2_00FEACB3
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_00FEAA86	4_2_00FEAA86
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_00FEAE86	4_2_00FEAE86
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_00FEB086	4_2_00FEB086
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_00FEABBB	4_2_00FEABBB
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_00FEB186	4_2_00FEB186
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_00FEAF86	4_2_00FEAF86
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_018A6111	4_2_018A6111
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_018A6B88	4_2_018A6B88
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_018A83C9	4_2_018A83C9
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_018A7B08	4_2_018A7B08
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_018AFB30	4_2_018AFB30
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_018AF280	4_2_018AF280
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_018A7200	4_2_018A7200
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_018A5587	4_2_018A5587
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_018AA45A	4_2_018AA45A
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_018AE758	4_2_018AE758
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_018A7F68	4_2_018A7F68
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_018A76A8	4_2_018A76A8
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_018AF6D8	4_2_018AF6D8
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_018AEE28	4_2_018AEE28
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_018A6B78	4_2_018A6B78
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_018A4A98	4_2_018A4A98
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_018A4AA8	4_2_018A4AA8
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_018A7248	4_2_018A7248
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_018ADFD0	4_2_018ADFD0
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_018ADFE0	4_2_018ADFE0
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05AB0498	4_2_05AB0498
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05AB0040	4_2_05AB0040
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05AB2398	4_2_05AB2398
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05AB4318	4_2_05AB4318
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05AB4FB0	4_2_05AB4FB0
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05AB29E0	4_2_05AB29E0
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05AB4968	4_2_05AB4968
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05AB08F0	4_2_05AB08F0
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05AB16F8	4_2_05AB16F8
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05AB3678	4_2_05AB3678
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05AB3028	4_2_05AB3028
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05AB1D48	4_2_05AB1D48
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05AB3CC8	4_2_05AB3CC8
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05AB048B	4_2_05AB048B
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05AB0007	4_2_05AB0007
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05AB2388	4_2_05AB2388
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05AB4309	4_2_05AB4309
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05AB4F9F	4_2_05AB4F9F
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05AB29CF	4_2_05AB29CF
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05AB4959	4_2_05AB4959
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05AB08E0	4_2_05AB08E0
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05AB16E9	4_2_05AB16E9
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05AB3668	4_2_05AB3668
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05AB3018	4_2_05AB3018
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05AB1D38	4_2_05AB1D38
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05AB3CB9	4_2_05AB3CB9
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FCF838	4_2_05FCF838
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FCF3E0	4_2_05FCF3E0
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FCEF88	4_2_05FCEF88
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FCEB30	4_2_05FCEB30
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FCE6D8	4_2_05FCE6D8
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FCE280	4_2_05FCE280
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FC75F0	4_2_05FC75F0
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FCDDF0	4_2_05FCDDF0
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FC75E0	4_2_05FC75E0
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FC41D0	4_2_05FC41D0
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FC41C0	4_2_05FC41C0
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FC7198	4_2_05FC7198
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FC7188	4_2_05FC7188
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FC3D78	4_2_05FC3D78
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FC3D68	4_2_05FC3D68
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FC6D40	4_2_05FC6D40
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FC6D36	4_2_05FC6D36
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FC3920	4_2_05FC3920
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FC3910	4_2_05FC3910
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FC68E8	4_2_05FC68E8
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FC68D8	4_2_05FC68D8
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FC34C8	4_2_05FC34C8
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FC34B8	4_2_05FC34B8
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FCD098	4_2_05FCD098
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FC6490	4_2_05FC6490
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FC6482	4_2_05FC6482
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FC3070	4_2_05FC3070
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FC3062	4_2_05FC3062
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FC0040	4_2_05FC0040
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FC6038	4_2_05FC6038
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FC6028	4_2_05FC6028
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FCF828	4_2_05FCF828
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FCC020	4_2_05FCC020
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FCC00F	4_2_05FCC00F
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FC0006	4_2_05FC0006
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FC5BE0	4_2_05FC5BE0
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_05FC5BDA	4_2_05FC5BDA

Source: HvAnUIF17C.exe	Binary or memory string: OriginalFilename vs HvAnUIF17C.exe
Source: HvAnUIF17C.exe, 00000000.00000002.283477487.0000000007880000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNativeVariant.dll" vs HvAnUIF17C.exe
Source: HvAnUIF17C.exe, 00000000.00000002.279912469.00000000044DF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTweenEngineAPI.dllD vs HvAnUIF17C.exe
Source: HvAnUIF17C.exe, 00000000.00000002.279912469.00000000044DF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs HvAnUIF17C.exe
Source: HvAnUIF17C.exe, 00000000.00000002.283832387.0000000007A90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTweenEngineAPI.dllD vs HvAnUIF17C.exe
Source: HvAnUIF17C.exe, 00000000.00000002.283419478.00000000077E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCloneHelper.dll4 vs HvAnUIF17C.exe
Source: HvAnUIF17C.exe, 00000000.00000002.278443910.0000000003291000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs HvAnUIF17C.exe
Source: HvAnUIF17C.exe	Binary or memory string: OriginalFilename vs HvAnUIF17C.exe
Source: HvAnUIF17C.exe, 00000004.00000002.509373688.0000000000422000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs HvAnUIF17C.exe
Source: HvAnUIF17C.exe, 00000004.00000002.509889737.00000000014F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs HvAnUIF17C.exe
Source: HvAnUIF17C.exe	Binary or memory string: OriginalFilenameICustomPropertyProviderPr.exeF vs HvAnUIF17C.exe

Source: HvAnUIF17C.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: HvAnUIF17C.exe	Virustotal: Detection: 35%
Source: HvAnUIF17C.exe	ReversingLabs: Detection: 50%

Source: HvAnUIF17C.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\HvAnUIF17C.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\HvAnUIF17C.exe "C:\Users\user\Desktop\HvAnUIF17C.exe"
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process created: C:\Users\user\Desktop\HvAnUIF17C.exe C:\Users\user\Desktop\HvAnUIF17C.exe
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process created: C:\Users\user\Desktop\HvAnUIF17C.exe C:\Users\user\Desktop\HvAnUIF17C.exe	Jump to behavior

Source: C:\Users\user\Desktop\HvAnUIF17C.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HvAnUIF17C.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1

Source: HvAnUIF17C.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: HvAnUIF17C.exe, CIS443Homework1___InterfaceFiles/Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.HvAnUIF17C.exe.f10000.0.unpack, CIS443Homework1___InterfaceFiles/Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.HvAnUIF17C.exe.f10000.0.unpack, CIS443Homework1___InterfaceFiles/Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.HvAnUIF17C.exe.fe0000.13.unpack, CIS443Homework1___InterfaceFiles/Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.HvAnUIF17C.exe.fe0000.9.unpack, CIS443Homework1___InterfaceFiles/Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.HvAnUIF17C.exe.400000.0.unpack, ?B???/?2ud95fude2bufffd.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'

Source: C:\Users\user\Desktop\HvAnUIF17C.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\HvAnUIF17C.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\HvAnUIF17C.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: HvAnUIF17C.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: HvAnUIF17C.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: HvAnUIF17C.exe, CIS443Homework1___InterfaceFiles/Form1.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.HvAnUIF17C.exe.f10000.0.unpack, CIS443Homework1___InterfaceFiles/Form1.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.HvAnUIF17C.exe.f10000.0.unpack, CIS443Homework1___InterfaceFiles/Form1.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.HvAnUIF17C.exe.fe0000.13.unpack, CIS443Homework1___InterfaceFiles/Form1.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.HvAnUIF17C.exe.fe0000.9.unpack, CIS443Homework1___InterfaceFiles/Form1.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.HvAnUIF17C.exe.fe0000.7.unpack, CIS443Homework1___InterfaceFiles/Form1.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.HvAnUIF17C.exe.fe0000.5.unpack, CIS443Homework1___InterfaceFiles/Form1.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.2.HvAnUIF17C.exe.fe0000.1.unpack, CIS443Homework1___InterfaceFiles/Form1.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.HvAnUIF17C.exe.fe0000.11.unpack, CIS443Homework1___InterfaceFiles/Form1.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.HvAnUIF17C.exe.fe0000.3.unpack, CIS443Homework1___InterfaceFiles/Form1.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.HvAnUIF17C.exe.fe0000.2.unpack, CIS443Homework1___InterfaceFiles/Form1.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.HvAnUIF17C.exe.fe0000.1.unpack, CIS443Homework1___InterfaceFiles/Form1.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.HvAnUIF17C.exe.fe0000.0.unpack, CIS443Homework1___InterfaceFiles/Form1.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_018A1B69 push 8BFFFFFFh; retf		4_2_018A1B6F
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Code function: 4_2_018A8F09 push FFFFFF8Bh; iretd		4_2_018A8F0D

Source: initial sample

Static PE information: section name: .text entropy: 7.922642417266635

Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.278554759.000000000333B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.278443910.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HvAnUIF17C.exe PID: 5684, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: HvAnUIF17C.exe, 00000000.00000002.278554759.000000000333B000.00000004.00000800.00020000.00000000.sdmp, HvAnUIF17C.exe, 00000000.00000002.278443910.0000000003291000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: HvAnUIF17C.exe, 00000000.00000002.278554759.000000000333B000.00000004.00000800.00020000.00000000.sdmp, HvAnUIF17C.exe, 00000000.00000002.278443910.0000000003291000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\HvAnUIF17C.exe TID: 3536

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\HvAnUIF17C.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\HvAnUIF17C.exe

Code function: 0_2_077E1515 sldt word ptr [eax]

0_2_077E1515

Source: C:\Users\user\Desktop\HvAnUIF17C.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\HvAnUIF17C.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: HvAnUIF17C.exe, 00000000.00000002.278443910.0000000003291000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: HvAnUIF17C.exe, 00000000.00000002.278443910.0000000003291000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: HvAnUIF17C.exe, 00000000.00000002.278443910.0000000003291000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: HvAnUIF17C.exe, 00000000.00000002.278443910.0000000003291000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\HvAnUIF17C.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\HvAnUIF17C.exe

Code function: 4_2_018A6B88 LdrInitializeThunk,

4_2_018A6B88

Source: C:\Users\user\Desktop\HvAnUIF17C.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 4.2.HvAnUIF17C.exe.400000.0.unpack, u0097?A?ufffd/?ufffd???.cs	Reference to suspicious API methods: ('????U', 'MapVirtualKey@user32.dll')
Source: 4.2.HvAnUIF17C.exe.400000.0.unpack, z?ufffd??/????W.cs	Reference to suspicious API methods: ('??O??', 'GetProcAddress@kernel32'), ('?????', 'LoadLibrary@kernel32.dll')
Source: 4.0.HvAnUIF17C.exe.400000.6.unpack, u0097?A?ufffd/?ufffd???.cs	Reference to suspicious API methods: ('????U', 'MapVirtualKey@user32.dll')
Source: 4.0.HvAnUIF17C.exe.400000.6.unpack, z?ufffd??/????W.cs	Reference to suspicious API methods: ('??O??', 'GetProcAddress@kernel32'), ('?????', 'LoadLibrary@kernel32.dll')
Source: 4.0.HvAnUIF17C.exe.400000.8.unpack, u0097?A?ufffd/?ufffd???.cs	Reference to suspicious API methods: ('????U', 'MapVirtualKey@user32.dll')
Source: 4.0.HvAnUIF17C.exe.400000.8.unpack, z?ufffd??/????W.cs	Reference to suspicious API methods: ('??O??', 'GetProcAddress@kernel32'), ('?????', 'LoadLibrary@kernel32.dll')
Source: 4.0.HvAnUIF17C.exe.400000.4.unpack, u0097?A?ufffd/?ufffd???.cs	Reference to suspicious API methods: ('????U', 'MapVirtualKey@user32.dll')
Source: 4.0.HvAnUIF17C.exe.400000.4.unpack, z?ufffd??/????W.cs	Reference to suspicious API methods: ('??O??', 'GetProcAddress@kernel32'), ('?????', 'LoadLibrary@kernel32.dll')
Source: 4.0.HvAnUIF17C.exe.400000.10.unpack, u0097?A?ufffd/?ufffd???.cs	Reference to suspicious API methods: ('????U', 'MapVirtualKey@user32.dll')
Source: 4.0.HvAnUIF17C.exe.400000.10.unpack, z?ufffd??/????W.cs	Reference to suspicious API methods: ('??O??', 'GetProcAddress@kernel32'), ('?????', 'LoadLibrary@kernel32.dll')
Source: 4.0.HvAnUIF17C.exe.400000.12.unpack, u0097?A?ufffd/?ufffd???.cs	Reference to suspicious API methods: ('????U', 'MapVirtualKey@user32.dll')
Source: 4.0.HvAnUIF17C.exe.400000.12.unpack, z?ufffd??/????W.cs	Reference to suspicious API methods: ('??O??', 'GetProcAddress@kernel32'), ('?????', 'LoadLibrary@kernel32.dll')

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\HvAnUIF17C.exe

Memory written: C:\Users\user\Desktop\HvAnUIF17C.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\HvAnUIF17C.exe

Process created: C:\Users\user\Desktop\HvAnUIF17C.exe C:\Users\user\Desktop\HvAnUIF17C.exe

Jump to behavior

Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Users\user\Desktop\HvAnUIF17C.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Users\user\Desktop\HvAnUIF17C.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\HvAnUIF17C.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.HvAnUIF17C.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HvAnUIF17C.exe.45d9dc0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HvAnUIF17C.exe.45d9dc0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HvAnUIF17C.exe.454d1a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HvAnUIF17C.exe.44dff28.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.266393482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.509304253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.266790550.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.266009764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.267402332.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.279912469.00000000044DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.HvAnUIF17C.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HvAnUIF17C.exe.45d9dc0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HvAnUIF17C.exe.45d9dc0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HvAnUIF17C.exe.454d1a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HvAnUIF17C.exe.44dff28.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.266393482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.509304253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.266790550.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.266009764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.267402332.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.279912469.00000000044DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HvAnUIF17C.exe PID: 5684, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HvAnUIF17C.exe PID: 3120, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\HvAnUIF17C.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\HvAnUIF17C.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\HvAnUIF17C.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\HvAnUIF17C.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.HvAnUIF17C.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HvAnUIF17C.exe.45d9dc0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HvAnUIF17C.exe.45d9dc0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HvAnUIF17C.exe.454d1a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HvAnUIF17C.exe.44dff28.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.266393482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.509304253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.266790550.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.266009764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.267402332.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.279912469.00000000044DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HvAnUIF17C.exe PID: 5684, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HvAnUIF17C.exe PID: 3120, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.HvAnUIF17C.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HvAnUIF17C.exe.45d9dc0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HvAnUIF17C.exe.45d9dc0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HvAnUIF17C.exe.454d1a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HvAnUIF17C.exe.44dff28.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.266393482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.509304253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.266790550.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.266009764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.267402332.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.279912469.00000000044DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.HvAnUIF17C.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HvAnUIF17C.exe.45d9dc0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.HvAnUIF17C.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HvAnUIF17C.exe.45d9dc0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HvAnUIF17C.exe.454d1a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HvAnUIF17C.exe.44dff28.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.266393482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.509304253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.266790550.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.266009764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.267402332.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.279912469.00000000044DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HvAnUIF17C.exe PID: 5684, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HvAnUIF17C.exe PID: 3120, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	111 Process Injection	1 Masquerading	2 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	12 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	13 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
HvAnUIF17C.exe	36%	Virustotal		Browse
HvAnUIF17C.exe	9%	Metadefender		Browse
HvAnUIF17C.exe	50%	ReversingLabs	ByteCode-MSIL.Spyware.SnakeLogger
HvAnUIF17C.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.2.HvAnUIF17C.exe.400000.0.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
4.0.HvAnUIF17C.exe.400000.6.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
4.0.HvAnUIF17C.exe.400000.8.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
4.0.HvAnUIF17C.exe.400000.4.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
4.0.HvAnUIF17C.exe.400000.10.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
4.0.HvAnUIF17C.exe.400000.12.unpack	100%	Avira	TR/ATRAPS.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://checkip.dyndns.org4	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
checkip.dyndns.com	193.122.130.0	true	true		unknown
checkip.dyndns.org	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	true	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot	HvAnUIF17C.exe, 00000000.00000002.279912469.00000000044DF000.00000004.00000800.00020000.00000000.sdmp, HvAnUIF17C.exe, 00000004.00000000.266393482.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	HvAnUIF17C.exe, 00000004.00000002.511395073.0000000003549000.00000004.00000800.00020000.00000000.sdmp, HvAnUIF17C.exe, 00000004.00000002.511505410.0000000003556000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org4	HvAnUIF17C.exe, 00000004.00000002.511395073.0000000003549000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	HvAnUIF17C.exe, 00000000.00000002.279912469.00000000044DF000.00000004.00000800.00020000.00000000.sdmp, HvAnUIF17C.exe, 00000004.00000000.266393482.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	HvAnUIF17C.exe, 00000004.00000002.511505410.0000000003556000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	HvAnUIF17C.exe, 00000004.00000002.511172584.00000000034B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	HvAnUIF17C.exe, 00000000.00000002.282080429.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.122.130.0	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	652386
Start date and time: 26/06/202209:32:32	2022-06-26 09:32:32 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	HvAnUIF17C.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 2.6% (good quality ratio 0.5%) Quality average: 9.6% Quality standard deviation: 24.8%
HCA Information:	Successful, ratio: 85% Number of executed functions: 53 Number of non-executed functions: 29
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:33:48	API Interceptor	1x Sleep call for process: HvAnUIF17C.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
193.122.130.0	oAE7nqtsNA.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	0OZQi3b0tM.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	ZzO0LX45zz.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	FNK08uYGy6.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	MV SEA EVERGOLD.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	4vQAHpapFz.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	aercUUUX2C.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	CUSTOMER REQUEST.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Import shipment.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	854F1E97-5DBB-4A87-A566-33D9012B05E2 pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	tka30O3OZN.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	ViAKIk7T7X.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	qzzwd4Mg1N.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	4008765678900--98765.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	F96UcEk8Z9.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	t5nmFGhdVA.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Order Details.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	uc2RxH8hO7.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	gsjRXEqpy51bLEm.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	RFQ_5076414.exe	Get hash	malicious	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
checkip.dyndns.com	oAE7nqtsNA.exe	Get hash	malicious	Browse	193.122.130.0
	0OZQi3b0tM.exe	Get hash	malicious	Browse	193.122.130.0
	ZzO0LX45zz.exe	Get hash	malicious	Browse	193.122.130.0
	FNK08uYGy6.exe	Get hash	malicious	Browse	193.122.130.0
	MV CHINALAND.exe	Get hash	malicious	Browse	158.101.44.242
	Import shipment.exe	Get hash	malicious	Browse	132.226.247.73
	MV SEA EVERGOLD.exe	Get hash	malicious	Browse	193.122.130.0
	4vQAHpapFz.exe	Get hash	malicious	Browse	193.122.130.0
	SecuriteInfo.com.IL.Trojan.MSILZilla.16190.26221.exe	Get hash	malicious	Browse	193.122.6.168
	gD5LFrPtfc.exe	Get hash	malicious	Browse	132.226.247.73
	aercUUUX2C.exe	Get hash	malicious	Browse	193.122.130.0
	vSgQo7dqYG.exe	Get hash	malicious	Browse	158.101.44.242
	MV CHINALAND.exe	Get hash	malicious	Browse	132.226.8.169
	22017_TIEM2 - RFQ.exe	Get hash	malicious	Browse	158.101.44.242
	CUSTOMER REQUEST.exe	Get hash	malicious	Browse	193.122.130.0
	Import shipment.exe	Get hash	malicious	Browse	193.122.130.0
	854F1E97-5DBB-4A87-A566-33D9012B05E2 pdf.exe	Get hash	malicious	Browse	193.122.130.0
	tka30O3OZN.exe	Get hash	malicious	Browse	193.122.130.0
	MV SEA EVERGOLD.exe	Get hash	malicious	Browse	132.226.247.73
	Docume001.exe	Get hash	malicious	Browse	132.226.8.169

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ORACLE-BMC-31898US	oAE7nqtsNA.exe	Get hash	malicious	Browse	193.122.130.0
	0OZQi3b0tM.exe	Get hash	malicious	Browse	193.122.130.0
	ZzO0LX45zz.exe	Get hash	malicious	Browse	193.122.130.0
	FNK08uYGy6.exe	Get hash	malicious	Browse	193.122.130.0
	MV CHINALAND.exe	Get hash	malicious	Browse	158.101.44.242
	MV SEA EVERGOLD.exe	Get hash	malicious	Browse	193.122.130.0
	4vQAHpapFz.exe	Get hash	malicious	Browse	193.122.130.0
	SecuriteInfo.com.IL.Trojan.MSILZilla.16190.26221.exe	Get hash	malicious	Browse	193.122.6.168
	aercUUUX2C.exe	Get hash	malicious	Browse	193.122.130.0
	vSgQo7dqYG.exe	Get hash	malicious	Browse	158.101.44.242
	22017_TIEM2 - RFQ.exe	Get hash	malicious	Browse	158.101.44.242
	CUSTOMER REQUEST.exe	Get hash	malicious	Browse	193.122.130.0
	Import shipment.exe	Get hash	malicious	Browse	193.122.130.0
	854F1E97-5DBB-4A87-A566-33D9012B05E2 pdf.exe	Get hash	malicious	Browse	193.122.130.0
	tka30O3OZN.exe	Get hash	malicious	Browse	193.122.130.0
	ViAKIk7T7X.exe	Get hash	malicious	Browse	193.122.130.0
	qzzwd4Mg1N.exe	Get hash	malicious	Browse	193.122.130.0
	4008765678900--98765.exe	Get hash	malicious	Browse	193.122.130.0
	https://wallpaperaccess.com/miami-night	Get hash	malicious	Browse	150.136.25.38
	b8sqHJocuX.exe	Get hash	malicious	Browse	193.122.6.168

Process:	C:\Users\user\Desktop\HvAnUIF17C.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.916901106793155
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	HvAnUIF17C.exe
File size:	720384
MD5:	515bae8e826da0259aea4c4f3f05a654
SHA1:	b17e6b0aecf3c98bf27c6d3c03411007c964a35b
SHA256:	1f446fcfd533aab46514bc919c327c75e9dae84d6086777beeed532cdb787c85
SHA512:	3d4459645525b07d06a346af096b47d499cef495013eb0f8b8df2f750c74892b64cd74ee7c59f30796e0f8fa7f153bc3b174bdbbce83d7d27677350db2960545
SSDEEP:	12288:/xgH2iN1kPRxliW12/vxmScPAnxmy674XKsQBV8rnBFt7Lie+LNU3NayyfRo:K13kPRrh2/5CPAnxMMXRQ/0b0vxU3NaH
TLSH:	79E41299E3A41EAAC08353F91C6CE5442A1BF70E82BCC60AB4F6355AE5723D59063F17
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z..b..............0.................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4b1496
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62B71C5A [Sat Jun 25 14:31:54 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
dec eax
push edx
dec eax
inc ecx
xor eax, 45373434h
cmp byte ptr [3534564Eh], dh
xor eax, 4F373751h
push esp
inc ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb1444	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb2000	0x3e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xaf4b4	0xaf600	False	0.9178977525837491	data	7.922642417266635	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb2000	0x3e0	0x400	False	0.3896484375	data	3.1085984086504888	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb4000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xb2058	0x384	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.4193.122.130.049760802842536 06/26/22-09:34:00.732371	TCP	2842536	ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check	49760	80	192.168.2.4	193.122.130.0

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 26, 2022 09:34:00.624166965 CEST	49760	80	192.168.2.4	193.122.130.0
Jun 26, 2022 09:34:00.731515884 CEST	80	49760	193.122.130.0	192.168.2.4
Jun 26, 2022 09:34:00.731792927 CEST	49760	80	192.168.2.4	193.122.130.0
Jun 26, 2022 09:34:00.732371092 CEST	49760	80	192.168.2.4	193.122.130.0
Jun 26, 2022 09:34:00.839612961 CEST	80	49760	193.122.130.0	192.168.2.4
Jun 26, 2022 09:34:00.840661049 CEST	80	49760	193.122.130.0	192.168.2.4
Jun 26, 2022 09:34:00.920098066 CEST	49760	80	192.168.2.4	193.122.130.0
Jun 26, 2022 09:35:05.842036963 CEST	80	49760	193.122.130.0	192.168.2.4
Jun 26, 2022 09:35:05.843590975 CEST	49760	80	192.168.2.4	193.122.130.0
Jun 26, 2022 09:35:40.855221033 CEST	49760	80	192.168.2.4	193.122.130.0
Jun 26, 2022 09:35:40.966523886 CEST	80	49760	193.122.130.0	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 26, 2022 09:34:00.512381077 CEST	64454	53	192.168.2.4	8.8.8.8
Jun 26, 2022 09:34:00.530930042 CEST	53	64454	8.8.8.8	192.168.2.4
Jun 26, 2022 09:34:00.549586058 CEST	60506	53	192.168.2.4	8.8.8.8
Jun 26, 2022 09:34:00.566579103 CEST	53	60506	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 26, 2022 09:34:00.512381077 CEST	192.168.2.4	8.8.8.8	0x279	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)
Jun 26, 2022 09:34:00.549586058 CEST	192.168.2.4	8.8.8.8	0x6bf4	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 26, 2022 09:34:00.530930042 CEST	8.8.8.8	192.168.2.4	0x279	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)
Jun 26, 2022 09:34:00.530930042 CEST	8.8.8.8	192.168.2.4	0x279	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)
Jun 26, 2022 09:34:00.530930042 CEST	8.8.8.8	192.168.2.4	0x279	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)
Jun 26, 2022 09:34:00.530930042 CEST	8.8.8.8	192.168.2.4	0x279	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)
Jun 26, 2022 09:34:00.530930042 CEST	8.8.8.8	192.168.2.4	0x279	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)
Jun 26, 2022 09:34:00.530930042 CEST	8.8.8.8	192.168.2.4	0x279	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)
Jun 26, 2022 09:34:00.566579103 CEST	8.8.8.8	192.168.2.4	0x6bf4	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)
Jun 26, 2022 09:34:00.566579103 CEST	8.8.8.8	192.168.2.4	0x6bf4	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)
Jun 26, 2022 09:34:00.566579103 CEST	8.8.8.8	192.168.2.4	0x6bf4	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)
Jun 26, 2022 09:34:00.566579103 CEST	8.8.8.8	192.168.2.4	0x6bf4	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)
Jun 26, 2022 09:34:00.566579103 CEST	8.8.8.8	192.168.2.4	0x6bf4	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)
Jun 26, 2022 09:34:00.566579103 CEST	8.8.8.8	192.168.2.4	0x6bf4	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49760	193.122.130.0	80	C:\Users\user\Desktop\HvAnUIF17C.exe

Timestamp	kBytes transferred	Direction	Data
Jun 26, 2022 09:34:00.732371092 CEST	1139	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jun 26, 2022 09:34:00.840661049 CEST	1139	IN	HTTP/1.1 200 OK Date: Sun, 26 Jun 2022 07:34:00 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 34 33 2e 36 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.143.61</body></html>

Target ID:	0
Start time:	09:33:38
Start date:	26/06/2022
Path:	C:\Users\user\Desktop\HvAnUIF17C.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HvAnUIF17C.exe"
Imagebase:	0xf10000
File size:	720384 bytes
MD5 hash:	515BAE8E826DA0259AEA4C4F3F05A654
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.278554759.000000000333B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.279912469.00000000044DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.279912469.00000000044DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.279912469.00000000044DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.279912469.00000000044DF000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.278443910.0000000003291000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	4
Start time:	09:33:49
Start date:	26/06/2022
Path:	C:\Users\user\Desktop\HvAnUIF17C.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\HvAnUIF17C.exe
Imagebase:	0xfe0000
File size:	720384 bytes
MD5 hash:	515BAE8E826DA0259AEA4C4F3F05A654
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000000.266393482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000000.266393482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.266393482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000000.266393482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.509304253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.509304253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.509304253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.509304253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000000.266790550.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000000.266790550.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.266790550.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000000.266790550.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000000.266009764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000000.266009764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.266009764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000000.266009764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000000.267402332.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000000.267402332.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.267402332.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000000.267402332.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	80
Total number of Limit Nodes:	5

Executed Functions

Function 018D9DD0 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 018DA016

Memory Dump Source

Source File: 00000000.00000002.278137916.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_HvAnUIF17C.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 156de830da506755f8bd37ce0dbb494e83e253e57a09b7a92f035cdeca2c7a87
Instruction ID: df2c217c3965f043b68c185ce05f071f82fdf9ec8b6f89596931bf2d2d8989b5
Opcode Fuzzy Hash: 156de830da506755f8bd37ce0dbb494e83e253e57a09b7a92f035cdeca2c7a87
Instruction Fuzzy Hash: 19713670A00B059FDB24DF6AD44475ABBF1FF88318F00892DD58AD7A40DB75EA09CB92

Uniqueness

Uniqueness Score: -1.00%

Function 018D3DE4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 018D5421

Memory Dump Source

Source File: 00000000.00000002.278137916.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_HvAnUIF17C.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9d0b400a0c244bd462c32bb3999bcc5118cf8d4a744fc6f294f06f4beaa96f31
Instruction ID: 382db3d350660f6b8eae632e7db971d93b0b91308489a54b3f1e0094bf610173
Opcode Fuzzy Hash: 9d0b400a0c244bd462c32bb3999bcc5118cf8d4a744fc6f294f06f4beaa96f31
Instruction Fuzzy Hash: 1D41E5B0D04718CFDB24DFA9C884BDDBBB5BF89308F10815AD518AB250DB756945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 018D9D70 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,018DBFBE,?,?,?,?,?), ref: 018DC07F

Memory Dump Source

Source File: 00000000.00000002.278137916.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_HvAnUIF17C.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1f13f11452b0ee7fe62a765fc993b5a3ec1e63c93a2dc1d1e5d3d9fe7be0cb3c
Instruction ID: c91808943bf71f17f0ab0bd21c727115adf23cfe29821c274c30371a0ec79ac5
Opcode Fuzzy Hash: 1f13f11452b0ee7fe62a765fc993b5a3ec1e63c93a2dc1d1e5d3d9fe7be0cb3c
Instruction Fuzzy Hash: 0F21E3B5900348AFDB10CFAAD984ADEBBF8EB48324F14841AE914A7310D774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 018DA230 Relevance: 1.6, APIs: 1, Instructions: 57
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,018DA091,00000800,00000000,00000000), ref: 018DA2A2

Memory Dump Source

Source File: 00000000.00000002.278137916.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_HvAnUIF17C.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d986110f780a038cf75a99cdfc25aeb9bbe205ac6c3eb526e62130d98f497e9f
Instruction ID: 3f9c4a941c55e7108173131ba9f18cbd5eea52bce0a62243fbdc67cc7dfe87f0
Opcode Fuzzy Hash: d986110f780a038cf75a99cdfc25aeb9bbe205ac6c3eb526e62130d98f497e9f
Instruction Fuzzy Hash: DC1126B6C003599FDB14CF9AD848ADEFBF4EB89324F14842ED515A7200C376A649CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 018D99E8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,018DA091,00000800,00000000,00000000), ref: 018DA2A2

Memory Dump Source

Source File: 00000000.00000002.278137916.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_HvAnUIF17C.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: aa0afcf42d7018a3729985eb445e316aea65296bbc58c215ab22a885866c3078
Instruction ID: 46bf2fa2df357f3d6e20be7023efd67cb251db26ffcae259df6d27b27a774651
Opcode Fuzzy Hash: aa0afcf42d7018a3729985eb445e316aea65296bbc58c215ab22a885866c3078
Instruction Fuzzy Hash: D61144B28003189FCB14CF9AD848ADEFBF4EB88324F10842AE519A7200C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 018D9FB0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 018DA016

Memory Dump Source

Source File: 00000000.00000002.278137916.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_HvAnUIF17C.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ff4545fbe96d62f860e4673b7d91eab519f3479be65514c6ba2888677cd0f2e7
Instruction ID: 1a938aa0ad36e729fd42e39c6b9b34f82170f65061e35211e1274c6c32f65ca1
Opcode Fuzzy Hash: ff4545fbe96d62f860e4673b7d91eab519f3479be65514c6ba2888677cd0f2e7
Instruction Fuzzy Hash: 5B11D2B5C00749CFDB24CF9AD844BDEFBF4AB89324F14851AD519A7600C375A649CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0187D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.278022660.000000000187D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_187d000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 483b8adf9580fbad070653516220b244e50d6babd32b222f38b60f88a55b6a62
Instruction ID: 3490da78ecf5f5e9295d11f832988c550d8a398b6b05a055a93467e6ef947e66
Opcode Fuzzy Hash: 483b8adf9580fbad070653516220b244e50d6babd32b222f38b60f88a55b6a62
Instruction Fuzzy Hash: 042128B1504204DFDB05CF54D9C4B66BB65FF84328F24C669D9098B206C336E946C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0188D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.278053502.000000000188D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0188D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_188d000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a4539da3466723cdeb8a6064a82ec19fc0f7a5b302341487de474d31a530cc
Instruction ID: 439444504e43ad20c308e0e36d7de6490c5294d49bb525c61dcf1367329e4c76
Opcode Fuzzy Hash: 52a4539da3466723cdeb8a6064a82ec19fc0f7a5b302341487de474d31a530cc
Instruction Fuzzy Hash: D9213771508204DFDB15EFA4D9C4B26BB61FB84368F20CA6DD9498B386C336D947CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0188D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.278053502.000000000188D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0188D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_188d000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64c1540e6d17ea5c20030158145f15080b55038e731a021ec6de7481984fb11c
Instruction ID: 0f6dd7d14c6dee0b9d6d74589a5ace94e3635184748935f180bb326015ae808c
Opcode Fuzzy Hash: 64c1540e6d17ea5c20030158145f15080b55038e731a021ec6de7481984fb11c
Instruction Fuzzy Hash: CF212571504204DFDB01EF94D5C0B26BBA1FB84328F20CA6DD9098B282C336E946CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0187D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.278022660.000000000187D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_187d000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e6e55a4ab5eb979f697d8d29e7311c2f7f882bfa19d016223f37d0021767ff8
Instruction ID: 7a39d2172b8a3be273231cd7a05ecf67e75986c0e2ff556ba1630335275287cf
Opcode Fuzzy Hash: 2e6e55a4ab5eb979f697d8d29e7311c2f7f882bfa19d016223f37d0021767ff8
Instruction Fuzzy Hash: 9A11DC72404280DFCB02CF44D9C0B56BF72FB84324F28C6A9D8094B617C33AE55ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0188D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.278053502.000000000188D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0188D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_188d000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c71907b7ed15bb6a73651dcce162dc4bb009ed38cbefdc19058d3c3c88dcf41
Instruction ID: 34802ca6538f0bb91f9c104e590c1b3f83ac80505563b55a8068458f109eca97
Opcode Fuzzy Hash: 4c71907b7ed15bb6a73651dcce162dc4bb009ed38cbefdc19058d3c3c88dcf41
Instruction Fuzzy Hash: 2111BE75504280DFCB12DF54C5C0B15BBB1FB84324F24C6A9D8498B696C33AE44ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 0188D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.278053502.000000000188D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0188D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_188d000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c71907b7ed15bb6a73651dcce162dc4bb009ed38cbefdc19058d3c3c88dcf41
Instruction ID: 90c9ab89cc7f931931c655ff264f358c221ed6ed4aafdbf819f14f88c58d978c
Opcode Fuzzy Hash: 4c71907b7ed15bb6a73651dcce162dc4bb009ed38cbefdc19058d3c3c88dcf41
Instruction Fuzzy Hash: D411BE75504280CFDB12DF54D5C4B15BBA1FB84314F24C6A9D8498B696C33AD54BCB61

Uniqueness

Uniqueness Score: -1.00%

Function 0187D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.278022660.000000000187D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_187d000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 198e64b9c0fc3237ee228ffac3f418692f71edf9985b206552bdc60895b98b52
Instruction ID: 453db8feb84008185ad466aa482c2578d2d3ab0efe5e53c933acbd59c7578f8c
Opcode Fuzzy Hash: 198e64b9c0fc3237ee228ffac3f418692f71edf9985b206552bdc60895b98b52
Instruction Fuzzy Hash: BE01F7710083849AE7114E59CD84B66FF98DF813B8F08C65AEE049A246C779D944C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0187D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.278022660.000000000187D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_187d000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69337cc8953e12e57a0c4e061134e417499858798f79ea88aee1367abfd94090
Instruction ID: ab7164fd3fa0d338561f9f45099e428b5f24ff615b81a8f80470668c4e731cbf
Opcode Fuzzy Hash: 69337cc8953e12e57a0c4e061134e417499858798f79ea88aee1367abfd94090
Instruction Fuzzy Hash: 08F06271404284AAE7118E59CD88B62FF98EF81774F18C55AEE089B286C379D944CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 018DECB8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.278137916.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 074e82b04e90b2e07cff1e4822cfdfcdb48bbd3afe37b0f355992b8b95342125
Instruction ID: fbf95a79c897cd08ee8bcd09ec900c38cfffe3f7d702f451cdb546d6018fa5ad
Opcode Fuzzy Hash: 074e82b04e90b2e07cff1e4822cfdfcdb48bbd3afe37b0f355992b8b95342125
Instruction Fuzzy Hash: CA12C9F1811746CBE310EF65F99C189BBA1F746328F70D228D2652BAD9D7B8114ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 018DC874 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.278137916.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0b946a0f73fe9e84d893758782855c8f6506ee8a403387da7fbc21f3205f72
Instruction ID: 7269bc448edf4f3072792437ec59ead483f6b8bab84abf6378176d8f6d74de22
Opcode Fuzzy Hash: 4c0b946a0f73fe9e84d893758782855c8f6506ee8a403387da7fbc21f3205f72
Instruction Fuzzy Hash: 23A15E36E0071A9FCF05DFB9D8449DEBBB2FF84301B15816AE905EB261DB31AA55CB40

Uniqueness

Uniqueness Score: -1.00%

Function 018DECA8 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.278137916.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 640045ca027b99c622a5b23a3cb8f1ada68ca52ff13a9946c36541cbb7e638e4
Instruction ID: 281a4548587b83ba64c718b98e5355ffcefc8fd058f94c9190dbb54b85ac3c2f
Opcode Fuzzy Hash: 640045ca027b99c622a5b23a3cb8f1ada68ca52ff13a9946c36541cbb7e638e4
Instruction Fuzzy Hash: EDC129B1811746CAE710EF65F98C199BBB1FB86328F70C328D2616B6D9D7B4144ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 077E1515 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.283419478.00000000077E0000.00000004.08000000.00040000.00000000.sdmp, Offset: 077E0000, based on PE: true

Associated: 00000000.00000002.283450110.00000000077F0000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77e0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27ecb2bbada0fa197ba3f6ebb65b840d343d8ab1bb8a13cbda03826acdf62af5
Instruction ID: 3331ebcd2be696f2865ee9f8f269afbad99e4bace95d121b7ed4b14a11053a20
Opcode Fuzzy Hash: 27ecb2bbada0fa197ba3f6ebb65b840d343d8ab1bb8a13cbda03826acdf62af5
Instruction Fuzzy Hash: 3951246254E7D18FC7138B789CB26D07FB0AE17224B5E45CBC0C1CF0A3E269995AD762

Uniqueness

Uniqueness Score: -1.00%

Function 00F1AA86 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271859476.0000000000F12000.00000002.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.270801685.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce78df237b3a8992cdbcbd0fa366bb7fd97de0b5cbbffafc5ff72cc84acf6f12
Instruction ID: 25937dd1d36d5a3b8ce3fa4bd2eb2dc3e4196d77b29f8a3aa88b95d4e861287e
Opcode Fuzzy Hash: ce78df237b3a8992cdbcbd0fa366bb7fd97de0b5cbbffafc5ff72cc84acf6f12
Instruction Fuzzy Hash: 9601DA7B25206E2D23161D2B9C0ADE7771FF3D6626319436EA464C7541CE21A82A46E1

Uniqueness

Uniqueness Score: -1.00%

Function 00F1ACB3 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271859476.0000000000F12000.00000002.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.270801685.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbff11a313984514ca3e74b79423793c6d3c4b1c58cfafff5bda6aa9b8589c0
Instruction ID: 1b3fcc1a5b263608617a119ea21e60ce28c884a658aff6e20868ccabc1cbbb25
Opcode Fuzzy Hash: 5cbff11a313984514ca3e74b79423793c6d3c4b1c58cfafff5bda6aa9b8589c0
Instruction Fuzzy Hash: 86F0F97B3950366D730609ABEC06CDF930BB2C89B73064536AA69CB681DF6098170AE1

Uniqueness

Uniqueness Score: -1.00%

Function 00F1ABBB Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271859476.0000000000F12000.00000002.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.270801685.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17b3da307a719ae41495fe04d3e234adab7892b4f984f966fd2978b8f6b1653
Instruction ID: a7f7dbd8b7edcbd4e705570e5e955ee112d1dca211c55c482b2d95f071fd7bf5
Opcode Fuzzy Hash: b17b3da307a719ae41495fe04d3e234adab7892b4f984f966fd2978b8f6b1653
Instruction Fuzzy Hash: 69F0B07B39203E2D73062D1A5D06EF7A30FB3CA21A305527EA569C7642DF61591B05E1

Uniqueness

Uniqueness Score: -1.00%

Function 00F1B186 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271859476.0000000000F12000.00000002.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.270801685.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 286e34843c94ac1d62b3d97014096ed1116d8e4c7c11cc4cfb05e8402a665e94
Instruction ID: 20337239d98c28fb05c23587bb78cd8c4621f2edd48e85f811613ea2cc12a90f
Opcode Fuzzy Hash: 286e34843c94ac1d62b3d97014096ed1116d8e4c7c11cc4cfb05e8402a665e94
Instruction Fuzzy Hash: CAF0A2B3808145F5271309779C08CB73D2B56E9BB117B936A7839EB8506EBA8813F560

Uniqueness

Uniqueness Score: -1.00%

Function 00F1B086 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271859476.0000000000F12000.00000002.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.270801685.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f5fcfc862a104ba4029f2bc8638bf6334d1baa3923bdafcfbdc46a35f17e39
Instruction ID: e17b5168b6d30faca8fab5ed926dadbfd3e725b4c630903d1f97bb4a2167f0b9
Opcode Fuzzy Hash: f8f5fcfc862a104ba4029f2bc8638bf6334d1baa3923bdafcfbdc46a35f17e39
Instruction Fuzzy Hash: 6A01F7B3544096F8272309679C08C573D2BA2ED7B133B433A78399B595EEB98813E1A0

Uniqueness

Uniqueness Score: -1.00%

Function 00F1AF86 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271859476.0000000000F12000.00000002.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.270801685.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc1474f2b50bc3f320c71d3f2eab81c655f5026dea309a5f3a2ec255acf37b97
Instruction ID: d39b1f93d7ce98fcb7f6690928015cc3b2b5a90080cd893ffbd48f2f34c28e4e
Opcode Fuzzy Hash: bc1474f2b50bc3f320c71d3f2eab81c655f5026dea309a5f3a2ec255acf37b97
Instruction Fuzzy Hash: 2CF0FFA9348191FE4723447BEC2CEC73C1795D97B033D02397C5197443FA9A8E15C950

Uniqueness

Uniqueness Score: -1.00%

Function 00F1AE86 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271859476.0000000000F12000.00000002.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.270801685.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28bc95c38097d73ddbc0da32f30e895189af898fdc165d265fd7d3702bdecd92
Instruction ID: 2ce3348e2222c9aa7edd32bec7737f31235e9faec7fb72b79c420e80c17b16c5
Opcode Fuzzy Hash: 28bc95c38097d73ddbc0da32f30e895189af898fdc165d265fd7d3702bdecd92
Instruction Fuzzy Hash: B4F0963E398166DE87529C7FFC2CA8F6616E5D197271C4637BE10C7083EA228917C9B0

Uniqueness

Uniqueness Score: -1.00%

Function 00F1B2B4 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271859476.0000000000F12000.00000002.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.270801685.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f76355e381a2ea839e7b8fb505e99b4bedc0f948530b5095bcafabcf88b7286
Instruction ID: 1a37ef57d51cb3684e12120ae94c387b2e13d083bb984b026e1ab7c77664a1e5
Opcode Fuzzy Hash: 3f76355e381a2ea839e7b8fb505e99b4bedc0f948530b5095bcafabcf88b7286
Instruction Fuzzy Hash: 6EF05A37A0C205C5230203FB6A0A563925612E36F1037C3200C3EFA8929CAB4813B480

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: HvAnUIF17C.exePID: 3120, Parent PID: 5684COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	58.5%
Total number of Nodes:	65
Total number of Limit Nodes:	1

Executed Functions

Function 018A5587 Relevance: 2.1, APIs: 1, Instructions: 636
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 018A5635

Memory Dump Source

Source File: 00000004.00000002.510771923.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_18a0000_HvAnUIF17C.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e866b38eea7d074a7b6a5f303a47a32178e32b07e2798a2368685240c252c580
Instruction ID: 6ec9cae9aa4b18e496951a4d2d82b0d5ab7f859cfbab1d7d502ba06c0bbf984d
Opcode Fuzzy Hash: e866b38eea7d074a7b6a5f303a47a32178e32b07e2798a2368685240c252c580
Instruction Fuzzy Hash: 7962DF74E042688FEB64CF69C884BEDBBB2BB49304F5481A9D508A7355DB749EC1CF90

Uniqueness

Uniqueness Score: -1.00%

Function 018A83C9 Relevance: 1.8, APIs: 1, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 018A855B

Memory Dump Source

Source File: 00000004.00000002.510771923.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_18a0000_HvAnUIF17C.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 89015fee02d2ec45b1a4e9dd49d3d629af36873d572a6f6592dfd73bcab662af
Instruction ID: eeb9ccd05341cb2545c3f3369d42fb1c6849737b240cce315f78e269e69d2933
Opcode Fuzzy Hash: 89015fee02d2ec45b1a4e9dd49d3d629af36873d572a6f6592dfd73bcab662af
Instruction Fuzzy Hash: 19D1A174E00218CFEB14DFA5D998B9DBBB2FB89304F2081A9D809AB354DB355E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 018A6111 Relevance: 1.8, APIs: 1, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 018A61EC

Memory Dump Source

Source File: 00000004.00000002.510771923.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_18a0000_HvAnUIF17C.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1947fb09b70ffc8e75232d6b163f2577325beac7a79090636909d262d643cb36
Instruction ID: abc4dc9ccdc5c5f3ad376f17ef9d1f53b193aeaca71f5e313b2abe0b2dd1d7bd
Opcode Fuzzy Hash: 1947fb09b70ffc8e75232d6b163f2577325beac7a79090636909d262d643cb36
Instruction Fuzzy Hash: 9AD1B074E00218CFEB14DFA5D948B9DBBB2FB89304F2480A9D809AB355DB359E85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05AB0498 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 05AB0563

Memory Dump Source

Source File: 00000004.00000002.512709311.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5ab0000_HvAnUIF17C.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c89aca2429bff9879977053f1512d57b2b877652fde700a7e7b4e3b702fae6ac
Instruction ID: 1298f264ab7360bdfd20ef6a8399d68158cc64da1ec3bbd9f2d8821d4558b286
Opcode Fuzzy Hash: c89aca2429bff9879977053f1512d57b2b877652fde700a7e7b4e3b702fae6ac
Instruction Fuzzy Hash: 41C1B074E00218CFEB14DFA5C958BADBBB2FB89304F2080A9D409AB355DB755E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05AB0040 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 05AB010B

Memory Dump Source

Source File: 00000004.00000002.512709311.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5ab0000_HvAnUIF17C.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 30fe721916dda0dd3afc8e5f7bcb43297b5941f36698d52c503bcab51e211f17
Instruction ID: ba5372c560f55aa5e5183ffb223a05d7c4af8cc529e3add403914ea12e6ede9c
Opcode Fuzzy Hash: 30fe721916dda0dd3afc8e5f7bcb43297b5941f36698d52c503bcab51e211f17
Instruction Fuzzy Hash: ADC1AF74E002188FEB14DFA5C958BADBBB2FB89304F2080A9D809AB355DB355E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05AB08F0 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 05AB09BB

Memory Dump Source

Source File: 00000004.00000002.512709311.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5ab0000_HvAnUIF17C.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0337b6512d318a966c5536ba19e302d643a9f532526cbd915e436d282e1552ad
Instruction ID: a3ef106afa711e40810dbde1d018b463005530255b5afc0dd57aad782d8be8c0
Opcode Fuzzy Hash: 0337b6512d318a966c5536ba19e302d643a9f532526cbd915e436d282e1552ad
Instruction Fuzzy Hash: FDC1B074E00218CFEB14DFA5C958BADBBB2FB89304F2080A9D809AB355DB355E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05FCF3E0 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 05FCF4AB

Memory Dump Source

Source File: 00000004.00000002.513247312.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5fc0000_HvAnUIF17C.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 5e2e433344e204f9f256471819f32aade3b589cfa706ed64a31b6cb7ae3d9439
Instruction ID: 52aba8f8611de7353d3406becee3a1f966232b6f659fee9e8c3e426b3ec62a66
Opcode Fuzzy Hash: 5e2e433344e204f9f256471819f32aade3b589cfa706ed64a31b6cb7ae3d9439
Instruction Fuzzy Hash: A6C19F74E002198FDB18DFA5C954BADBBB2FF89304F2081A9D809AB354DB395E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05FCEF88 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 05FCF053

Memory Dump Source

Source File: 00000004.00000002.513247312.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5fc0000_HvAnUIF17C.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3d0ed15dbdaf20c7867543789ec41ea0eb2028c46c575ec470c5b93f3291e94e
Instruction ID: 8b3b56dcf95c8d41ad2a3b4c7eeb8207cac659d43d61d821aa923d9249b417b5
Opcode Fuzzy Hash: 3d0ed15dbdaf20c7867543789ec41ea0eb2028c46c575ec470c5b93f3291e94e
Instruction Fuzzy Hash: E4C19074E002198FDB18DFA5C954BADBBB2FB89304F2080A9D809AB355DB395E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05FCEB30 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 05FCEBFB

Memory Dump Source

Source File: 00000004.00000002.513247312.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5fc0000_HvAnUIF17C.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 14eca5407c38dea51edf7ddf8fa37f3e3e6b745550a083f2af6178c5f9b6363e
Instruction ID: 696efad27c1e3deb9e3ba83837f3672f06dd7eee110db5d30b9c7863ca5953b4
Opcode Fuzzy Hash: 14eca5407c38dea51edf7ddf8fa37f3e3e6b745550a083f2af6178c5f9b6363e
Instruction Fuzzy Hash: A3C1AF74E00219CFEB14DFA5C954BADBBB2FB89304F2080A9D809AB354DB395E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05FCE6D8 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 05FCE7A3

Memory Dump Source

Source File: 00000004.00000002.513247312.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5fc0000_HvAnUIF17C.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 141addf576f8ddf46a044c0214e086d3718883075e017cfda422c79008a8d2e9
Instruction ID: fdc978f9a6c3d1d075f3bea563c7b19976499b32139a2f7339ad819dd3af8c19
Opcode Fuzzy Hash: 141addf576f8ddf46a044c0214e086d3718883075e017cfda422c79008a8d2e9
Instruction Fuzzy Hash: 4DC19F74E002198FEB14DFA5C954BADBBB2FB89304F2080A9D809AB355DB395E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05FCE280 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 05FCE34B

Memory Dump Source

Source File: 00000004.00000002.513247312.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5fc0000_HvAnUIF17C.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e807e6da1a923232e457ad011a4089b1c83a4b286385a959e36ef4861a8b507a
Instruction ID: d234ef0f8830a6afb13566fa5214de2fae63935c1be50a658ed1e3de51298ff4
Opcode Fuzzy Hash: e807e6da1a923232e457ad011a4089b1c83a4b286385a959e36ef4861a8b507a
Instruction Fuzzy Hash: 85C1AF74E00218CFDB24DFA5C954BADBBB2FB89304F2081A9D809AB354DB395E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05FCF838 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 05FCF903

Memory Dump Source

Source File: 00000004.00000002.513247312.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5fc0000_HvAnUIF17C.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 68f6f1ff0c6998da8c182f3b7f7ad4b0361368fc103074b5bcb71e03296a5216
Instruction ID: 7742c35d6cf03aa493b9723d680ff3561e0171ae2d1eae3e5449640c24e10965
Opcode Fuzzy Hash: 68f6f1ff0c6998da8c182f3b7f7ad4b0361368fc103074b5bcb71e03296a5216
Instruction Fuzzy Hash: 01C1A074E00219CFDB14DFA5C994BADBBB2FB89304F2080A9D809AB355DB395E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05AB0007 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 05AB010B

Memory Dump Source

Source File: 00000004.00000002.512709311.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5ab0000_HvAnUIF17C.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 915980049467fc4bc4848722dd7b702646b9ad73529fb6dd7836adcbed1c768f
Instruction ID: d6ac2d4403cd9b88539980f1d3312a6521710bcb1b71c054fee68ed9e44c04a8
Opcode Fuzzy Hash: 915980049467fc4bc4848722dd7b702646b9ad73529fb6dd7836adcbed1c768f
Instruction Fuzzy Hash: 96412770D052488FEB19CFBAD9547DEBBB2BF89300F28C16AC414AB256DB344946CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05FCF828 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05FCF903

Memory Dump Source

Source File: 00000004.00000002.513247312.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5fc0000_HvAnUIF17C.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 656971d218db7a2c75709e847d3d365b2799eae23763de21a2a93112632dc5ff
Instruction ID: d7c965a2211873e0b7455f6166a86d8a1686a00899aed00950e5dc26694035a2
Opcode Fuzzy Hash: 656971d218db7a2c75709e847d3d365b2799eae23763de21a2a93112632dc5ff
Instruction Fuzzy Hash: C541E5B1E002498BDB18DFAAD5546AEFBF2BF89300F20C17DC415AB258DB355945CF44

Uniqueness

Uniqueness Score: -1.00%

Function 05AB08E0 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05AB09BB

Memory Dump Source

Source File: 00000004.00000002.512709311.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5ab0000_HvAnUIF17C.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2cea312f9dacd1f7f1e5b0915c2d1c4d617c53b34cbdeb9dfdb74f5411535d7c
Instruction ID: 14786e01dfe2618d9d5a93e22187221a13f7fa8f8e7c2fcae1a7e668b289d272
Opcode Fuzzy Hash: 2cea312f9dacd1f7f1e5b0915c2d1c4d617c53b34cbdeb9dfdb74f5411535d7c
Instruction Fuzzy Hash: AD41E2B0E012488BEB18CFAAD554AEEFBF2BF89304F24C12AC415BB259DB345945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05AB048B Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05AB0563

Memory Dump Source

Source File: 00000004.00000002.512709311.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5ab0000_HvAnUIF17C.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f097dcc6736ef31f773c3b6cf4da87979b1a273067d66c1e05f44860cad016e4
Instruction ID: 0f67d2a6b4bcf846728f0679a3c9841d7519af9ee09af7b883d5c925e1aacdbf
Opcode Fuzzy Hash: f097dcc6736ef31f773c3b6cf4da87979b1a273067d66c1e05f44860cad016e4
Instruction Fuzzy Hash: 0E41D5B1E01248CBEB18DFAAD554AEEBBF2BF88300F24D129C414BB259DB355946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 018AE758 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.510771923.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_18a0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7178ac6fbe041e9e234d1f03ba561ca849a5517c4baf7bccae9fd2308b93062c
Instruction ID: 6e8a73004a956de82af0c7a76fbece85b6520210c6b336f5a5e5ed0338437572
Opcode Fuzzy Hash: 7178ac6fbe041e9e234d1f03ba561ca849a5517c4baf7bccae9fd2308b93062c
Instruction Fuzzy Hash: 43125534E002188FEB24DFB8C9947ADBBB2EF89304F5084A9C509AB395DB349E45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 018A6B88 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.510771923.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_18a0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48990eb7cc3fea74e71235dbe811d775f4eb8a2a739bc4534a94b444dd42b26a
Instruction ID: daca518669c3d8389d1546a9c043dd752bd1ddc3b2ea1a3c5b201c70ade3d6b7
Opcode Fuzzy Hash: 48990eb7cc3fea74e71235dbe811d775f4eb8a2a739bc4534a94b444dd42b26a
Instruction Fuzzy Hash: 51F1F574E00218CFEB14DFA9C884B9DFBB2BF88304F5581A9D908AB355DB759A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 018A7200 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.510771923.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_18a0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e24d6da44a237d69fe76bf3eab6a92714ed0ecb5e78fe52dd262d077589b25ef
Instruction ID: 634d36c36c2842ceefa6ae85c8ecce9c948f318585159ae9d552cc4521b5f897
Opcode Fuzzy Hash: e24d6da44a237d69fe76bf3eab6a92714ed0ecb5e78fe52dd262d077589b25ef
Instruction Fuzzy Hash: 49D1E174E00258CFEB14DFA5D958BADBBB2FF49304F2080A9D809AB355DB356A81DF50

Uniqueness

Uniqueness Score: -1.00%

Function 018A7F68 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.510771923.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_18a0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3eae3646bbed31a4dcd9b99a89dd12474e50af0ebf026a2db5917a31b8109e7
Instruction ID: 5e98b46902762a7d45989f083a4ad128113af09f4b3fabafb2891b32e6b6a8f0
Opcode Fuzzy Hash: d3eae3646bbed31a4dcd9b99a89dd12474e50af0ebf026a2db5917a31b8109e7
Instruction Fuzzy Hash: 73D1A174E00218CFEB14DFA5D958BADBBB2FB89304F1081A9D809AB354DB355E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 018A7B08 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.510771923.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_18a0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f04d71f99437e780a8136879ad2c6904aa31ea99c05578a391a65e38ce64e1
Instruction ID: 5a55ee3278ca1815ab8f9528d39ce1f6153491c84523fa24392723d595f6f2eb
Opcode Fuzzy Hash: 11f04d71f99437e780a8136879ad2c6904aa31ea99c05578a391a65e38ce64e1
Instruction Fuzzy Hash: F5D1B074E00218CFEB14DFA5D948B9DBBB2FB89304F2081A9D809AB355DB356E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 018AFB30 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.510771923.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_18a0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a62dec154c66a3f54666a7f1794e4edee5757066965659aaf6c331626dd63256
Instruction ID: 7467d106e96060309d245e289960b1fa5a680c12ba8f7d9842ccb9cf45781038
Opcode Fuzzy Hash: a62dec154c66a3f54666a7f1794e4edee5757066965659aaf6c331626dd63256
Instruction Fuzzy Hash: E0C1CF74E00218CFEB14DFA5C994B9DBBB2FB89304F2080A9D909AB354DB359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 018AF280 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.510771923.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_18a0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4404823edbd2a2db560a4d443e6ac293237ad6bc23000ae5bacf2f4acb5bc355
Instruction ID: fa7d02811448a930442c619586ce2da72ce11002ece9c976b045c238846fa608
Opcode Fuzzy Hash: 4404823edbd2a2db560a4d443e6ac293237ad6bc23000ae5bacf2f4acb5bc355
Instruction Fuzzy Hash: 42C1C074E00218CFEB24DFA5C994B9DBBB2FB89304F2080A9D809AB354DB355E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 018AF6D8 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.510771923.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_18a0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a2d51b051b88f82a904cf805cc4f76ee39526437b92787e9baa60e9bcff1a3a
Instruction ID: 78b100d5a4de85c06e87b247dfad65f80c7084f29cbdfc580e9902a21e09078a
Opcode Fuzzy Hash: 0a2d51b051b88f82a904cf805cc4f76ee39526437b92787e9baa60e9bcff1a3a
Instruction Fuzzy Hash: E5C1CF74E002188FEB14DFA5C954BADBBB2FF89304F2080A9D809AB355DB346E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 018AEE28 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.510771923.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_18a0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 894c7e8e18927c90be7fa6cf2ddac86ecdde58a6d71a312a647365f62ffd3110
Instruction ID: 87deb95d788713c876219b7d14d8b7a8dc42f03d495ec72a1f27e336089e7f7d
Opcode Fuzzy Hash: 894c7e8e18927c90be7fa6cf2ddac86ecdde58a6d71a312a647365f62ffd3110
Instruction Fuzzy Hash: 35C1BF74E00218CFEB14DFA5C994B9DBBB2FB89304F6080A9D809AB355DB355E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 018A76A8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.510771923.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_18a0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4394da3c05cefac40240bc3de7bcec92150008881c1614a60cf4fa8017947d64
Instruction ID: 11013a13fe67dc39ecbfac3222b16993d0e2e536808af3ce31c7937ff2610973
Opcode Fuzzy Hash: 4394da3c05cefac40240bc3de7bcec92150008881c1614a60cf4fa8017947d64
Instruction Fuzzy Hash: F4D1BF74E00218CFEB14DFA5D958BADBBB2FB89304F2080A9D809AB355DB355E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 018A66E8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.510771923.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_18a0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4e72f221d011406cccf4fc6743232614b5c8bc7354b7e9fada44bd7c9def7f8
Instruction ID: 36c56c2d8e5025b1977b4538fbdb04e56840618e48fb28d4fb8bd2a3982c1892
Opcode Fuzzy Hash: c4e72f221d011406cccf4fc6743232614b5c8bc7354b7e9fada44bd7c9def7f8
Instruction Fuzzy Hash: 79A11470D002188FEB10DFA9C588BDDBBB1FF89304F248269D509AB395EB759A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 018A66F8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.510771923.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_18a0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f29e2ecd70d29f9e5991d07965a9eb229c6a38b1d88ab6897df2f642a4dd1c
Instruction ID: 8deb84f2b14035e8a4d8ea2ae0b54482ee2865142f496953aa53f212d9ac9510
Opcode Fuzzy Hash: 22f29e2ecd70d29f9e5991d07965a9eb229c6a38b1d88ab6897df2f642a4dd1c
Instruction Fuzzy Hash: 7EA10270D002188FEB10DFA8C548BEDBBB1FF89304F248269D508AB395EB759A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 018A6A3E Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.510771923.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_18a0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21f4739b23b9271a94316844ea821dd69dadda546e663a2f5cb4951947dad15e
Instruction ID: 319a7475ed2572a4136697714543b73b12b9a30c16869ea08eb469eed8a96fff
Opcode Fuzzy Hash: 21f4739b23b9271a94316844ea821dd69dadda546e663a2f5cb4951947dad15e
Instruction Fuzzy Hash: DD91F470900218CFEB10DFA8C498BEDBBB1FF49314F248269D509AB395EB759A85CF15

Uniqueness

Uniqueness Score: -1.00%

Function 018A3450 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 018A3506

Memory Dump Source

Source File: 00000004.00000002.510771923.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_18a0000_HvAnUIF17C.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: de1dd0b2563bd7991bb6faf44d5637fec5324727b6257321986a1a03d7127ef7
Instruction ID: f719849cffe4dc808ab454bb820d382b0d9090a11de8064c71167f09637a45aa
Opcode Fuzzy Hash: de1dd0b2563bd7991bb6faf44d5637fec5324727b6257321986a1a03d7127ef7
Instruction Fuzzy Hash: CF51EC34435746EFD7207F64F6AD16EBBB1FB5F313745AC00A41A91819EB38528AAF20

Uniqueness

Uniqueness Score: -1.00%

Function 018A3460 Relevance: 1.7, APIs: 1, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 018A3506

Memory Dump Source

Source File: 00000004.00000002.510771923.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_18a0000_HvAnUIF17C.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6d022d28c38b5f2d0a66df943ea7fe196fbdc7416038c2b5ed9d0335b1559e0c
Instruction ID: f35768b6fd5d42c4cd864a5539e0712418d1d65ea79cc434cd3ce3fcbffe4786
Opcode Fuzzy Hash: 6d022d28c38b5f2d0a66df943ea7fe196fbdc7416038c2b5ed9d0335b1559e0c
Instruction Fuzzy Hash: 7E51DC30435746EFD7203B64F6AD16EBBB1FB5F313745AC00A11A90808AB39528AAF60

Uniqueness

Uniqueness Score: -1.00%

Function 05ABB988 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05ABBA0F

Memory Dump Source

Source File: 00000004.00000002.512709311.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5ab0000_HvAnUIF17C.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6df86d0c7bcc33d8065df71eca17dfa1599de2f046b756509069667693df001e
Instruction ID: ccf27e0c996030e0f5761051dd5c66474fbf7f0c672c1479911427ed2a1cce4d
Opcode Fuzzy Hash: 6df86d0c7bcc33d8065df71eca17dfa1599de2f046b756509069667693df001e
Instruction Fuzzy Hash: A421C2B5D00248AFDB10CFAAD984ADEBBF8FB48324F14841AE915A7310D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05ABB981 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05ABBA0F

Memory Dump Source

Source File: 00000004.00000002.512709311.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5ab0000_HvAnUIF17C.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 74b9a28a47bdc567cfb5bf82ade956b60dbd01417ac6633b21fdf9047b0c60d6
Instruction ID: a2e3d44490480e9b2d7c98d842f3de2cfef498623f15f4082262efd6f6cbfba6
Opcode Fuzzy Hash: 74b9a28a47bdc567cfb5bf82ade956b60dbd01417ac6633b21fdf9047b0c60d6
Instruction Fuzzy Hash: E821E0B5D002489FDB10CFA9D984AEEBBF8FB48324F14841AE954B7310D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0184D228 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.510656223.000000000184D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0184D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_184d000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84a94e2cb77ac113e6e84754dd5d54033f109f55882d1ece1e9a122d1cb4a06d
Instruction ID: 8841407c60d897e7a148aff772e5f3c1fa954da5f5a56d454e9c25d649317e26
Opcode Fuzzy Hash: 84a94e2cb77ac113e6e84754dd5d54033f109f55882d1ece1e9a122d1cb4a06d
Instruction Fuzzy Hash: 05214871504248DFCF06CF94D9C0B26BB65FB94328F248669ED058B206C736E916CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0184D404 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.510656223.000000000184D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0184D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_184d000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 735538c041c7a834267379c4b7b675a456e839cabc4e9fe37c474ce0ed31016a
Instruction ID: dfeafe966ccfb432d73b92e803371da90fde5671f82a88aa1efe67990085afdb
Opcode Fuzzy Hash: 735538c041c7a834267379c4b7b675a456e839cabc4e9fe37c474ce0ed31016a
Instruction Fuzzy Hash: BD216771604248DFDB05CF94D9C0F66BF65FBA4328F20C6A9E9098B207C736E946C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0185D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.510688045.000000000185D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0185D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_185d000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cba8bf4c016ed5d3b1331902b43d9662985924c376477e4e109cdbec49318e20
Instruction ID: 34827ebbfa284e9a83ce8ef1b61122677f8742223c2327bd7cb1aee99dbd8850
Opcode Fuzzy Hash: cba8bf4c016ed5d3b1331902b43d9662985924c376477e4e109cdbec49318e20
Instruction Fuzzy Hash: AC212575504204DFDB55CF64D5C4B26BB61FB84368F20CA6DDD098B246C33AD947CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0185D005 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.510688045.000000000185D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0185D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_185d000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee6590cd939d95599f25a81707420b80210f11596532cbe32f9b59cff5b5578
Instruction ID: af02eda0c2ccdcf742415eb037ae5e038b1cade5618b95b71caa51093009a990
Opcode Fuzzy Hash: 4ee6590cd939d95599f25a81707420b80210f11596532cbe32f9b59cff5b5578
Instruction Fuzzy Hash: 9F218E755093808FDB02CF24D990B15BF71EB46314F28C6EADC498B697C33A994ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0184D223 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.510656223.000000000184D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0184D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_184d000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248826f8912ba8bbe6fbbe1c0d6459dbdd0a1cd1aa6958882eedd21e5686885d
Instruction ID: 95190d1d29346589eec8d92e9105cc578ac1485f87d7e3d74647f71fef60acf1
Opcode Fuzzy Hash: 248826f8912ba8bbe6fbbe1c0d6459dbdd0a1cd1aa6958882eedd21e5686885d
Instruction Fuzzy Hash: 3621DF76404284CFCB06CF44D9C0B16BF72FB84320F28C6A9DC044B61AC33AD516CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0184D3FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.510656223.000000000184D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0184D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_184d000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e6e55a4ab5eb979f697d8d29e7311c2f7f882bfa19d016223f37d0021767ff8
Instruction ID: f4ccc46e3d9e393164acafe063cd3b4e16a9e1de48c76a67b39c9d9841bce8ec
Opcode Fuzzy Hash: 2e6e55a4ab5eb979f697d8d29e7311c2f7f882bfa19d016223f37d0021767ff8
Instruction Fuzzy Hash: 7D110372504284CFCB12CF44D5C4B56BF71FB94324F24C6A9D8044B617C33AE556CBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 018A4AA8 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.510771923.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_18a0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae978cce1417f266ee69d432bdabbc6427895a8a5eed5716be64cac2f0747e3
Instruction ID: 4ae711b86d463e89f258997435c16d7cade16c6cdf7a7e8a3d26f7eff1b5b82a
Opcode Fuzzy Hash: 2ae978cce1417f266ee69d432bdabbc6427895a8a5eed5716be64cac2f0747e3
Instruction Fuzzy Hash: AF52CD74A002288FEB64DF69C884BEDBBB2BF89304F1081E9D509A7354DB759E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05FC75F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.513247312.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5fc0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de459c41bd9ca4a1caeef1b83296526489e6e74af449356af372efd9e337d008
Instruction ID: bc87f74bcc1ce4d8355622781f2da574cb6e58b3a61de72d98d97d9390970ec4
Opcode Fuzzy Hash: de459c41bd9ca4a1caeef1b83296526489e6e74af449356af372efd9e337d008
Instruction Fuzzy Hash: D1C1BF74E01218CFEB14DFA5C954BADBBB2FB89304F2080A9D809AB354DB395E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05FC5BE0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.513247312.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5fc0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45a248a49389a8e81fe5996548e0b14735a4abbb67bb544d27e1db84160e4654
Instruction ID: d064350ede5245e97bbdab7445e7fdef8d423ee17a937008f1984f593364ae2f
Opcode Fuzzy Hash: 45a248a49389a8e81fe5996548e0b14735a4abbb67bb544d27e1db84160e4654
Instruction Fuzzy Hash: D2C19074E00219CFDB18DFA5C954BADBBB2FB89304F2081A9D409AB354DB356E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05FC41D0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.513247312.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5fc0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2df9c76e220e340b506d2a13b1e73fcec2c8c0e066bfe0f5c7ac8914a1b34d
Instruction ID: 0a740e171d5e20e460b38e45b10fa292b1b7c5ebedc6d55790cd498c35cbe0ae
Opcode Fuzzy Hash: 2b2df9c76e220e340b506d2a13b1e73fcec2c8c0e066bfe0f5c7ac8914a1b34d
Instruction Fuzzy Hash: ACC19074E00219CFEB14DFA5C958BADBBB2FB89304F2081A9D809AB354DB355E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05FC7198 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.513247312.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5fc0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99b9d13e1506becc4684817e29458a7cdac5bf137e9d7fe1292667eef4608e45
Instruction ID: 0af611a1f06f0149117efe2c99ff8976b2010f94288129306a185132d1efd729
Opcode Fuzzy Hash: 99b9d13e1506becc4684817e29458a7cdac5bf137e9d7fe1292667eef4608e45
Instruction Fuzzy Hash: 51C1A074E01218CFDB14DFA5C954BADBBB2FB89304F2081A9D809AB354DB395E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05FC3D78 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.513247312.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5fc0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a233312db1c6db1ba4f4f0b09fb34c7a7d71f9cadbfd7da99e5e093739a47cc1
Instruction ID: 930bef8694ef21c2435f789f36f9b46441d42b0fa947c6b4d4049881dd41425d
Opcode Fuzzy Hash: a233312db1c6db1ba4f4f0b09fb34c7a7d71f9cadbfd7da99e5e093739a47cc1
Instruction Fuzzy Hash: FBC1A074E00219CFDB14DFA5C958B9DBBB2FB89304F2081A9D809AB354DB355E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05FC6D40 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.513247312.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5fc0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2758ae2b32c4dc44af2764bff7481df38fdbfb8642df9653c590db5327873a4
Instruction ID: 6009e9abd109c6f7133a0ebc11147f58a551a1b25921db6ad6e7686f275cff27
Opcode Fuzzy Hash: a2758ae2b32c4dc44af2764bff7481df38fdbfb8642df9653c590db5327873a4
Instruction Fuzzy Hash: 29C1A074E00219CFDB14DFA5C954BADBBB2FB89304F2080A9D809AB354DB395E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05FC3920 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.513247312.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5fc0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7913cf77a16027ce861ee29a1ac0c868da739da4d9650eaed2ab413c0aa6b8ea
Instruction ID: 87f73715b4fe9bf81866e59aa6d7be4dcc4cc29cd18c08feb532706145270ff6
Opcode Fuzzy Hash: 7913cf77a16027ce861ee29a1ac0c868da739da4d9650eaed2ab413c0aa6b8ea
Instruction Fuzzy Hash: 5DC1A074E00219CFDB18DFA5C954BADBBB2FB89304F2080A9D409AB355DB395E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05FC68E8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.513247312.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5fc0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 858a9a160e1c0ec90a08f8886124192d21bce43f1a6e2323c85a484498a403a2
Instruction ID: 72d9ebd5262a94951aba2f4d7e6ba2d5cc5fc5697a736f96a3c469467d5ed27e
Opcode Fuzzy Hash: 858a9a160e1c0ec90a08f8886124192d21bce43f1a6e2323c85a484498a403a2
Instruction Fuzzy Hash: 75C1A074E04219CFDB14DFA5C954BADBBB2FB89304F2080A9D409AB354DB395E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05FC34C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.513247312.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5fc0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd465ae385796a89e2ad704356d7476b16842d1ded186b63b58193da6bcbefc
Instruction ID: 7e579d44aeb7ffda7273e739cbc697dbe3ec91960518d30a33c7e458ff3a41b2
Opcode Fuzzy Hash: 5fd465ae385796a89e2ad704356d7476b16842d1ded186b63b58193da6bcbefc
Instruction Fuzzy Hash: 0FC19074E04219CFDB14DFA5C954BADBBB2FB89304F2080A9D809AB394DB395E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05FC6490 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.513247312.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5fc0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae9d9076d8e799a6e5a25a1066ca85f5b22f4aade90c6d49ac4d8c6e958b23d
Instruction ID: c3e401b5afc826fdf387b3fcc754fccf9082a00aca5889ee494b7564d19f568d
Opcode Fuzzy Hash: 6ae9d9076d8e799a6e5a25a1066ca85f5b22f4aade90c6d49ac4d8c6e958b23d
Instruction Fuzzy Hash: BAC1AF74E042188FDB18DFA5C954BADBBB2FF89304F2081A9D409AB354DB395E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05FC3070 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.513247312.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5fc0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b24202006bb5bdc8554ea62f35ce90235d20c35476b903ccb5495177c4c28e
Instruction ID: 954595be6d55bf1f0a45182593c1c44e8bb7603d4aa7a0dec1fb47c5b82fea79
Opcode Fuzzy Hash: 33b24202006bb5bdc8554ea62f35ce90235d20c35476b903ccb5495177c4c28e
Instruction Fuzzy Hash: 78C19074E00219CFDB14DFA5D954BADBBB2FB89304F2080A9D809AB354DB395E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05FC6038 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.513247312.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5fc0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c9d26d0848ab45f18291d60dd9236e650c425b7e741136564ad22b05e99b3c8
Instruction ID: 31485d1f8603d1a77ffd60f4b8e7c2853cbf7e1e434b0e1b9e8d78191bb3284c
Opcode Fuzzy Hash: 6c9d26d0848ab45f18291d60dd9236e650c425b7e741136564ad22b05e99b3c8
Instruction Fuzzy Hash: 95C1BF74E042188FDB14DFA5C954BADBBB2FF89304F2080A9D809AB355DB395E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05FCC020 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.513247312.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5fc0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ee6fe8002737dcfb6a9786fc87ae404b2c0d1627be690abdf3ac850e3924636
Instruction ID: 480802370005eab5e6f0d647ab565b2bb88c3ff144305058c87a9e71a3703ae4
Opcode Fuzzy Hash: 8ee6fe8002737dcfb6a9786fc87ae404b2c0d1627be690abdf3ac850e3924636
Instruction Fuzzy Hash: 12B1D578E00218CFDB54DFA9D984A9DBBB2FF89314F1181A9D819AB365DB34AD41CF40

Uniqueness

Uniqueness Score: -1.00%

Function 018A50DB Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.510771923.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_18a0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 987687e2985125003931a026c1d1432245f91d1d2802f8599310b0747ce822eb
Instruction ID: a199f110ca3118014b6588e64a10b01897376d7c7db457ee6823b168da1229ae
Opcode Fuzzy Hash: 987687e2985125003931a026c1d1432245f91d1d2802f8599310b0747ce822eb
Instruction Fuzzy Hash: 6EA1BD74A01228CFEB64DF24C998BD9BBB2BB4A305F5085E9D90DA7350DB719E80CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05FCC00F Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.513247312.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5fc0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7acd780fa3b4f6f365e96a6921082133810cd1f0d85b34232912305dd9c7f7ed
Instruction ID: dc16582e9eccc087b30a246c7570ec169a3574bc5ce32617a4e0dc93112e3546
Opcode Fuzzy Hash: 7acd780fa3b4f6f365e96a6921082133810cd1f0d85b34232912305dd9c7f7ed
Instruction Fuzzy Hash: B651A4B5E006088FDB08CFAAD584A9DBBF2FF89300F158169D819AB365DB349945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 018A52BC Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.510771923.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_18a0000_HvAnUIF17C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63edeebaccafd423b283ff5be4439b29e2bfa173f684db2b8c26eb1e6ffa59bc
Instruction ID: 8a1e7f41611c1be1383eca75b5424ca76abab2714a87152d9d896033008f75c7
Opcode Fuzzy Hash: 63edeebaccafd423b283ff5be4439b29e2bfa173f684db2b8c26eb1e6ffa59bc
Instruction Fuzzy Hash: 5B51BE74A00228CFDB64DF24D998B9AB7B2BB4A305F5085E9D80AA7354DB719E81CF50

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HvAnUIF17C.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HvAnUIF17C.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
HvAnUIF17C.exe

Function 018D9DD0 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Function 018D3DE4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 018D9D70 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 018DA230 Relevance: 1.6, APIs: 1, Instructions: 57
libraryCOMMON

Function 018D99E8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 018D9FB0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 018A5587 Relevance: 2.1, APIs: 1, Instructions: 636
libraryCOMMON

Function 018A83C9 Relevance: 1.8, APIs: 1, Instructions: 277
COMMON

Function 018A6111 Relevance: 1.8, APIs: 1, Instructions: 274
COMMON

Function 05AB0498 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Function 05AB0040 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Function 05AB08F0 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Function 05FCF3E0 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON