
Windows Analysis Report
bh4BVURVUr.exe

Overview

General Information

Sample Name: bh4BVURVUr.exe
Analysis ID: 652392
MD5: 146c170d7ad83ed8302a01081326bcdd
SHA1: c5849331066878e36bbab16b9117b5abe043f1de
SHA256: fe8f94b75b067dfa0fb373ea8c05c4c18dbaec41cf83b2de27a02740ad6f43c2
Tags: exe, SnakeKeylogger

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AntiVM3
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Yara detected Generic Downloader
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • bh4BVURVUr.exe (PID: 6944 cmdline: "C:\Users\user\Desktop\bh4BVURVUr.exe" MD5: 146C170D7AD83ED8302A01081326BCDD)
    • bh4BVURVUr.exe (PID: 6364 cmdline: C:\Users\user\Desktop\bh4BVURVUr.exe MD5: 146C170D7AD83ED8302A01081326BCDD)
  • cleanup
Extracted malware configuration (Snake Keylogger): {"Exfil Mode": "SMTP", "Username": "yugolog@gthltd.buzz", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua", "Port": "yugo@gthltd.buzz"}
Source | Rule | Description | Author | Strings
00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
  • 0x173ac:$x1: $%SMTPDV$
  • 0x173c2:$x2: $#TheHashHere%&
  • 0x1874c:$x3: %FTPDV$
  • 0x18814:$x4: $%TelegramDv$
  • 0x14d0b:$x5: KeyLoggerEventArgs
  • 0x150a1:$x5: KeyLoggerEventArgs
  • 0x187bc:$m1: | Snake Keylogger
  • 0x18874:$m1: | Snake Keylogger
  • 0x189c8:$m1: | Snake Keylogger
  • 0x18aee:$m1: | Snake Keylogger
  • 0x18c48:$m1: | Snake Keylogger
  • 0x18770:$m2: Clipboard Logs ID
  • 0x1897e:$m2: Screenshot Logs ID
  • 0x18a92:$m2: keystroke Logs ID
  • 0x18c7e:$m3: SnakePW
  • 0x18956:$m4: \SnakeKeylogger\
00000006.00000002.712878525.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
Source | Rule | Description | Author | Strings
6.0.bh4BVURVUr.exe.400000.4.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x1b2d2:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1a4bb:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x1a902:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1ba83:$a5: \Kometa\User Data\Default\Login Data
6.0.bh4BVURVUr.exe.400000.4.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
6.0.bh4BVURVUr.exe.400000.4.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
6.0.bh4BVURVUr.exe.400000.4.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
6.0.bh4BVURVUr.exe.400000.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
No Sigma rule has matched
Timestamp: 06/26/22-09:45:10.882218
Source IP: 192.168.2.5
Destination IP: 132.226.8.169
Source Port: 49772
Destination Port: 80
SID: 2842536
Protocol: TCP
Classtype: A Network Trojan was detected

                  AV Detection

Source: bh4BVURVUr.exe | Virustotal: Detection: 34%
Source: bh4BVURVUr.exe | ReversingLabs: Detection: 27%
Source: bh4BVURVUr.exe | Joe Sandbox ML: detected
Source: 6.0.bh4BVURVUr.exe.400000.12.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 6.0.bh4BVURVUr.exe.400000.6.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 6.0.bh4BVURVUr.exe.400000.10.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 6.0.bh4BVURVUr.exe.400000.4.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 6.2.bh4BVURVUr.exe.400000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 6.0.bh4BVURVUr.exe.400000.8.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 6.0.bh4BVURVUr.exe.400000.12.unpack | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "yugolog@gthltd.buzz", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua", "Port": "yugo@gthltd.buzz"}
Source: bh4BVURVUr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: bh4BVURVUr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 4x nop then jmp 014763D1h | 6_2_01476111
Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 4x nop then jmp 01477507h | 6_2_014771DA
Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 4x nop then jmp 01478687h | 6_2_014783C9
Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 4x nop then jmp 0147F539h | 6_2_0147F280
Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 4x nop then jmp 01475F70h | 6_2_01475587
Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 4x nop then jmp 0147EC8Ah | 6_2_0147E758
Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 4x nop then jmp 0147F991h | 6_2_0147F6D8
Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 4x nop then jmp 01476B10h | 6_2_014766F8
Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 4x nop then jmp 01477967h | 6_2_014776A8
Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 4x nop then jmp 01477DC7h | 6_2_01477B08
Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 4x nop then jmp 0147FDE9h | 6_2_0147FB30
Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 4x nop then jmp 01478227h | 6_2_01477F68
Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 4x nop then jmp 0147F0E1h | 6_2_0147EE28
Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 4x nop then jmp 01476B10h | 6_2_014766E8
Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 4x nop then jmp 01476B10h | 6_2_01476A3E
Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 6_2_01474AA8
Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 4x nop then jmp 05610741h | 6_2_05610498
Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 4x nop then jmp 056102E9h | 6_2_05610040
Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 4x nop then jmp 05610B99h | 6_2_056108F0

                  Networking

Source: Traffic | Snort IDS: 2842536 ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.2.5:49772 -> 132.226.8.169:80
Source: C:\Users\user\Desktop\bh4BVURVUr.exe | DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\bh4BVURVUr.exe | DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\bh4BVURVUr.exe | DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\bh4BVURVUr.exe | DNS query: name: checkip.dyndns.org
Source: Yara match | File source: 6.0.bh4BVURVUr.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.bh4BVURVUr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.bh4BVURVUr.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.bh4BVURVUr.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.bh4BVURVUr.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.bh4BVURVUr.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.bh4BVURVUr.exe.4602330.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.bh4BVURVUr.exe.45e2710.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.bh4BVURVUr.exe.457aef0.7.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | ASN Name: UTMEMUS
Source: Joe Sandbox View | IP Address: 132.226.8.169
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: bh4BVURVUr.exe, 00000006.00000002.714415764.00000000030E7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: bh4BVURVUr.exe, 00000006.00000002.714415764.00000000030E7000.00000004.00000800.00020000.00000000.sdmp, bh4BVURVUr.exe, 00000006.00000002.714240616.0000000003041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: bh4BVURVUr.exe, 00000006.00000002.714240616.0000000003041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: bh4BVURVUr.exe, 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp, bh4BVURVUr.exe, 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: bh4BVURVUr.exe, 00000006.00000002.714240616.0000000003041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org4
Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: bh4BVURVUr.exe, 00000006.00000002.714240616.0000000003041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: bh4BVURVUr.exe, 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp, bh4BVURVUr.exe, 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: unknown | DNS traffic detected: queries for: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: bh4BVURVUr.exe, 00000000.00000002.489757382.0000000001400000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                  System Summary

Source: 6.0.bh4BVURVUr.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.0.bh4BVURVUr.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.0.bh4BVURVUr.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 6.2.bh4BVURVUr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.bh4BVURVUr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.bh4BVURVUr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 6.0.bh4BVURVUr.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.0.bh4BVURVUr.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.0.bh4BVURVUr.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 6.0.bh4BVURVUr.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.0.bh4BVURVUr.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.0.bh4BVURVUr.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 6.0.bh4BVURVUr.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.0.bh4BVURVUr.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.0.bh4BVURVUr.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.bh4BVURVUr.exe.45e2710.5.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.bh4BVURVUr.exe.45e2710.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.bh4BVURVUr.exe.45e2710.5.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 6.0.bh4BVURVUr.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.0.bh4BVURVUr.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.0.bh4BVURVUr.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.bh4BVURVUr.exe.4602330.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.bh4BVURVUr.exe.4602330.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.bh4BVURVUr.exe.4602330.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.bh4BVURVUr.exe.45e2710.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.bh4BVURVUr.exe.45e2710.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.bh4BVURVUr.exe.45e2710.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.bh4BVURVUr.exe.4602330.6.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.bh4BVURVUr.exe.4602330.6.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.bh4BVURVUr.exe.4602330.6.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.bh4BVURVUr.exe.457aef0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.bh4BVURVUr.exe.457aef0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.bh4BVURVUr.exe.457aef0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000006.00000002.712878525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000006.00000000.486276914.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000006.00000000.487003315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000006.00000000.487687196.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.491801402.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: bh4BVURVUr.exe PID: 6944, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: bh4BVURVUr.exe PID: 6364, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: bh4BVURVUr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6.0.bh4BVURVUr.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.bh4BVURVUr.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.0.bh4BVURVUr.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 6.2.bh4BVURVUr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.bh4BVURVUr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.bh4BVURVUr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 6.0.bh4BVURVUr.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.bh4BVURVUr.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.0.bh4BVURVUr.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 6.0.bh4BVURVUr.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.bh4BVURVUr.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.0.bh4BVURVUr.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 6.0.bh4BVURVUr.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.bh4BVURVUr.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.0.bh4BVURVUr.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.bh4BVURVUr.exe.45e2710.5.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.bh4BVURVUr.exe.45e2710.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.bh4BVURVUr.exe.45e2710.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 6.0.bh4BVURVUr.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.bh4BVURVUr.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.0.bh4BVURVUr.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.bh4BVURVUr.exe.4602330.6.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.bh4BVURVUr.exe.4602330.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.bh4BVURVUr.exe.4602330.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.bh4BVURVUr.exe.45e2710.5.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.bh4BVURVUr.exe.45e2710.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.bh4BVURVUr.exe.45e2710.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.bh4BVURVUr.exe.4602330.6.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.bh4BVURVUr.exe.4602330.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.bh4BVURVUr.exe.4602330.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.bh4BVURVUr.exe.457aef0.7.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 0.2.bh4BVURVUr.exe.457aef0.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.bh4BVURVUr.exe.457aef0.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000006.00000002.712878525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000006.00000000.486276914.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000006.00000000.487003315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000006.00000000.487687196.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000000.00000002.491801402.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Process Memory Space: bh4BVURVUr.exe PID: 6944, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Process Memory Space: bh4BVURVUr.exe PID: 6364, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 0_2_00D3AC93
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 0_2_00D3B294
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 0_2_00D3AA66
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 0_2_00D3AE66
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 0_2_00D3B066
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 0_2_00D3AB9B
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 0_2_00D3B166
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 0_2_00D3AF66
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_00C3AC93
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_00C3B294
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_00C3AA66
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_00C3AE66
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_00C3B066
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_00C3AB9B
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_00C3B166
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_00C3AF66
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_01476111
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_014771DA
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_014783C9
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_0147F280
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_01475587
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_0147A45A
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_0147E758
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_0147F6D8
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_014776A8
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_01477B08
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_0147FB30
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_01476B88
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_01477F68
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_0147EE28
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_01476B78
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_01474A98
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_01474AA8
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_01472C29
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_0147DFD0
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_0147DFE0
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_05610498
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_05610040
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_05614318
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_05612398
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_05614FB0
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_05614968
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_056129E0
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_056108F0
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_05613678
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_056116F8
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_05613028
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_05611D48
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_05613CC8
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_05610488
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_05610006
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_0561430B
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_05612388
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_05614F9F
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_0561495B
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_056129CF
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_056108E0
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_05613668
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_056116EB
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_05613018
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_05611D38
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_05613CB9
                  Source: bh4BVURVUr.exe | Binary or memory string: OriginalFilename vs bh4BVURVUr.exe
                  Source: bh4BVURVUr.exe, 00000000.00000002.495479175.00000000076F0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTweenEngineAPI.dllD vs bh4BVURVUr.exe
                  Source: bh4BVURVUr.exe, 00000000.00000002.490396689.0000000003121000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs bh4BVURVUr.exe
                  Source: bh4BVURVUr.exe, 00000000.00000002.495425295.00000000076D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNativeVariant.dll" vs bh4BVURVUr.exe
                  Source: bh4BVURVUr.exe, 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs bh4BVURVUr.exe
                  Source: bh4BVURVUr.exe, 00000000.00000002.489757382.0000000001400000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs bh4BVURVUr.exe
                  Source: bh4BVURVUr.exe, 00000000.00000002.489290455.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSafeFileHan.exeF vs bh4BVURVUr.exe
                  Source: bh4BVURVUr.exe, 00000006.00000002.713389170.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSafeFileHan.exeF vs bh4BVURVUr.exe
                  Source: bh4BVURVUr.exe, 00000006.00000002.712942536.0000000000422000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs bh4BVURVUr.exe
                  Source: bh4BVURVUr.exe, 00000006.00000002.713498414.00000000010F7000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs bh4BVURVUr.exe
                  Source: bh4BVURVUr.exe | Binary or memory string: OriginalFilenameSafeFileHan.exeF vs bh4BVURVUr.exe
                  Source: bh4BVURVUr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: bh4BVURVUr.exe | Virustotal: Detection: 34%
                  Source: bh4BVURVUr.exe | ReversingLabs: Detection: 27%
                  Source: bh4BVURVUr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknown | Process created: C:\Users\user\Desktop\bh4BVURVUr.exe "C:\Users\user\Desktop\bh4BVURVUr.exe"
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Process created: C:\Users\user\Desktop\bh4BVURVUr.exe C:\Users\user\Desktop\bh4BVURVUr.exe
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bh4BVURVUr.exe.log
                  Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
                  Source: bh4BVURVUr.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: bh4BVURVUr.exe | String found in binary or memory: $33fe5c32-db6a-4d7a-addc-e1d0d8588fa9
                  Source: bh4BVURVUr.exe, CIS443Homework1___InterfaceFiles/Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 0.0.bh4BVURVUr.exe.d30000.0.unpack, CIS443Homework1___InterfaceFiles/Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 0.2.bh4BVURVUr.exe.d30000.0.unpack, CIS443Homework1___InterfaceFiles/Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 6.0.bh4BVURVUr.exe.c30000.11.unpack, CIS443Homework1___InterfaceFiles/Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 6.0.bh4BVURVUr.exe.c30000.2.unpack, CIS443Homework1___InterfaceFiles/Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 6.0.bh4BVURVUr.exe.400000.12.unpack, udbb0udc9a???/ufffdR?ufffd?.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: bh4BVURVUr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: bh4BVURVUr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Data Obfuscation

                  Source: bh4BVURVUr.exe, CIS443Homework1___InterfaceFiles/Form1.cs | .Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 0.0.bh4BVURVUr.exe.d30000.0.unpack, CIS443Homework1___InterfaceFiles/Form1.cs | .Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 0.2.bh4BVURVUr.exe.d30000.0.unpack, CIS443Homework1___InterfaceFiles/Form1.cs | .Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 6.0.bh4BVURVUr.exe.c30000.11.unpack, CIS443Homework1___InterfaceFiles/Form1.cs | .Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 6.0.bh4BVURVUr.exe.c30000.2.unpack, CIS443Homework1___InterfaceFiles/Form1.cs | .Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 6.2.bh4BVURVUr.exe.c30000.1.unpack, CIS443Homework1___InterfaceFiles/Form1.cs | .Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 6.0.bh4BVURVUr.exe.c30000.13.unpack, CIS443Homework1___InterfaceFiles/Form1.cs | .Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 6.0.bh4BVURVUr.exe.c30000.3.unpack, CIS443Homework1___InterfaceFiles/Form1.cs | .Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 6.0.bh4BVURVUr.exe.c30000.5.unpack, CIS443Homework1___InterfaceFiles/Form1.cs | .Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 6.0.bh4BVURVUr.exe.c30000.1.unpack, CIS443Homework1___InterfaceFiles/Form1.cs | .Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 6.0.bh4BVURVUr.exe.c30000.0.unpack, CIS443Homework1___InterfaceFiles/Form1.cs | .Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: initial sample | Static PE information: section name: .text entropy: 7.932077624932354
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match | File source: 00000000.00000002.490396689.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: bh4BVURVUr.exe PID: 6944, type: MEMORYSTR
                  Source: bh4BVURVUr.exe, 00000000.00000002.490396689.0000000003121000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                  Source: bh4BVURVUr.exe, 00000000.00000002.490396689.0000000003121000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe TID: 7052 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Process information queried: ProcessInformation
                  Source: bh4BVURVUr.exe, 00000000.00000002.490396689.0000000003121000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: bh4BVURVUr.exe, 00000000.00000002.490396689.0000000003121000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                  Source: bh4BVURVUr.exe, 00000000.00000002.490396689.0000000003121000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                  Source: bh4BVURVUr.exe, 00000000.00000002.490396689.0000000003121000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Code function: 6_2_01475587 LdrInitializeThunk
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

Source: 6.0.bh4BVURVUr.exe.400000.12.unpack, ?ufffdufffd??/?u07fbufffdu0040?.cs	Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 6.0.bh4BVURVUr.exe.400000.12.unpack, W?ufffd??/ufffd?ufffd??.cs	Reference to suspicious API methods: ('?@???', 'LoadLibrary@kernel32.dll'), ('?W???', 'GetProcAddress@kernel32')
Source: 6.0.bh4BVURVUr.exe.400000.6.unpack, ?ufffdufffd??/?u07fbufffdu0040?.cs	Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 6.0.bh4BVURVUr.exe.400000.6.unpack, W?ufffd??/ufffd?ufffd??.cs	Reference to suspicious API methods: ('?@???', 'LoadLibrary@kernel32.dll'), ('?W???', 'GetProcAddress@kernel32')
Source: 6.0.bh4BVURVUr.exe.400000.10.unpack, ?ufffdufffd??/?u07fbufffdu0040?.cs	Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 6.0.bh4BVURVUr.exe.400000.10.unpack, W?ufffd??/ufffd?ufffd??.cs	Reference to suspicious API methods: ('?@???', 'LoadLibrary@kernel32.dll'), ('?W???', 'GetProcAddress@kernel32')
Source: 6.0.bh4BVURVUr.exe.400000.4.unpack, ?ufffdufffd??/?u07fbufffdu0040?.cs	Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 6.0.bh4BVURVUr.exe.400000.4.unpack, W?ufffd??/ufffd?ufffd??.cs	Reference to suspicious API methods: ('?@???', 'LoadLibrary@kernel32.dll'), ('?W???', 'GetProcAddress@kernel32')
Source: 6.2.bh4BVURVUr.exe.400000.0.unpack, ?ufffdufffd??/?u07fbufffdu0040?.cs	Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 6.2.bh4BVURVUr.exe.400000.0.unpack, W?ufffd??/ufffd?ufffd??.cs	Reference to suspicious API methods: ('?@???', 'LoadLibrary@kernel32.dll'), ('?W???', 'GetProcAddress@kernel32')
Source: 6.0.bh4BVURVUr.exe.400000.8.unpack, ?ufffdufffd??/?u07fbufffdu0040?.cs	Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 6.0.bh4BVURVUr.exe.400000.8.unpack, W?ufffd??/ufffd?ufffd??.cs	Reference to suspicious API methods: ('?@???', 'LoadLibrary@kernel32.dll'), ('?W???', 'GetProcAddress@kernel32')
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Memory written: C:\Users\user\Desktop\bh4BVURVUr.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Process created: C:\Users\user\Desktop\bh4BVURVUr.exe C:\Users\user\Desktop\bh4BVURVUr.exe
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Users\user\Desktop\bh4BVURVUr.exe VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\bh4BVURVUr.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Users\user\Desktop\bh4BVURVUr.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 6.0.bh4BVURVUr.exe.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.bh4BVURVUr.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.0.bh4BVURVUr.exe.400000.10.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.0.bh4BVURVUr.exe.400000.12.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.0.bh4BVURVUr.exe.400000.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.bh4BVURVUr.exe.45e2710.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.0.bh4BVURVUr.exe.400000.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.bh4BVURVUr.exe.4602330.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.bh4BVURVUr.exe.45e2710.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.bh4BVURVUr.exe.4602330.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.bh4BVURVUr.exe.457aef0.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.712878525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000000.486276914.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000000.487003315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000000.487687196.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.491801402.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 6.0.bh4BVURVUr.exe.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.bh4BVURVUr.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.0.bh4BVURVUr.exe.400000.10.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.0.bh4BVURVUr.exe.400000.12.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.0.bh4BVURVUr.exe.400000.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.bh4BVURVUr.exe.45e2710.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.0.bh4BVURVUr.exe.400000.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.bh4BVURVUr.exe.4602330.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.bh4BVURVUr.exe.45e2710.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.bh4BVURVUr.exe.4602330.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.bh4BVURVUr.exe.457aef0.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.712878525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000000.486276914.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000000.487003315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000000.487687196.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.491801402.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: bh4BVURVUr.exe PID: 6944, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: bh4BVURVUr.exe PID: 6364, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                  Source: C:\Users\user\Desktop\bh4BVURVUr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: Yara match | File source: 6.0.bh4BVURVUr.exe.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.bh4BVURVUr.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.0.bh4BVURVUr.exe.400000.10.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.0.bh4BVURVUr.exe.400000.12.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.0.bh4BVURVUr.exe.400000.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.bh4BVURVUr.exe.45e2710.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.0.bh4BVURVUr.exe.400000.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.bh4BVURVUr.exe.4602330.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.bh4BVURVUr.exe.45e2710.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.bh4BVURVUr.exe.4602330.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.bh4BVURVUr.exe.457aef0.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.712878525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000000.486276914.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000000.487003315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000000.487687196.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.491801402.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: bh4BVURVUr.exe PID: 6944, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: bh4BVURVUr.exe PID: 6364, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.2.bh4BVURVUr.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.10.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.12.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.45e2710.5.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.bh4BVURVUr.exe.400000.8.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.4602330.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.45e2710.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.4602330.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bh4BVURVUr.exe.457aef0.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.712878525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000000.486276914.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000000.487003315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000000.487687196.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.491801402.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: bh4BVURVUr.exe PID: 6944, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: bh4BVURVUr.exe PID: 6364, type: MEMORYSTR
ATT&CK matrix, techniques listed by tactic (the number in parentheses is the count shown next to a technique in the report; techniques without a number carry no count):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Command and Scripting Interpreter (2); Native API (1); At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection (111); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (21); Process Injection (111); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (13)
Credential Access: OS Credential Dumping (2); Input Capture (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (11); Process Discovery (1); Virtualization/Sandbox Evasion (21); Remote System Discovery (1); System Network Configuration Discovery (1); System Information Discovery (13); Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Email Collection (1); Input Capture (1); Archive Collected Data (11); Data from Local System (2); Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

Source | Detection | Scanner | Label | Link
bh4BVURVUr.exe | 34% | Virustotal | | Browse
bh4BVURVUr.exe | 28% | ReversingLabs | ByteCode-MSIL.Spyware.SnakeLogger |
bh4BVURVUr.exe | 100% | Joe Sandbox ML | |

No Antivirus matches

Source | Detection | Scanner | Label | Link | Download
6.0.bh4BVURVUr.exe.400000.12.unpack | 100% | Avira | TR/ATRAPS.Gen | | Download File
6.0.bh4BVURVUr.exe.400000.6.unpack | 100% | Avira | TR/ATRAPS.Gen | | Download File
6.0.bh4BVURVUr.exe.400000.10.unpack | 100% | Avira | TR/ATRAPS.Gen | | Download File
6.0.bh4BVURVUr.exe.400000.4.unpack | 100% | Avira | TR/ATRAPS.Gen | | Download File
6.2.bh4BVURVUr.exe.400000.0.unpack | 100% | Avira | TR/ATRAPS.Gen | | Download File
6.0.bh4BVURVUr.exe.400000.8.unpack | 100% | Avira | TR/ATRAPS.Gen | | Download File

Source | Detection | Scanner | Label | Link
checkip.dyndns.com | 0% | Virustotal | | Browse
checkip.dyndns.org | 0% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://checkip.dyndns.org | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://checkip.dyndns.org4 | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://checkip.dyndns.org/ | 0% | URL Reputation | safe |
http://checkip.dyndns.org/q | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://checkip.dyndns.com | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
checkip.dyndns.com | 132.226.8.169 | true | true | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | true | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot | bh4BVURVUr.exe, 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp; bh4BVURVUr.exe, 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org | bh4BVURVUr.exe, 00000006.00000002.714415764.00000000030E7000.00000004.00000800.00020000.00000000.sdmp; bh4BVURVUr.exe, 00000006.00000002.714240616.0000000003041000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org4 | bh4BVURVUr.exe, 00000006.00000002.714240616.0000000003041000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | bh4BVURVUr.exe, 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp; bh4BVURVUr.exe, 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.com | bh4BVURVUr.exe, 00000006.00000002.714415764.00000000030E7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | bh4BVURVUr.exe, 00000006.00000002.714240616.0000000003041000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | bh4BVURVUr.exe, 00000000.00000002.494970792.0000000007282000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
132.226.8.169 | checkip.dyndns.com | United States | 16989 | UTMEMUS | true

IP: 192.168.2.1
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 652392
Start date and time: 2022-06-26 09:43:25 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 26s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: bh4BVURVUr.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:
• Successful, ratio: 50%
HDC Information:
• Successful, ratio: 3.7% (good quality ratio 1.8%)
• Quality average: 30.2%
• Quality standard deviation: 38.2%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 24
• Number of non-executed functions: 9
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, licensing.mp.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
• Execution Graph export aborted for target bh4BVURVUr.exe, PID 6944 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information
• Report size getting too big, too many NtAllocateVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
Time | Type | Description
09:45:01 | API Interceptor | 1x Sleep call for process: bh4BVURVUr.exe modified
Match: 132.226.8.169. Associated samples seen in other analyses, all detected as malicious, each with context checkip.dyndns.org/:
• fleW7NKwt9.exe
• t40mINaB76.exe
• MV CHINALAND.exe
• Docume001.exe
• Signed_PO_003485940.exe
• Qlo3Xd8Xt4.exe
• 09009876543456789000000.exe
• Ouicbvpfj.exe
• SecuriteInfo.com.W32.AIDetectNet.01.12429.exe
• INVOICE AND UPDATTED S O A.exe
• CTDTOMycoF.exe
• PO_28001.exe
• SecuriteInfo.com.W32.AIDetectNet.01.10057.exe
• PO 326217 326214.exe
• uc2RxH8hO7.exe
• mltzDybf15.exe
• Atpeixzs.exe
• spetsifikatsioon.exe
• 85rc53QGiJ.exe
• CHIOS LUCK.exe
Match: checkip.dyndns.com. Associated samples seen in other analyses, all detected as malicious, with the IP given as context for each:
• fleW7NKwt9.exe: 132.226.8.169
• HvAnUIF17C.exe: 193.122.130.0
• fao37nt7gY.exe: 132.226.247.73
• t40mINaB76.exe: 132.226.8.169
• oAE7nqtsNA.exe: 193.122.130.0
• 0OZQi3b0tM.exe: 193.122.130.0
• ZzO0LX45zz.exe: 193.122.130.0
• FNK08uYGy6.exe: 193.122.130.0
• MV CHINALAND.exe: 158.101.44.242
• Import shipment.exe: 132.226.247.73
• MV SEA EVERGOLD.exe: 193.122.130.0
• 4vQAHpapFz.exe: 193.122.130.0
• SecuriteInfo.com.IL.Trojan.MSILZilla.16190.26221.exe: 193.122.6.168
• gD5LFrPtfc.exe: 132.226.247.73
• aercUUUX2C.exe: 193.122.130.0
• vSgQo7dqYG.exe: 158.101.44.242
• MV CHINALAND.exe: 132.226.8.169
• 22017_TIEM2 - RFQ.exe: 158.101.44.242
• CUSTOMER REQUEST.exe: 193.122.130.0
• Import shipment.exe: 193.122.130.0
Match: UTMEMUS (ASN). Associated samples seen in other analyses, all detected as malicious, with the IP given as context for each:
• fleW7NKwt9.exe: 132.226.8.169
• fao37nt7gY.exe: 132.226.247.73
• t40mINaB76.exe: 132.226.8.169
• Import shipment.exe: 132.226.247.73
• gD5LFrPtfc.exe: 132.226.247.73
• MV CHINALAND.exe: 132.226.8.169
• MV SEA EVERGOLD.exe: 132.226.247.73
• Docume001.exe: 132.226.8.169
• MV SEA EVERGOLD.exe: 132.226.247.73
• m5s2c7eaZv.exe: 132.226.247.73
• F96UcEk8Z9.exe: 132.226.247.73
• Signed_PO_003485940.exe: 132.226.8.169
• Qlo3Xd8Xt4.exe: 132.226.8.169
• 09009876543456789000000.exe: 132.226.8.169
• Payment Copy.exe: 132.226.247.73
• PO_28001.exe: 132.226.247.73
• Payment Copy.exe: 132.226.247.73
• Ouicbvpfj.exe: 132.226.247.73
• Shipping Documents.exe: 132.226.247.73
• SecuriteInfo.com.W32.AIDetectNet.01.12429.exe: 132.226.8.169
                                          No context
                                          No context
                                          Process:C:\Users\user\Desktop\bh4BVURVUr.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.355304211458859
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                          MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                          SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                          SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                          SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                          Malicious:true
                                          Reputation:high, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.9268931202438395
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:bh4BVURVUr.exe
                                          File size:784384
                                          MD5:146c170d7ad83ed8302a01081326bcdd
                                          SHA1:c5849331066878e36bbab16b9117b5abe043f1de
                                          SHA256:fe8f94b75b067dfa0fb373ea8c05c4c18dbaec41cf83b2de27a02740ad6f43c2
                                          SHA512:bee1aff05e0023060f96e7be988a717060af6c81bb301f8b58271855fd7fca60dd80e7a86a9c93fd67a422319dc0cbe48991cc651c99683266e4f7f2a57f8dcc
                                          SSDEEP:12288:PEH2iN1kPRxliW1hzMCuQaW9pXajhYQXzlRWtw7prlmUaO1wtqrU+iEp9esIUTat:o13kPRrhhzNVaGNajhTXRmgr5wtq/XzF
                                          TLSH:FAF412C5E3A45EDAC58383F51CACD5042666F38E45BCC21178BA759FD4723E291A3E0B
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:..b..............0.................. ... ....@.. .......................`............@................................
                                          Icon Hash:00828e8e8686b000
                                          Entrypoint:0x4c0ede
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x62B71B3A [Sat Jun 25 14:27:06 2022 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Instruction
                                          jmp dword ptr [00402000h]
                                          dec eax
                                          push edx
                                          dec eax
                                          inc ecx
                                          xor eax, 45373434h
                                          cmp byte ptr [3534564Eh], dh
                                          xor eax, 4F373751h
                                          push esp
                                          inc ecx
                                          add byte ptr [eax], al
                                           Name | Virtual Address | Virtual Size | Is in Section
                                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc0e8c | 0x4f | .text
                                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc2000 | 0x3a8 | .rsrc
                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc4000 | 0xc | .reloc
                                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                           Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                           .text | 0x2000 | 0xbeefc | 0xbf000 | False | 0.9247612279123036 | data | 7.932077624932354 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                           .rsrc | 0xc2000 | 0x3a8 | 0x400 | False | 0.3759765625 | data | 2.9336148862162847 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                           .reloc | 0xc4000 | 0xc | 0x200 | False | 0.041015625 | data | 0.07763316234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                           Name | RVA | Size | Type | Language | Country
                                           RT_VERSION | 0xc2058 | 0x34c | data | |
                                           DLL | Import
                                           mscoree.dll | _CorExeMain
                                           Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                           06/26/22-09:45:10.882218 | TCP | 2842536 | ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check | 49772 | 80 | 192.168.2.5 | 132.226.8.169
                                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                           Jun 26, 2022 09:45:10.612282991 CEST | 49772 | 80 | 192.168.2.5 | 132.226.8.169
                                           Jun 26, 2022 09:45:10.881300926 CEST | 80 | 49772 | 132.226.8.169 | 192.168.2.5
                                           Jun 26, 2022 09:45:10.881459951 CEST | 49772 | 80 | 192.168.2.5 | 132.226.8.169
                                           Jun 26, 2022 09:45:10.882217884 CEST | 49772 | 80 | 192.168.2.5 | 132.226.8.169
                                           Jun 26, 2022 09:45:11.146639109 CEST | 80 | 49772 | 132.226.8.169 | 192.168.2.5
                                           Jun 26, 2022 09:45:12.152662039 CEST | 80 | 49772 | 132.226.8.169 | 192.168.2.5
                                           Jun 26, 2022 09:45:12.286751032 CEST | 49772 | 80 | 192.168.2.5 | 132.226.8.169
                                           Jun 26, 2022 09:46:17.151365995 CEST | 80 | 49772 | 132.226.8.169 | 192.168.2.5
                                           Jun 26, 2022 09:46:17.151546001 CEST | 49772 | 80 | 192.168.2.5 | 132.226.8.169
                                           Jun 26, 2022 09:46:52.177752018 CEST | 49772 | 80 | 192.168.2.5 | 132.226.8.169
                                           Jun 26, 2022 09:46:52.442231894 CEST | 80 | 49772 | 132.226.8.169 | 192.168.2.5
                                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                           Jun 26, 2022 09:45:10.522610903 CEST | 53934 | 53 | 192.168.2.5 | 8.8.8.8
                                           Jun 26, 2022 09:45:10.541312933 CEST | 53 | 53934 | 8.8.8.8 | 192.168.2.5
                                           Jun 26, 2022 09:45:10.566931963 CEST | 63712 | 53 | 192.168.2.5 | 8.8.8.8
                                           Jun 26, 2022 09:45:10.583794117 CEST | 53 | 63712 | 8.8.8.8 | 192.168.2.5
                                           Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                           Jun 26, 2022 09:45:10.522610903 CEST | 192.168.2.5 | 8.8.8.8 | 0xac43 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
                                           Jun 26, 2022 09:45:10.566931963 CEST | 192.168.2.5 | 8.8.8.8 | 0x6219 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
                                           Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                           Jun 26, 2022 09:45:10.541312933 CEST | 8.8.8.8 | 192.168.2.5 | 0xac43 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001)
                                           Jun 26, 2022 09:45:10.541312933 CEST | 8.8.8.8 | 192.168.2.5 | 0xac43 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001)
                                           Jun 26, 2022 09:45:10.541312933 CEST | 8.8.8.8 | 192.168.2.5 | 0xac43 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001)
                                           Jun 26, 2022 09:45:10.541312933 CEST | 8.8.8.8 | 192.168.2.5 | 0xac43 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001)
                                           Jun 26, 2022 09:45:10.541312933 CEST | 8.8.8.8 | 192.168.2.5 | 0xac43 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001)
                                           Jun 26, 2022 09:45:10.541312933 CEST | 8.8.8.8 | 192.168.2.5 | 0xac43 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001)
                                           Jun 26, 2022 09:45:10.583794117 CEST | 8.8.8.8 | 192.168.2.5 | 0x6219 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001)
                                           Jun 26, 2022 09:45:10.583794117 CEST | 8.8.8.8 | 192.168.2.5 | 0x6219 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001)
                                           Jun 26, 2022 09:45:10.583794117 CEST | 8.8.8.8 | 192.168.2.5 | 0x6219 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001)
                                           Jun 26, 2022 09:45:10.583794117 CEST | 8.8.8.8 | 192.168.2.5 | 0x6219 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001)
                                           Jun 26, 2022 09:45:10.583794117 CEST | 8.8.8.8 | 192.168.2.5 | 0x6219 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001)
                                           Jun 26, 2022 09:45:10.583794117 CEST | 8.8.8.8 | 192.168.2.5 | 0x6219 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001)
                                          • checkip.dyndns.org
                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                           0 | 192.168.2.5 | 49772 | 132.226.8.169 | 80 | C:\Users\user\Desktop\bh4BVURVUr.exe
                                           Timestamp | kBytes transferred | Direction | Data
                                           Jun 26, 2022 09:45:10.882217884 CEST | 1166 | OUT | GET / HTTP/1.1
                                           User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                           Host: checkip.dyndns.org
                                           Connection: Keep-Alive
                                           Jun 26, 2022 09:45:12.152662039 CEST | 1167 | IN | HTTP/1.1 200 OK
                                          Date: Sun, 26 Jun 2022 07:45:11 GMT
                                          Content-Type: text/html
                                          Content-Length: 106
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 34 33 2e 36 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.143.61</body></html>



                                          Target ID:0
                                          Start time:09:44:42
                                          Start date:26/06/2022
                                          Path:C:\Users\user\Desktop\bh4BVURVUr.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\bh4BVURVUr.exe"
                                          Imagebase:0xd30000
                                          File size:784384 bytes
                                          MD5 hash:146C170D7AD83ED8302A01081326BCDD
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.490396689.0000000003121000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.493615011.000000000457A000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.491801402.0000000004129000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.491801402.0000000004129000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.491801402.0000000004129000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.491801402.0000000004129000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                          Reputation:low

                                          Target ID:6
                                          Start time:09:45:02
                                          Start date:26/06/2022
                                          Path:C:\Users\user\Desktop\bh4BVURVUr.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\Desktop\bh4BVURVUr.exe
                                          Imagebase:0xc30000
                                          File size:784384 bytes
                                          MD5 hash:146C170D7AD83ED8302A01081326BCDD
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000006.00000000.485021040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.712878525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.712878525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.712878525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000006.00000002.712878525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000000.486276914.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000000.486276914.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000000.486276914.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000006.00000000.486276914.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000000.487003315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000000.487003315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000000.487003315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000006.00000000.487003315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000000.487687196.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000000.487687196.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000000.487687196.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000006.00000000.487687196.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                          Reputation:low

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.489100198.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                             • Associated: 00000000.00000002.489087926.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.489290455.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_d30000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ce78df237b3a8992cdbcbd0fa366bb7fd97de0b5cbbffafc5ff72cc84acf6f12
                                            • Instruction ID: d54f84a6f27930272f13ef99fcf7d514fab1f93d48c6fb264ee97dc06a444767
                                            • Opcode Fuzzy Hash: ce78df237b3a8992cdbcbd0fa366bb7fd97de0b5cbbffafc5ff72cc84acf6f12
                                            • Instruction Fuzzy Hash: 2301DA7B25106E2D23161D2B9C0ADEB771FF3D6636319436EA464C7541CE21982A46F1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.489100198.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                             • Associated: 00000000.00000002.489087926.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.489290455.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_d30000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.489100198.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                            • Associated: 00000000.00000002.489087926.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.489290455.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_d30000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.489100198.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                            • Associated: 00000000.00000002.489087926.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.489290455.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_d30000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.489100198.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                            • Associated: 00000000.00000002.489087926.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.489290455.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_d30000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.489100198.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                            • Associated: 00000000.00000002.489087926.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.489290455.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_d30000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.489100198.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                            • Associated: 00000000.00000002.489087926.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.489290455.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_d30000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.489100198.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                            • Associated: 00000000.00000002.489087926.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.489290455.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_d30000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Execution Graph

                                            Execution Coverage:12.4%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:35.9%
                                            Total number of Nodes:39
                                            Total number of Limit Nodes:1

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.713992017.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_1470000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 014761EC
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.713992017.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_1470000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 0147855B
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.713992017.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_1470000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05610563
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.715119432.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_5610000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 0561010B
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.715119432.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_5610000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 056109BB
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.715119432.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_5610000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.713992017.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_1470000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: D03m
                                            • API String ID: 0-3593571635
                                            • Opcode ID: cc903502283acac8afd0d724466d71e92a05f200b506da930f5d6796c5798510
                                            • Instruction ID: cdc2b25475855e14a03253fadfa32c4b9a6c8ad07a2cad2abf3caeb0dbb6b8e5
                                            • Opcode Fuzzy Hash: cc903502283acac8afd0d724466d71e92a05f200b506da930f5d6796c5798510
                                            • Instruction Fuzzy Hash: CC123574E012188FDB14DFA5C9547EEBBB2EF89304F2085AAC409BB3A5DB359D81CB51
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Control-flow Graph
                                            • Rendered as an image in the original report (executed/not-executed colouring and node list omitted): function at 05610006, basic blocks 05610006-05610474, with a call to KiUserExceptionDispatcher in the block 05610085-05610114.
                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 0561010B
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.715119432.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_5610000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: d4ba4e4f97ed685a9e4e81744321bde1a957b3c973f54079854ce0d77a493cfb
                                            • Instruction ID: 7d56319afe13f10e99f0e8caec8b59f9d57d1156ca554f09583034bee7bd454f
                                            • Opcode Fuzzy Hash: d4ba4e4f97ed685a9e4e81744321bde1a957b3c973f54079854ce0d77a493cfb
                                            • Instruction Fuzzy Hash: A9410670D052888FDB15CFB6C8547EEBBB2AF8A304F29C17AC404AB255DB395946CF54
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 056109BB
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.715119432.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_5610000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 58f274e7bef928793a97a4ebced9a78de90211a03e2e8baecf1061c79898fc1d
                                            • Instruction ID: eef813d83db210b25cdf70caf39141112757775e5f254c1ef421e424f1bebfa0
                                            • Opcode Fuzzy Hash: 58f274e7bef928793a97a4ebced9a78de90211a03e2e8baecf1061c79898fc1d
                                            • Instruction Fuzzy Hash: 4341E370E012088BEB18DFAAD8546EEBBF6FF88304F24C12AC819BB254DB345945CF54
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 05610563
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.715119432.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_5610000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 72be37a0f85372777c0a3d08b81dc644a36b722e68304bb5c3cd810c9eb7f1e7
                                            • Instruction ID: ee21f26d9b7147a6a9aec1d2cd5a9ec9c50811c978cc376920cb1a047b6178fc
                                            • Opcode Fuzzy Hash: 72be37a0f85372777c0a3d08b81dc644a36b722e68304bb5c3cd810c9eb7f1e7
                                            • Instruction Fuzzy Hash: 1041B370E05248CBEF58DFA6D9546EEBBB6BF89300F24C12AC818BB254DB345946CF54
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000006.00000002.713992017.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_1470000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7865d2591bd758d74161cc93081a304bf79efec68641ddb6732e968da94ed1dc
                                            • Instruction ID: b2bd8a28cb74c0de2ead7617889ba1c73d3237b81a218cc00929e7af9266a0bb
                                            • Opcode Fuzzy Hash: 7865d2591bd758d74161cc93081a304bf79efec68641ddb6732e968da94ed1dc
                                            • Instruction Fuzzy Hash: 80E1C174E012188FDB54DFA5C994BADBBB2FF89305F1080AAD449A7355DB389D82CF50
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000006.00000002.713992017.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_1470000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 759101d67250008df7d53e4b815563ae872b8c746870b1b57c2e5a87bc6838bb
                                            • Instruction ID: 472d0b550ef1da8c2c7e688c089ecddd8ca016fc56191fca4c8fb9e8fdb98dcc
                                            • Opcode Fuzzy Hash: 759101d67250008df7d53e4b815563ae872b8c746870b1b57c2e5a87bc6838bb
                                            • Instruction Fuzzy Hash: 48C1A078E012188FDB14DFA5C954BADBBB2FB89304F6080AAD819AB354DB395D85CF50
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000006.00000002.713992017.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_1470000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bbe1680333c4dca91c418e66cfc07369bcf77f18bf99a0dab6aa7020d21213aa
                                            • Instruction ID: 5a7dc5e289639998c747f9fe0e0bc1ff25ce3a1f1458d8cab2d316e47f7171db
                                            • Opcode Fuzzy Hash: bbe1680333c4dca91c418e66cfc07369bcf77f18bf99a0dab6aa7020d21213aa
                                            • Instruction Fuzzy Hash: 74D1A178E01218CFDB14DFA5D994BADBBB2FB89305F2080AAD809A7355DB385D81CF10
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000006.00000002.713992017.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_1470000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4e1726a564062a75bf7b0673b7ab4a853565b9eae5ebe4a10a3cad938d0ec77e
                                            • Instruction ID: 259e6f442a7ab683ea24e552f30069bf9d21ba1a81d0a4bfacc830739c4fbfdb
                                            • Opcode Fuzzy Hash: 4e1726a564062a75bf7b0673b7ab4a853565b9eae5ebe4a10a3cad938d0ec77e
                                            • Instruction Fuzzy Hash: 59C19178E012188FDB14DFA5C954B9DBBB2FF89304F6080A9D819AB355DB355D85CF10
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000006.00000002.713992017.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_1470000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8ae29393d5eab5bfd1a7622d50a401b4e4d5bb14ca640e3e33b1807369c2b901
                                            • Instruction ID: 93911b52146ae9bd3c3e4ac6ed99c47a78b47a94f0c80d790ea3125018c37865
                                            • Opcode Fuzzy Hash: 8ae29393d5eab5bfd1a7622d50a401b4e4d5bb14ca640e3e33b1807369c2b901
                                            • Instruction Fuzzy Hash: B2D19178E01218CFDB14DFA5D954B9DBBB2FB89304F2081AAD809AB354DB399D85CF10
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000006.00000002.713992017.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_1470000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 75b75dccfaf8e6c6257338f5f147c6dbd16576f02248358d0546bb7668eb9db2
                                            • Instruction ID: b8a69af1abf1b6ce730152886af3439db92fc10e9c6e7ebaabe4093e00184dd4
                                            • Opcode Fuzzy Hash: 75b75dccfaf8e6c6257338f5f147c6dbd16576f02248358d0546bb7668eb9db2
                                            • Instruction Fuzzy Hash: C1C19078E012188FDB14DFA5C994B9DBBB2FB89304F6080AAD809BB355DB355E85CF10
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000006.00000002.713992017.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_1470000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7fe4f0860b5ed1f8bf0216bd4ab1212dd5f923b5ac9350e073a5f4d34623dc7f
                                            • Instruction ID: 228a6f7df914de304f71029aacf4a2a88dcba9a672024a72092613d1de08a25a
                                            • Opcode Fuzzy Hash: 7fe4f0860b5ed1f8bf0216bd4ab1212dd5f923b5ac9350e073a5f4d34623dc7f
                                            • Instruction Fuzzy Hash: 6EC19F78E01218CFDB14DFA5C954BADBBB2FB89304F6080AAD819AB355DB355E85CF10
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000006.00000002.713992017.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_1470000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fb50d8315007f70f3ae7407ece8d4b3d94869ef00818b65c94e27bd63ad42534
                                            • Instruction ID: ba072ef2614308a73c40ee65fbe0eab3f97b6e6386d76118940a9acbb447b51a
                                            • Opcode Fuzzy Hash: fb50d8315007f70f3ae7407ece8d4b3d94869ef00818b65c94e27bd63ad42534
                                            • Instruction Fuzzy Hash: 4DC19278E01218CFEB14DFA5D944B9DBBB2FB89305F5081AAD809A7354DB385E85CF10
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000006.00000002.713992017.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_1470000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 698238bea43c18e6304d630c2a114a9e67335a4b13e347f6c396facd2eb9c0f5
                                            • Instruction ID: 82c72d24af68e1129ed8183d8ff2a314d56318243cccc37fd34ff16db3f25d1d
                                            • Opcode Fuzzy Hash: 698238bea43c18e6304d630c2a114a9e67335a4b13e347f6c396facd2eb9c0f5
                                            • Instruction Fuzzy Hash: 2FA10470D012088FEB14DFA9C448BDDBBB2FF89304F20866AD509AB3A5DB749984CF54
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000006.00000002.713992017.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_1470000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bdbb021b1ebf9a4a02ac297736667b456063710b9ff4bb268afee4e111116d0a
                                            • Instruction ID: 4f6c524ced7293075e5faa2460121dfc388c203bf78498a1a923c99401f3f8c6
                                            • Opcode Fuzzy Hash: bdbb021b1ebf9a4a02ac297736667b456063710b9ff4bb268afee4e111116d0a
                                            • Instruction Fuzzy Hash: 78A1F270D01608CFEB14DFA9C548BDDBBB2FF89304F20866AD509AB2A1DB749985CF54
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000006.00000002.713992017.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_1470000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b99e75a4142ed121066e1f8c4011c684623874c8c04bfb2408521a53a3421e49
                                            • Instruction ID: 6a3487ffa4c975aae6cb9f6364e7549ec6e60b861b5aed943ff5f8720bef8fe9
                                            • Opcode Fuzzy Hash: b99e75a4142ed121066e1f8c4011c684623874c8c04bfb2408521a53a3421e49
                                            • Instruction Fuzzy Hash: 5891F570D01618CFEB14DFA9C488BEDBBB1FF49314F21826AD509AB2A1DB749985CF14
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Control-flow Graph
                                            • Rendered as an image in the original report (executed/not-executed colouring and node list omitted): function at 01473450, basic blocks 01473450-014736F3. It calls into the 01470000 region (01473994/0147392A/01473938, 01474859, 01476111, 014771DA, 014776A8, 01477B08, 01477F68, 014783C9, 0147E758, 0147EE28, 0147F280, 0147F6D8, 0147FB30), reaches KiUserExceptionDispatcher at 01473506, and then runs a chain of calls into the 05610000 region (targets 05610006 through 0561A6A0, each call site listing two to four candidate targets).
                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 01473506
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.713992017.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_1470000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: fe200de364513b2cf49730d47e68cc5df441eae9f299e0e1b37f6004a6103a22
                                            • Instruction ID: 84ed0b801056fbdb47deaca117b2a2e026bc0f333b3fac53be9d4a0574138133
                                            • Opcode Fuzzy Hash: fe200de364513b2cf49730d47e68cc5df441eae9f299e0e1b37f6004a6103a22
                                            • Instruction Fuzzy Hash: 1851F034633742DFC6547B74A6EC16EBBB2FB4F31BB51AC21A05E91459CB38408ACB21
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Control-flow Graph
                                            • Rendered as an image in the original report (executed/not-executed colouring and node list omitted): function at 01473460, overlapping the 01473450 function above, basic blocks 01473460-014736F3, with the same call targets: the 01470000 region (01473994/0147392A/01473938, 01474859, 01476111, 014771DA, 014776A8, 01477B08, 01477F68, 014783C9, 0147E758, 0147EE28, 0147F280, 0147F6D8, 0147FB30), KiUserExceptionDispatcher at 01473506, and the chain of calls into the 05610000 region (05610006 through 0561A6A0).
                                            APIs
                                            • KiUserExceptionDispatcher.NTDLL ref: 01473506
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.713992017.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_1470000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID: DispatcherExceptionUser
                                            • String ID:
                                            • API String ID: 6842923-0
                                            • Opcode ID: 502d1556e22e6506a8b7adc6428edffba32f7fac01cb6b97cf48a66acd573aab
                                            • Instruction ID: be3b6498d8d80f270676253bd7d9215017f31f6ff9e242db931a80e13974941a
                                            • Opcode Fuzzy Hash: 502d1556e22e6506a8b7adc6428edffba32f7fac01cb6b97cf48a66acd573aab
                                            • Instruction Fuzzy Hash: 3751DE30633742DFD6547B61A6EC16FBBB6FB4F31BB51AC21A15E900498B38408ACB21
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0561BA0F
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.715119432.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_5610000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 451b64958d3cc2e0c9d5c3a78c9752f398abaecd978d1fbc498ffc018533d48e
                                            • Instruction ID: 18688f51e0b1893b43ad1c993415c64fc23c6cfbad5d81d537244bf96eba5b5b
                                            • Opcode Fuzzy Hash: 451b64958d3cc2e0c9d5c3a78c9752f398abaecd978d1fbc498ffc018533d48e
                                            • Instruction Fuzzy Hash: 7421F3B5D002489FDB10CFAAD884AEEFBF8FB48320F14845AE954A3310D374A944CFA4
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000006.00000002.713992017.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_1470000_bh4BVURVUr.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f2c0968e4f0f3f5372a4a66154a95210deb79964af87bf17f842314e88efa258
                                            • Instruction ID: 83e01ad39d395b82a9668c0103f5a3acdc40377a3a39720c7f1e9a57e14675e6
                                            • Opcode Fuzzy Hash: f2c0968e4f0f3f5372a4a66154a95210deb79964af87bf17f842314e88efa258
                                            • Instruction Fuzzy Hash: 6D52BD74A01228CFDB64DFA5C984BDDBBB2BB89305F1085EAD509AB354DB349E81CF50
                                            Uniqueness
                                            • Uniqueness Score: -1.00%
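Every record in this section resolves its function from memory that is not backed by a PE image (based on PE: false), in one of two regions, 01470000 and 05610000, whose .sdmp names carry 00000040 in the fifth field. As an added example, not part of the Joe Sandbox report or its IDA plugin, the script below parses records laid out exactly as they are on this page and groups the functions by region and referenced API, which is the first triage view an analyst wants from a dump of this length. Two things in it are assumptions rather than documented facts: the meaning of the .sdmp name fields beyond the base address (the base is confirmed by the Offset value printed on every record, and the first two fields match the 6_2 in the snapshot file name), and that the 00000040 field is a Win32 page protection, which would make these regions PAGE_EXECUTE_READWRITE. The sample text inside the script is constructed from three of this page's own records.

```python
"""Summarise the per-function records of a Joe Sandbox execution-graph dump.

Added example, not Joe Sandbox code. Parses the text records as printed on
the report page ('APIs', 'Memory Dump Source', 'Similarity' fields) and groups
functions by the memory region they were recovered from.
"""
import re
from collections import defaultdict

# Constructed sample: three records in the page's own layout (two with API
# references, one with only a string reference). Graph dumps are omitted.
SAMPLE = """\
APIs
• KiUserExceptionDispatcher.NTDLL ref: 0561010B
Memory Dump Source
• Source File: 00000006.00000002.715119432.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5610000_bh4BVURVUr.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: d4ba4e4f97ed685a9e4e81744321bde1a957b3c973f54079854ce0d77a493cfb
• Instruction Fuzzy Hash: A9410670D052888FDB15CFB6C8547EEBBB2AF8A304F29C17AC404AB255DB395946CF54
Uniqueness Score: -1.00%
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0561BA0F
Memory Dump Source
• Source File: 00000006.00000002.715119432.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false
Similarity
• API ID: DuplicateHandle
• API String ID: 3793708945-0
• Opcode ID: 451b64958d3cc2e0c9d5c3a78c9752f398abaecd978d1fbc498ffc018533d48e
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000006.00000002.713992017.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
Similarity
• API ID:
• String ID: D03m
• Opcode ID: cc903502283acac8afd0d724466d71e92a05f200b506da930f5d6796c5798510
Uniqueness Score: -1.00%
"""

API_REF = re.compile(r"^• (\w+)\.(\w+)(?:\(.*?\))?,? ref: ([0-9A-Fa-f]+)$")
SOURCE = re.compile(r"Source File: (\S+\.sdmp), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)")
FIELD = re.compile(r"^• ([^:]+): ?(.*)$")

# Win32 PAGE_* constants used to decode the fifth .sdmp name field. Assumption:
# that field is the region's page protection (0x40 here, i.e. RWX if so).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


def parse_sdmp_name(name):
    """Split the eight dot-separated fields of a Joe Sandbox .sdmp file name.
    Assumed meanings: [0] process index, [1] dump index, [3] region base,
    [4] page protection. [3] is confirmed by the 'Offset:' value on each
    record; [0] and [1] match the 6_2 in the snapshot name. Rest kept raw."""
    fields = name[:-len(".sdmp")].split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected .sdmp name: {name}")
    prot = int(fields[4], 16)
    return {"process": int(fields[0], 16), "dump": int(fields[1], 16),
            "base": int(fields[3], 16),
            "protect": PAGE_PROTECT.get(prot, f"0x{prot:X}"), "raw": fields}


def parse_records(text):
    """One dict per function record; a record ends at its 'Uniqueness Score' line."""
    records, cur = [], {"apis": [], "fields": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Uniqueness Score"):
            records.append(cur)
            cur = {"apis": [], "fields": {}}
            continue
        m = API_REF.match(line)
        if m:  # e.g. DuplicateHandle.KERNELBASE at 0561BA0F
            cur["apis"].append((f"{m.group(1)}.{m.group(2)}", int(m.group(3), 16)))
            continue
        m = SOURCE.search(line)
        if m:
            cur["source"] = parse_sdmp_name(m.group(1))
            cur["offset"] = int(m.group(2), 16)
            cur["based_on_pe"] = m.group(3) == "true"
            if cur["offset"] != cur["source"]["base"]:
                raise ValueError("Offset does not match the .sdmp base field")
            continue
        m = FIELD.match(line)
        if m:  # Opcode ID, String ID, API ID, fuzzy hashes, ...
            cur["fields"][m.group(1)] = m.group(2)
    return records


def by_region(records):
    """Group functions by (base, protection, PE-backed) and collect the APIs
    and strings referenced from each region."""
    regions = defaultdict(lambda: {"functions": 0, "apis": set(), "strings": set()})
    for r in records:
        reg = regions[(r["source"]["base"], r["source"]["protect"], r["based_on_pe"])]
        reg["functions"] += 1
        reg["apis"].update(name for name, _ in r["apis"])
        if r["fields"].get("String ID"):
            reg["strings"].add(r["fields"]["String ID"])
    return dict(regions)


if __name__ == "__main__":
    for (base, prot, pe), reg in sorted(by_region(parse_records(SAMPLE)).items()):
        print(f"{base:08X} {prot:<22} PE-backed={pe} functions={reg['functions']} "
              f"apis={sorted(reg['apis'])} strings={sorted(reg['strings'])}")
```

Run it directly to print one line per region. parse_records and by_region return plain dicts, so the same summary can be dumped as JSON or joined against the process tree elsewhere in the report; feeding it the full text of this section instead of SAMPLE needs no changes, since the header-only lines (Uniqueness, Similarity, Strings) are ignored.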