
Windows Analysis Report
WLmNdxIHr3

Overview

General Information

Sample Name: WLmNdxIHr3 (renamed file extension from none to exe)
Analysis ID: 679200
MD5: ba7863b67930a109864139efe3da478e
SHA1: 0a90df33ba078ba54576906d6072a11b8dca5356
SHA256: 5cc3602f45772a86c0548e965ce7e57809e2e00ac5f5f100006da37bb79c77cb
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • WLmNdxIHr3.exe (PID: 3360 cmdline: "C:\Users\user\Desktop\WLmNdxIHr3.exe" MD5: BA7863B67930A109864139EFE3DA478E)
    • WLmNdxIHr3.exe (PID: 3448 cmdline: C:\Users\user\Desktop\WLmNdxIHr3.exe MD5: BA7863B67930A109864139EFE3DA478E)
  • cleanup
Malware configuration (AgentTesla, as extracted by the Malware Configuration Extractor): {"Exfil Mode": "SMTP", "Username": "info@szlikestechs.com", "Password": "  Logistics@1234", "Host": "us2.smtp.mailhostbox.com"}
Yara matches on the submitted sample:

Source | Rule | Description | Author | Strings
WLmNdxIHr3.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security

Yara matches on process memory dumps:

Source | Rule | Description | Author | Strings
00000000.00000002.418888252.000000000356E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.425147984.0000000004E77000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.425147984.0000000004E77000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.425147984.0000000004E77000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown | Strings:
  • 0x69f4e:$a13: get_DnsResolver
  • 0x9e56e:$a13: get_DnsResolver
  • 0xd298e:$a13: get_DnsResolver
  • 0x6873a:$a20: get_LastAccessed
  • 0x9cd5a:$a20: get_LastAccessed
  • 0xd117a:$a20: get_LastAccessed
  • 0x6a8cc:$a27: set_InternalServerPort
  • 0x9eeec:$a27: set_InternalServerPort
  • 0xd330c:$a27: set_InternalServerPort
  • 0x6abe5:$a30: set_GuidMasterKey
  • 0x9f205:$a30: set_GuidMasterKey
  • 0xd3625:$a30: set_GuidMasterKey
  • 0x68856:$a33: get_Clipboard
  • 0x9ce76:$a33: get_Clipboard
  • 0xd1296:$a33: get_Clipboard
  • 0x68864:$a34: get_Keyboard
  • 0x9ce84:$a34: get_Keyboard
  • 0xd12a4:$a34: get_Keyboard
  • 0x69b81:$a35: get_ShiftKeyDown
  • 0x9e1a1:$a35: get_ShiftKeyDown
  • 0xd25c1:$a35: get_ShiftKeyDown
00000004.00000000.408215753.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Yara matches on unpacked PE files:

Source | Rule | Description | Author | Strings
0.2.WLmNdxIHr3.exe.4ee5310.9.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.WLmNdxIHr3.exe.4ee5310.9.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.WLmNdxIHr3.exe.4ee5310.9.raw.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | Strings:
  • 0x32b11:$s10: logins
  • 0x66f31:$s10: logins
  • 0x32578:$s11: credential
  • 0x66998:$s11: credential
  • 0x2eb66:$g1: get_Clipboard
  • 0x62f86:$g1: get_Clipboard
  • 0x2eb74:$g2: get_Keyboard
  • 0x62f94:$g2: get_Keyboard
  • 0x2eb81:$g3: get_Password
  • 0x62fa1:$g3: get_Password
  • 0x2fe81:$g4: get_CtrlKeyDown
  • 0x642a1:$g4: get_CtrlKeyDown
  • 0x2fe91:$g5: get_ShiftKeyDown
  • 0x642b1:$g5: get_ShiftKeyDown
  • 0x2fea2:$g6: get_AltKeyDown
  • 0x642c2:$g6: get_AltKeyDown
0.2.WLmNdxIHr3.exe.4ee5310.9.raw.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown | Strings:
  • 0x3025e:$a13: get_DnsResolver
  • 0x6467e:$a13: get_DnsResolver
  • 0x2ea4a:$a20: get_LastAccessed
  • 0x62e6a:$a20: get_LastAccessed
  • 0x30bdc:$a27: set_InternalServerPort
  • 0x64ffc:$a27: set_InternalServerPort
  • 0x30ef5:$a30: set_GuidMasterKey
  • 0x65315:$a30: set_GuidMasterKey
  • 0x2eb66:$a33: get_Clipboard
  • 0x62f86:$a33: get_Clipboard
  • 0x2eb74:$a34: get_Keyboard
  • 0x62f94:$a34: get_Keyboard
  • 0x2fe91:$a35: get_ShiftKeyDown
  • 0x642b1:$a35: get_ShiftKeyDown
  • 0x2fea2:$a36: get_AltKeyDown
  • 0x642c2:$a36: get_AltKeyDown
  • 0x2eb81:$a37: get_Password
  • 0x62fa1:$a37: get_Password
  • 0x2f62b:$a38: get_PasswordHash
  • 0x63a4b:$a38: get_PasswordHash
  • 0x3065e:$a39: get_DefaultCredentials
0.2.WLmNdxIHr3.exe.4ee5310.9.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: WLmNdxIHr3.exe | Virustotal: Detection: 57%
Source: WLmNdxIHr3.exe | Metadefender: Detection: 34%
Source: WLmNdxIHr3.exe | ReversingLabs: Detection: 76%
Source: WLmNdxIHr3.exe | Avira: detected
Source: WLmNdxIHr3.exe | Joe Sandbox ML: detected
Source: 4.0.WLmNdxIHr3.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.WLmNdxIHr3.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info@szlikestechs.com", "Password": " Logistics@1234", "Host": "us2.smtp.mailhostbox.com"}
Source: WLmNdxIHr3.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: WLmNdxIHr3.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Yara match | File source: WLmNdxIHr3.exe, type: SAMPLE
Source: Yara match | File source: 0.0.WLmNdxIHr3.exe.de0000.0.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | IP Address: 208.91.199.223
Source: global traffic | TCP traffic: 192.168.2.7:49785 -> 208.91.199.223:587
Source: WLmNdxIHr3.exe, 00000004.00000002.637950282.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: WLmNdxIHr3.exe, 00000004.00000002.637950282.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: WLmNdxIHr3.exe | String found in binary or memory: http://bit.ly/unCoIY
Source: WLmNdxIHr3.exe | String found in binary or memory: http://bladecoding.com/lolnotes/leagueofstats.php?name=
Source: WLmNdxIHr3.exe, 00000004.00000002.640560502.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: WLmNdxIHr3.exe, 00000004.00000002.640560502.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: WLmNdxIHr3.exe, 00000004.00000002.640560502.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: WLmNdxIHr3.exe, 00000004.00000002.640560502.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: WLmNdxIHr3.exe, 00000004.00000002.640560502.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0A
Source: WLmNdxIHr3.exe, 00000004.00000002.637950282.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://roTszh.com
Source: WLmNdxIHr3.exe, 00000004.00000002.640560502.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: WLmNdxIHr3.exe | String found in binary or memory: http://www.lolking.net/summoner/
Source: WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: WLmNdxIHr3.exe, 00000004.00000002.640531921.0000000002F05000.00000004.00000800.00020000.00000000.sdmp, WLmNdxIHr3.exe, 00000004.00000002.637950282.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://JUpEVaHhlws.net
Source: WLmNdxIHr3.exe | String found in binary or memory: https://github.com/high6/LoLNotes
Source: WLmNdxIHr3.exe | String found in binary or memory: https://raw.github.com/bladecoding/LoLNotes/master/General.txtO
Source: WLmNdxIHr3.exe, 00000004.00000002.640560502.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: WLmNdxIHr3.exe, 00000004.00000002.637950282.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: us2.smtp.mailhostbox.com

System Summary

Source: 0.2.WLmNdxIHr3.exe.4ee5310.9.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.WLmNdxIHr3.exe.4ee5310.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.WLmNdxIHr3.exe.4ee5310.9.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.WLmNdxIHr3.exe.4ee5310.9.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 4.0.WLmNdxIHr3.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.WLmNdxIHr3.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.WLmNdxIHr3.exe.4e77ed0.7.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.WLmNdxIHr3.exe.4e77ed0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.WLmNdxIHr3.exe.4eb0cf0.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.WLmNdxIHr3.exe.4eb0cf0.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.WLmNdxIHr3.exe.4eb0cf0.8.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.WLmNdxIHr3.exe.4eb0cf0.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.425147984.0000000004E77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000004.00000000.408215753.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: WLmNdxIHr3.exe PID: 3360, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: WLmNdxIHr3.exe PID: 3448, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 4.0.WLmNdxIHr3.exe.400000.0.unpack, <PrivateImplementationDetails>{1D26C42F-D2D6-4793-A2FB-B9044BDA64D3}/77984E54-FB32-4CE2-814E-6FDA27C58041.cs | Large array initialization: .cctor: array initializer size 11608
Source: 0.2.WLmNdxIHr3.exe.4ee5310.9.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.WLmNdxIHr3.exe.4ee5310.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.WLmNdxIHr3.exe.4ee5310.9.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.WLmNdxIHr3.exe.4ee5310.9.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 4.0.WLmNdxIHr3.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.WLmNdxIHr3.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.WLmNdxIHr3.exe.4e77ed0.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.WLmNdxIHr3.exe.4e77ed0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.WLmNdxIHr3.exe.4eb0cf0.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.WLmNdxIHr3.exe.4eb0cf0.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.WLmNdxIHr3.exe.4eb0cf0.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.WLmNdxIHr3.exe.4eb0cf0.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.425147984.0000000004E77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000004.00000000.408215753.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: WLmNdxIHr3.exe PID: 3360, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: WLmNdxIHr3.exe PID: 3448, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Code function: 4_2_02B5F3C8
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Code function: 4_2_02B5F080
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Code function: 4_2_02B5AD20
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Code function: 4_2_05D6C460
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Code function: 4_2_05D6B710
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Code function: 4_2_05D6F1B8
Source: WLmNdxIHr3.exe, 00000000.00000002.415491210.0000000003291000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFroor.dll4 vs WLmNdxIHr3.exe
Source: WLmNdxIHr3.exe, 00000000.00000002.418888252.000000000356E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRHmsuPrlFYrRtkKRzBTjxCXImoGRjazOdERX.exe4 vs WLmNdxIHr3.exe
Source: WLmNdxIHr3.exe, 00000000.00000002.416464913.0000000003362000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs WLmNdxIHr3.exe
Source: WLmNdxIHr3.exe, 00000000.00000002.425147984.0000000004E77000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRHmsuPrlFYrRtkKRzBTjxCXImoGRjazOdERX.exe4 vs WLmNdxIHr3.exe
Source: WLmNdxIHr3.exe, 00000000.00000002.439346869.0000000007906000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePlates.dll4 vs WLmNdxIHr3.exe
Source: WLmNdxIHr3.exe, 00000000.00000002.419515800.0000000004A99000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSchedulingClerk.dll. vs WLmNdxIHr3.exe
Source: WLmNdxIHr3.exe, 00000000.00000000.366744324.0000000000EA4000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameTimerCallb.exe2 vs WLmNdxIHr3.exe
Source: WLmNdxIHr3.exe, 00000000.00000002.441150858.000000000BE80000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSchedulingClerk.dll. vs WLmNdxIHr3.exe
Source: WLmNdxIHr3.exe, 00000004.00000002.635155694.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs WLmNdxIHr3.exe
Source: WLmNdxIHr3.exe, 00000004.00000000.408725677.0000000000436000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRHmsuPrlFYrRtkKRzBTjxCXImoGRjazOdERX.exe4 vs WLmNdxIHr3.exe
Source: WLmNdxIHr3.exe | Binary or memory string: OriginalFilenameTimerCallb.exe2 vs WLmNdxIHr3.exe
Source: WLmNdxIHr3.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\WLmNdxIHr3.exe "C:\Users\user\Desktop\WLmNdxIHr3.exe"
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Process created: C:\Users\user\Desktop\WLmNdxIHr3.exe C:\Users\user\Desktop\WLmNdxIHr3.exe
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WLmNdxIHr3.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
Source: 0.0.WLmNdxIHr3.exe.de0000.0.unpack, LoLNotes/Util/Wow.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.WLmNdxIHr3.exe.de0000.0.unpack, LoLNotes/Util/Wow.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: WLmNdxIHr3.exe, LoLNotes/Util/Wow.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: WLmNdxIHr3.exe, LoLNotes/Util/Wow.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: WLmNdxIHr3.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: WLmNdxIHr3.exe, LoLNotes/Gui/MainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.WLmNdxIHr3.exe.de0000.0.unpack, LoLNotes/Gui/MainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.WLmNdxIHr3.exe.400000.0.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: WLmNdxIHr3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: WLmNdxIHr3.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: initial sample | Static PE information: section name: .text entropy: 7.793379716498792
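The three static PE rows above (a CLR data directory, the DllCharacteristics flags DYNAMIC_BASE, NX_COMPAT, NO_SEH and TERMINAL_SERVER_AWARE, and a .text section at entropy 7.79) are checks a triage script can reproduce from the file alone, before any sandbox run. The Python below is an added example, not code from this report or from Joe Sandbox: it reads those three fields with a minimal standard-library PE parser and flags sections above 7.2 bits per byte, a rule-of-thumb threshold (an editor's assumption) for packed or encrypted code. Because no sample ships with this page, it also constructs a throwaway two-section PE32 in memory; the builder, its section layout and the fake CLR header RVA are hypothetical and exist only so the parser can be exercised offline. Pass a real file path on the command line to run it against an actual binary.

```python
import hashlib
import math
import struct
import sys

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (PE/COFF specification).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
COM_DESCRIPTOR = 14  # data-directory slot of the CLR header; non-empty means a managed (.NET) image

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_pe(image: bytes) -> dict:
    """Read DllCharacteristics, CLR header presence and per-section entropy from a PE32/PE32+ file."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", image, opt)[0] == 0x20B
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]  # same offset in PE32 and PE32+
    dir_count_off, dir_off = (108, 112) if pe32plus else (92, 96)
    num_dirs = struct.unpack_from("<I", image, opt + dir_count_off)[0]
    clr_rva = clr_size = 0
    if num_dirs > COM_DESCRIPTOR:
        clr_rva, clr_size = struct.unpack_from("<II", image, opt + dir_off + 8 * COM_DESCRIPTOR)
    sections = []
    for i in range(num_sections):
        hdr = opt + size_opt + 40 * i  # section table follows the optional header, 40 bytes each
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)  # SizeOfRawData, PointerToRawData
        entropy = shannon_entropy(image[raw_ptr:raw_ptr + raw_size])
        sections.append({"name": name, "raw_size": raw_size, "entropy": round(entropy, 3)})
    return {
        "pe32plus": pe32plus,
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit],
        "managed": clr_rva != 0 and clr_size != 0,
        "sections": sections,
    }

def suspicious_sections(info: dict, threshold: float = 7.2) -> list:
    """Sections whose raw bytes look encrypted or packed rather than compiled."""
    return [s["name"] for s in info["sections"] if s["entropy"] >= threshold]

def pseudo_random(n: int, seed: bytes = b"constructed-demo") -> bytes:
    """Deterministic high-entropy filler (SHA-256 in counter mode) so the demo needs no real sample."""
    out = bytearray()
    for ctr in range(n // 32 + 1):
        out += hashlib.sha256(seed + ctr.to_bytes(4, "little")).digest()
    return bytes(out[:n])

def build_test_image(text: bytes, rsrc: bytes, dll_chars: int, managed: bool) -> bytes:
    """Constructed two-section PE32 (hypothetical layout): enough header for parse_pe, not loadable."""
    e_lfanew, opt_size, align = 0x80, 224, 0x200
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)  # i386, 2 sections, EXE|32BIT
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)  # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)         # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + 8 * COM_DESCRIPTOR, 0x2008, 0x48)  # fake CLR header RVA/size
    headers = dos + b"PE\0\0" + coff + bytes(opt)
    raw_base = ptr = (len(headers) + 2 * 40 + align - 1) // align * align  # first raw-data offset
    secs, body = b"", b""
    for name, data in ((b".text", text), (b".rsrc", rsrc)):
        size = (len(data) + align - 1) // align * align
        secs += struct.pack("<8sIIIIIIHHI", name, len(data), 0, size, ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(size, b"\0")
        ptr += size
    return (headers + secs).ljust(raw_base, b"\0") + body

if __name__ == "__main__":
    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_image(
        pseudo_random(0x1000), b"\0" * 0x200, 0x0040 | 0x0100 | 0x0400 | 0x8000, managed=True)
    report = parse_pe(target)
    print(report["dll_characteristics"], "managed" if report["managed"] else "native")
    for s in report["sections"]:
        print(f"{s['name']:<8} raw={s['raw_size']:#x} entropy={s['entropy']}")
    print("high-entropy sections:", suspicious_sections(report))
```

The combination this report shows, a managed image whose .text sits near 8 bits per byte, is the usual shape of a .NET crypter: the section carries an encrypted payload that the CreateDecryptor / TransformFinalBlock calls listed above unpack at run time, and plain compiled MSIL typically sits well below that entropy. The DllCharacteristics flags are what the C# compiler emits by default and say nothing about intent on their own; they matter only as context for the hollowing seen later in the trace.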
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Process information set: NOOPENFILEERRORBOX (93 identical rows in the report)

                  Malware Analysis System Evasion

Source: Yara match | File source: 00000000.00000002.418888252.000000000356E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: WLmNdxIHr3.exe PID: 3360, type: MEMORYSTR
Source: WLmNdxIHr3.exe, 00000000.00000002.418888252.000000000356E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: WLmNdxIHr3.exe, 00000000.00000002.418888252.000000000356E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe TID: 3180 | Thread sleep time: -45877s >= -30000s
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe TID: 4212 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe TID: 2892 | Thread sleep count: 9741 > 30
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Window / User API: threadDelayed 9741
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Thread delayed: delay time: 45877
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Thread delayed: delay time: 922337203685477
Source: WLmNdxIHr3.exe, 00000000.00000002.418888252.000000000356E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: WLmNdxIHr3.exe, 00000000.00000002.418888252.000000000356E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: WLmNdxIHr3.exe, 00000000.00000002.418888252.000000000356E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
Source: WLmNdxIHr3.exe, 00000000.00000002.418888252.000000000356E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

Source: WLmNdxIHr3.exe, LoLNotes/Util/ProcessMemory.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('LoadLibrary', 'LoadLibraryA@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll'), ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: WLmNdxIHr3.exe, LoLNotes/Util/Wow.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 0.0.WLmNdxIHr3.exe.de0000.0.unpack, LoLNotes/Util/ProcessMemory.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('LoadLibrary', 'LoadLibraryA@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll'), ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 0.0.WLmNdxIHr3.exe.de0000.0.unpack, LoLNotes/Util/Wow.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 4.0.WLmNdxIHr3.exe.400000.0.unpack, A/E1.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Memory written: C:\Users\user\Desktop\WLmNdxIHr3.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Process created: C:\Users\user\Desktop\WLmNdxIHr3.exe C:\Users\user\Desktop\WLmNdxIHr3.exe
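The rows of the "Malware Analysis System Evasion" section above (SBIEDLL.DLL and the Wine export name found in memory, WMI enumeration of Win32_BaseBoard, Win32_Processor and Win32_NetworkAdapterConfiguration, and sleep rows at or beyond the report's 30 s threshold) and the rows of this section (the kernel32 OpenProcess / VirtualAllocEx / WriteProcessMemory set, the sample spawning a copy of itself, then a buffer beginning 4D5A, the MZ magic, written at base 400000 of that copy) are each weak on their own and become a strong signal when correlated: write a PE over the image base of a freshly spawned child of yourself is the classic RunPE (process hollowing) sequence, and the in-memory unpacking explains why the 4.0.*.400000 dump carries different source files (A/F1.cs, A/E1.cs) than the on-disk LoLNotes stub. The Python below is an added example, not part of the report or of Joe Sandbox, serving both sections: it parses rows in the shape used on this page, tolerates rows whose cells were run together by extraction, and emits findings that name the hollowing pattern explicitly. The sample rows are constructed from values on this page; the marker strings, the WMI class set and the 30000 ms threshold are the editor's assumptions, chosen to mirror the report's own signatures.

```python
import re
from collections import defaultdict

EVENT_KINDS = (
    "Process created", "Memory written", "WMI Queries", "Thread sleep time",
    "Thread sleep count", "Thread delayed", "Binary or memory string",
    "Reference to suspicious API methods",
)
# "Source: <origin> | <event>: <detail>"; the " | " is optional so rows whose cells
# were run together by extraction ("...exeProcess created: ...") parse as well.
ROW_RE = re.compile(r"^Source:\s*(?P<origin>.*?)\s*\|?\s*(?P<kind>"
                    + "|".join(re.escape(k) for k in EVENT_KINDS) + r"):\s*(?P<detail>.*)$")

# Assumed indicator lists, chosen to match the signatures this report fires on.
VM_MARKERS = ("SBIEDLL", "VMWARE", "VBOX", "VIRTUALBOX", "QEMU", "XEN", "WINE_GET_UNIX_FILE_NAME")
FINGERPRINT_WMI = {"Win32_BaseBoard", "Win32_Bios", "Win32_Processor",
                   "Win32_NetworkAdapterConfiguration", "Win32_ComputerSystem"}
INJECTION_APIS = {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"}
LONG_SLEEP_MS = 30_000  # the report's own ">= -30000s" comparison threshold

# Constructed sample: every value is copied from a row of this report.
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Process created: C:\Users\user\Desktop\WLmNdxIHr3.exe C:\Users\user\Desktop\WLmNdxIHr3.exe
Source: WLmNdxIHr3.exe, 00000000.00000002.418888252.000000000356E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: WLmNdxIHr3.exe, 00000000.00000002.418888252.000000000356E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe TID: 3180 | Thread sleep time: -45877s >= -30000s
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe TID: 2892 | Thread sleep count: 9741 > 30
Source: WLmNdxIHr3.exe, LoLNotes/Util/ProcessMemory.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Memory written: C:\Users\user\Desktop\WLmNdxIHr3.exe base: 400000 value starts with: 4D5A
"""

def parse_rows(text: str) -> list:
    """Turn report rows into {origin, kind, detail} dicts; unknown rows and link residue are dropped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(re.sub(r"\s*Jump to behavior$", "", line.strip()))
        if m:
            rows.append(m.groupdict())
    return rows

def triage(rows: list) -> dict:
    """Correlate rows into evasion and injection findings; a key is present only when it fired."""
    f = defaultdict(list)
    spawned_self, apis = set(), set()
    for r in rows:
        kind, detail, origin = r["kind"], r["detail"], r["origin"]
        if kind == "Binary or memory string":
            if any(marker in detail.upper() for marker in VM_MARKERS):
                f["vm_sandbox_strings"].append(detail)
        elif kind == "WMI Queries":
            cls = re.search(r"Win32_\w+", detail)
            if cls and cls.group() in FINGERPRINT_WMI:
                f["hardware_fingerprint_wmi"].append(cls.group())
        elif kind in ("Thread sleep time", "Thread delayed"):
            longest = max(abs(int(n)) for n in re.findall(r"-?\d+", detail))
            if longest >= LONG_SLEEP_MS:  # 922337203685477 ms equals TimeSpan.MaxValue: a sleep meant never to end
                f["long_sleep"].append(longest)
        elif kind == "Thread sleep count":
            f["sleep_loop"].append(int(re.search(r"\d+", detail).group()))
        elif kind == "Process created":
            child = detail.split()[0]  # image path comes first; the sample paths contain no spaces
            if child.lower() == origin.lower():
                spawned_self.add(child)
        elif kind == "Memory written":
            m = re.match(r"(?P<target>.*?)\s+base:\s*(?P<base>[0-9A-Fa-f]+)\s+value starts with:\s*(?P<magic>\w+)", detail)
            if m and m.group("magic").upper().startswith("4D5A"):  # "MZ": a whole PE image was written
                f["pe_written_to_process"].append((m.group("target"), m.group("base")))
        elif kind == "Reference to suspicious API methods":
            apis.update(re.findall(r"\('(\w+)',", detail))
    if INJECTION_APIS <= apis:
        f["injection_api_set"] = sorted(INJECTION_APIS)
    for target, base in f.get("pe_written_to_process", []):
        if target in spawned_self:  # PE written into a just-spawned copy of itself: RunPE / hollowing
            f["process_hollowing_pattern"].append(f"{target} @ 0x{base}")
    return dict(f)

if __name__ == "__main__":
    for key, value in triage(parse_rows(SAMPLE_ROWS)).items():
        print(f"{key}: {value}")
```

The point of the correlation step is the last loop: neither a self-spawn nor an MZ write is conclusive alone (installers and debuggers do both), but an MZ buffer landing at the image base of a child that is a copy of the parent, in a binary that also imports the VirtualAllocEx / WriteProcessMemory pair, has essentially no benign explanation. For live response the same logic maps onto Sysmon: event 1 (parent image equals child image) followed by event 8 or 10 against that child's PID, which is where the dump at 4.0.WLmNdxIHr3.exe.400000 in this report comes from.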
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Users\user\Desktop\WLmNdxIHr3.exe VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\WLmNdxIHr3.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Users\user\Desktop\WLmNdxIHr3.exe VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

Source: Yara match | File source: 0.2.WLmNdxIHr3.exe.4ee5310.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.WLmNdxIHr3.exe.4ee5310.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.WLmNdxIHr3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.WLmNdxIHr3.exe.4e77ed0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.WLmNdxIHr3.exe.4eb0cf0.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.WLmNdxIHr3.exe.4eb0cf0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.425147984.0000000004E77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.408215753.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.637950282.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: WLmNdxIHr3.exe PID: 3360, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: WLmNdxIHr3.exe PID: 3448, type: MEMORYSTR
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\WLmNdxIHr3.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000004.00000002.637950282.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: WLmNdxIHr3.exe PID: 3448, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match | File source: 0.2.WLmNdxIHr3.exe.4ee5310.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.WLmNdxIHr3.exe.4ee5310.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.WLmNdxIHr3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.WLmNdxIHr3.exe.4e77ed0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.WLmNdxIHr3.exe.4eb0cf0.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.WLmNdxIHr3.exe.4eb0cf0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.425147984.0000000004E77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.408215753.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.637950282.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: WLmNdxIHr3.exe PID: 3360, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: WLmNdxIHr3.exe PID: 3448, type: MEMORYSTR
MITRE ATT&CK Matrix (one technique per tactic column; leading digits are the report's signature-count badges for that cell)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 211 Windows Management Instrumentation | Path Interception | 111 Process Injection | 1 Masquerading | 2 OS Credential Dumping | 1 Query Registry | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | 1 Credentials in Registry | 211 Security Software Discovery | Remote Desktop Protocol | 11 Archive Collected Data | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 131 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 2 Data from Local System | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 111 Process Injection | NTDS | 131 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Scheduled Transfer | 11 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Obfuscated Files or Information | Cached Domain Credentials | 1 Remote System Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 3 Software Packing | DCSync | 114 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Antivirus, Machine Learning and Genetic Malware Detection (submitted file)

Source | Detection | Scanner | Label
WLmNdxIHr3.exe | 57% | Virustotal |
WLmNdxIHr3.exe | 34% | Metadefender |
WLmNdxIHr3.exe | 77% | ReversingLabs | Win32.Trojan.Leonem
WLmNdxIHr3.exe | 100% | Avira | TR/AD.AgentTesla.rlukc
WLmNdxIHr3.exe | 100% | Joe Sandbox ML |

No Antivirus matches

Source | Detection | Scanner | Label
4.0.WLmNdxIHr3.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

No Antivirus matches
Source | Detection | Scanner | Label
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://bladecoding.com/lolnotes/leagueofstats.php?name= | 0% | Avira URL Cloud | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://roTszh.com | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
https://JUpEVaHhlws.net | 0% | Avira URL Cloud | safe
http://ocsp.sectigo.com0A | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 208.91.199.223 | true | false |  | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | WLmNdxIHr3.exe, 00000004.00000002.640560502.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://127.0.0.1:HTTP/1.1 | WLmNdxIHr3.exe, 00000004.00000002.637950282.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.fontbureau.com | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.fontbureau.com/designersG | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://bladecoding.com/lolnotes/leagueofstats.php?name= | WLmNdxIHr3.exe | false | Avira URL Cloud: safe | unknown
https://sectigo.com/CPS0 | WLmNdxIHr3.exe, 00000004.00000002.640560502.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.founder.com.cn/cn/bThe | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://us2.smtp.mailhostbox.com | WLmNdxIHr3.exe, 00000004.00000002.640560502.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.fontbureau.com/designers? | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.lolking.net/summoner/ | WLmNdxIHr3.exe | false |  | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | WLmNdxIHr3.exe, 00000004.00000002.637950282.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://bit.ly/unCoIY | WLmNdxIHr3.exe | false |  | high
http://www.tiro.com | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://raw.github.com/bladecoding/LoLNotes/master/General.txtO | WLmNdxIHr3.exe | false |  | high
http://www.fontbureau.com/designers | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.goodfont.co.kr | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/high6/LoLNotes | WLmNdxIHr3.exe | false |  | high
http://www.typography.netD | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.founder.com.cn/cn/cThe | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://roTszh.com | WLmNdxIHr3.exe, 00000004.00000002.637950282.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | WLmNdxIHr3.exe, 00000004.00000002.637950282.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://JUpEVaHhlws.net | WLmNdxIHr3.exe, 00000004.00000002.640531921.0000000002F05000.00000004.00000800.00020000.00000000.sdmp, WLmNdxIHr3.exe, 00000004.00000002.637950282.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers8 | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://ocsp.sectigo.com0A | WLmNdxIHr3.exe, 00000004.00000002.640560502.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.sandoll.co.kr | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | WLmNdxIHr3.exe, 00000000.00000002.436103294.0000000007382000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
208.91.199.223 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRY (US) | false
                                                  Joe Sandbox Version:35.0.0 Citrine
                                                  Analysis ID:679200
                                                  Start date and time: 05/08/202211:57:092022-08-05 11:57:09 +02:00
                                                  Joe Sandbox Product:CloudBasic
                                                  Overall analysis duration:0h 10m 48s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Sample file name:WLmNdxIHr3 (renamed file extension from none to exe)
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                  Number of analysed new started processes analysed:20
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • HDC enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Detection:MAL
                                                  Classification:mal100.troj.spyw.evad.winEXE@3/1@1/1
                                                  EGA Information:
                                                  • Successful, ratio: 100%
                                                  HDC Information:Failed
                                                  HCA Information:
                                                  • Successful, ratio: 100%
                                                  • Number of executed functions: 40
                                                  • Number of non-executed functions: 0
                                                  Cookbook Comments:
                                                  • Adjust boot time
                                                  • Enable AMSI
                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                  • Excluded IPs from analysis (whitelisted): 23.211.4.86
                                                  • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
                                                  • Not all processes were analyzed, report is missing behavior information
                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
Time     | Type            | Description
11:58:55 | API Interceptor | 657x Sleep call for process: WLmNdxIHr3.exe modified
Match: 208.91.199.223
Associated Sample Name / URL | SHA 256 | Detection | Link | Context
PURCHASE ORDER.exe | Get hash | malicious | Browse |
PO-151.exe | Get hash | malicious | Browse |
ORDER-NO0003.exe | Get hash | malicious | Browse |
WZyXE4GNKW.exe | Get hash | malicious | Browse |
Invoice.exe | Get hash | malicious | Browse |
wOs4Roj1hC.exe | Get hash | malicious | Browse |
Statement.exe | Get hash | malicious | Browse |
Order Inquiry.exe | Get hash | malicious | Browse |
RpIPCRlGZm.exe | Get hash | malicious | Browse |
CONTRACT ORDER 0022.doc | Get hash | malicious | Browse |
vRqy8fa25P.exe | Get hash | malicious | Browse |
XEabtLBUPP.exe | Get hash | malicious | Browse |
12693906 - Ref. BJ22091.exe | Get hash | malicious | Browse |
shipping documents.exe | Get hash | malicious | Browse |
2exmx2jgmHgdwUe.exe | Get hash | malicious | Browse |
Purchase Order ICI 25 Tons @325.15.exe | Get hash | malicious | Browse |
Price Request.exe | Get hash | malicious | Browse |
MCR8XBrCma.exe | Get hash | malicious | Browse |
PAID PI UN5674.589095, UN567598.DUI EUR 23,000.00.exe | Get hash | malicious | Browse |
SecuriteInfo.com.W32.AIDetect.malware2.32239.exe | Get hash | malicious | Browse |
Match: us2.smtp.mailhostbox.com
Associated Sample Name / URL | SHA 256 | Detection | Link | Context
DOC_6000019430_AUGUST2022.EXE | Get hash | malicious | Browse | 208.91.198.143
Order.exe | Get hash | malicious | Browse | 208.91.199.225
hpyvq3OqZv.exe | Get hash | malicious | Browse | 208.91.199.225
Scan_6532291931_00040310003309-Shipment Doc_pdf.exe | Get hash | malicious | Browse | 208.91.198.143
PURCHASE ORDER.exe | Get hash | malicious | Browse | 208.91.198.143
PO-151.exe | Get hash | malicious | Browse | 208.91.199.223
PAYMENT ADVICE.exe | Get hash | malicious | Browse | 208.91.199.225
Scan_77072022_00040310003309-Payment_Advice_pdf.exe | Get hash | malicious | Browse | 208.91.198.143
s7ejxvI6ZP.exe | Get hash | malicious | Browse | 208.91.199.225
ORDER-NO0003.exe | Get hash | malicious | Browse | 208.91.199.223
Doc_Requisition Quote_JULY2022.exe | Get hash | malicious | Browse | 208.91.198.143
RFQ-Prebid Inquiries..exe | Get hash | malicious | Browse | 208.91.199.224
Ordem de compra.exe | Get hash | malicious | Browse | 208.91.199.224
bl drafts.exe | Get hash | malicious | Browse | 208.91.198.143
MpdjpFWPsD.exe | Get hash | malicious | Browse | 208.91.199.224
quote WK13641E.xlsx | Get hash | malicious | Browse | 208.91.199.224
WZyXE4GNKW.exe | Get hash | malicious | Browse | 208.91.199.225
pdf.exe | Get hash | malicious | Browse | 208.91.198.143
Invoice.exe | Get hash | malicious | Browse | 208.91.199.225
Invoice.exe | Get hash | malicious | Browse | 208.91.199.223
Match: PUBLIC-DOMAIN-REGISTRYUS
Associated Sample Name / URL | SHA 256 | Detection | Link | Context
DOC_6000019430_AUGUST2022.EXE | Get hash | malicious | Browse | 208.91.198.143
hpyvq3OqZv.exe | Get hash | malicious | Browse | 208.91.199.225
D99Wy236LD.exe | Get hash | malicious | Browse | 111.118.212.38
PURCHASE ORDER.exe | Get hash | malicious | Browse | 208.91.199.223
Swift Copy.exe | Get hash | malicious | Browse | 103.21.58.15
PO-151.exe | Get hash | malicious | Browse | 208.91.199.223
Invoice SIL-EDI-0-2022-392.exe | Get hash | malicious | Browse | 119.18.49.30
PAYMENT ADVICE.exe | Get hash | malicious | Browse | 208.91.199.225
IMG_03184.exe | Get hash | malicious | Browse | 103.21.58.15
PURCHASE ORDER.exe | Get hash | malicious | Browse | 111.118.215.251
ORDER-NO0003.exe | Get hash | malicious | Browse | 208.91.199.224
Doc_Requisition Quote_JULY2022.exe | Get hash | malicious | Browse | 208.91.198.143
PO from Proform Technologies Inc 15124.pdf.rar.exe | Get hash | malicious | Browse | 111.118.215.251
RFQ-Prebid Inquiries..exe | Get hash | malicious | Browse | 208.91.199.224
SecuriteInfo.com.W32.AIDetectNet.01.25263.exe | Get hash | malicious | Browse | 103.21.58.130
Payment Copy_Bank Fab.doc | Get hash | malicious | Browse | 103.21.58.130
Bank FAB_ Payment Copy_Pdf.exe | Get hash | malicious | Browse | 103.21.58.130
n7SttFD3Nc.exe | Get hash | malicious | Browse | 103.195.185.94
RFQ 0937728266.vbs | Get hash | malicious | Browse | 111.118.215.251
Ordem de compra.exe | Get hash | malicious | Browse | 208.91.199.224
                                                                                          No context
                                                                                          No context
                                                                                          Process:C:\Users\user\Desktop\WLmNdxIHr3.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1308
                                                                                          Entropy (8bit):5.345811588615766
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                                                                          MD5:2E016B886BDB8389D2DD0867BE55F87B
                                                                                          SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                                                                          SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                                                                          SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                                                                          Malicious:true
                                                                                          Reputation:high, very likely benign file
                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Entropy (8bit):7.784555726017543
                                                                                          TrID:
                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                          • Windows Screen Saver (13104/52) 0.07%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                          File name:WLmNdxIHr3.exe
                                                                                          File size:797696
                                                                                          MD5:ba7863b67930a109864139efe3da478e
                                                                                          SHA1:0a90df33ba078ba54576906d6072a11b8dca5356
                                                                                          SHA256:5cc3602f45772a86c0548e965ce7e57809e2e00ac5f5f100006da37bb79c77cb
                                                                                          SHA512:3cabfffd95d1151b04240caa2bf200c9a53cc3899f85927e3259f53805e2544dcdc4249b855bc4ffb245c1131d30ea48be52392928623ec1d0d4bb654212cc63
                                                                                          SSDEEP:12288:zbv7n02b2UVFdPBGjy1AuFWBVeS5f/QBK7CNhvk0R4pRmCDqHVVAx67WeyqLvLqh:3Gjy1AuBS5c+Y7ipRmb13W4LzEkM
                                                                                          TLSH:5105F12503BCCB4AE9BF47F9F4245581477AA203A54BE74D9F80E0CE3EA37A0D5152A7
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*.b..............0...... .......(... ...@....@.. ....................................@................................
                                                                                          Icon Hash:686868e882e479b2
                                                                                          Entrypoint:0x4c28da
                                                                                          Entrypoint Section:.text
                                                                                          Digitally signed:false
                                                                                          Imagebase:0x400000
                                                                                          Subsystem:windows gui
                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                          Time Stamp:0x62E02AA7 [Tue Jul 26 17:55:51 2022 UTC]
                                                                                          TLS Callbacks:
                                                                                          CLR (.Net) Version:
                                                                                          OS Version Major:4
                                                                                          OS Version Minor:0
                                                                                          File Version Major:4
                                                                                          File Version Minor:0
                                                                                          Subsystem Version Major:4
                                                                                          Subsystem Version Minor:0
                                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                          Instruction
                                                                                          jmp dword ptr [00402000h]
                                                                                          mov edi, edi
                                                                                          push ebp
                                                                                          mov ebp, esp
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [ebp-75h], dl
                                                                                          in al, dx
                                                                                          pushad
                                                                                          mov eax, dword ptr [ebp+0Ch]
                                                                                          cmp word ptr [eax], 0002h
                                                                                          jne 00007FAAAD47EF24h
                                                                                          mov ecx, 00003308h
                                                                                          cmp word ptr [eax+02h], cx
                                                                                          jne 00007FAAAD47EF19h
                                                                                          mov dword ptr [eax+04h], 0100007Fh
                                                                                          popad
                                                                                          jmp 00007FAAAD47EF15h
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xc2888          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc4000          0x1ca4        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc6000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity   File Type  Entropy              Characteristics
.text   0x2000           0xc0910       0xc0a00   False     0.86008349894549  data       7.793379716498792    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xc4000          0x1ca4        0x1e00    False     0.65078125        data       6.816247600191881    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xc6000          0xc           0x200     False     0.044921875       data       0.09800417566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size   Type                                                        Language  Country
RT_ICON        0xc4100  0xf94  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON  0xc50a4  0x14   data
RT_VERSION     0xc50c8  0x324  data
RT_MANIFEST    0xc53fc  0x8a3  XML 1.0 document, UTF-8 Unicode (with BOM) text
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Aug 5, 2022 11:59:19.720238924 CEST  49785        587        192.168.2.7     208.91.199.223
Aug 5, 2022 11:59:19.890372038 CEST  587          49785      208.91.199.223  192.168.2.7
Aug 5, 2022 11:59:19.890538931 CEST  49785        587        192.168.2.7     208.91.199.223
Aug 5, 2022 11:59:23.267518044 CEST  587          49785      208.91.199.223  192.168.2.7
Aug 5, 2022 11:59:23.267951012 CEST  49785        587        192.168.2.7     208.91.199.223
Aug 5, 2022 11:59:23.438301086 CEST  587          49785      208.91.199.223  192.168.2.7
Aug 5, 2022 11:59:23.438460112 CEST  587          49785      208.91.199.223  192.168.2.7
Aug 5, 2022 11:59:23.438792944 CEST  49785        587        192.168.2.7     208.91.199.223
Aug 5, 2022 11:59:23.609215975 CEST  587          49785      208.91.199.223  192.168.2.7
Aug 5, 2022 11:59:23.659852982 CEST  49785        587        192.168.2.7     208.91.199.223
Aug 5, 2022 11:59:23.831017971 CEST  587          49785      208.91.199.223  192.168.2.7
Aug 5, 2022 11:59:23.831059933 CEST  587          49785      208.91.199.223  192.168.2.7
Aug 5, 2022 11:59:23.831079960 CEST  587          49785      208.91.199.223  192.168.2.7
Aug 5, 2022 11:59:23.831099033 CEST  587          49785      208.91.199.223  192.168.2.7
Aug 5, 2022 11:59:23.831321955 CEST  49785        587        192.168.2.7     208.91.199.223
Aug 5, 2022 11:59:23.834280968 CEST  587          49785      208.91.199.223  192.168.2.7
Aug 5, 2022 11:59:23.834434986 CEST  49785        587        192.168.2.7     208.91.199.223
Aug 5, 2022 11:59:24.004659891 CEST  587          49785      208.91.199.223  192.168.2.7
Aug 5, 2022 11:59:24.004803896 CEST  49785        587        192.168.2.7     208.91.199.223
Aug 5, 2022 11:59:24.039912939 CEST  49785        587        192.168.2.7     208.91.199.223
Aug 5, 2022 11:59:24.210659027 CEST  587          49785      208.91.199.223  192.168.2.7
Aug 5, 2022 11:59:24.258789062 CEST  49785        587        192.168.2.7     208.91.199.223
Aug 5, 2022 11:59:24.350205898 CEST  49785        587        192.168.2.7     208.91.199.223
Aug 5, 2022 11:59:24.520832062 CEST  587          49785      208.91.199.223  192.168.2.7
Aug 5, 2022 11:59:24.522891998 CEST  49785        587        192.168.2.7     208.91.199.223
Aug 5, 2022 11:59:24.696552038 CEST  587          49785      208.91.199.223  192.168.2.7
Aug 5, 2022 11:59:24.697578907 CEST  49785        587        192.168.2.7     208.91.199.223
Aug 5, 2022 11:59:24.875669003 CEST  587          49785      208.91.199.223  192.168.2.7
Aug 5, 2022 11:59:24.877111912 CEST  49785        587        192.168.2.7     208.91.199.223
Aug 5, 2022 11:59:25.049618959 CEST  587          49785      208.91.199.223  192.168.2.7
Aug 5, 2022 11:59:25.050239086 CEST  49785        587        192.168.2.7     208.91.199.223
Aug 5, 2022 11:59:25.260646105 CEST  587          49785      208.91.199.223  192.168.2.7
Aug 5, 2022 11:59:25.263529062 CEST  587          49785      208.91.199.223  192.168.2.7
Aug 5, 2022 11:59:25.264116049 CEST  49785        587        192.168.2.7     208.91.199.223
Aug 5, 2022 11:59:25.435524940 CEST  587          49785      208.91.199.223  192.168.2.7
Aug 5, 2022 11:59:25.436611891 CEST  587          49785      208.91.199.223  192.168.2.7
Aug 5, 2022 11:59:25.438678026 CEST  49785        587        192.168.2.7     208.91.199.223
Aug 5, 2022 11:59:25.438939095 CEST  49785        587        192.168.2.7     208.91.199.223
Aug 5, 2022 11:59:25.439802885 CEST  49785        587        192.168.2.7     208.91.199.223
Aug 5, 2022 11:59:25.440084934 CEST  49785        587        192.168.2.7     208.91.199.223
Aug 5, 2022 11:59:25.609061003 CEST  587          49785      208.91.199.223  192.168.2.7
Aug 5, 2022 11:59:25.610270977 CEST  587          49785      208.91.199.223  192.168.2.7
Aug 5, 2022 11:59:25.748856068 CEST  587          49785      208.91.199.223  192.168.2.7
Aug 5, 2022 11:59:25.839360952 CEST  49785        587        192.168.2.7     208.91.199.223
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Aug 5, 2022 11:59:19.661211014 CEST  64618        53         192.168.2.7  8.8.8.8
Aug 5, 2022 11:59:19.683432102 CEST  53           64618      8.8.8.8      192.168.2.7
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                      Type            Class
Aug 5, 2022 11:59:19.661211014 CEST  192.168.2.7  8.8.8.8  0x9bdb    Standard query (0)  us2.smtp.mailhostbox.com  A (IP address)  IN (0x0001)
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                      CName  Address         Type            Class
Aug 5, 2022 11:59:19.683432102 CEST  8.8.8.8    192.168.2.7  0x9bdb    No error (0)  us2.smtp.mailhostbox.com         208.91.199.223  A (IP address)  IN (0x0001)
Aug 5, 2022 11:59:19.683432102 CEST  8.8.8.8    192.168.2.7  0x9bdb    No error (0)  us2.smtp.mailhostbox.com         208.91.199.224  A (IP address)  IN (0x0001)
Aug 5, 2022 11:59:19.683432102 CEST  8.8.8.8    192.168.2.7  0x9bdb    No error (0)  us2.smtp.mailhostbox.com         208.91.199.225  A (IP address)  IN (0x0001)
Aug 5, 2022 11:59:19.683432102 CEST  8.8.8.8    192.168.2.7  0x9bdb    No error (0)  us2.smtp.mailhostbox.com         208.91.198.143  A (IP address)  IN (0x0001)
Timestamp                            Source Port  Dest Port  Source IP       Dest IP         Commands
Aug 5, 2022 11:59:23.267518044 CEST  587          49785      208.91.199.223  192.168.2.7     220 us2.outbound.mailhostbox.com ESMTP Postfix
Aug 5, 2022 11:59:23.267951012 CEST  49785        587        192.168.2.7     208.91.199.223  EHLO 124406
Aug 5, 2022 11:59:23.438460112 CEST  587          49785      208.91.199.223  192.168.2.7     250-us2.outbound.mailhostbox.com
                                                                                             250-PIPELINING
                                                                                             250-SIZE 41648128
                                                                                             250-VRFY
                                                                                             250-ETRN
                                                                                             250-STARTTLS
                                                                                             250-AUTH PLAIN LOGIN
                                                                                             250-AUTH=PLAIN LOGIN
                                                                                             250-ENHANCEDSTATUSCODES
                                                                                             250-8BITMIME
                                                                                             250-DSN
                                                                                             250 CHUNKING
Aug 5, 2022 11:59:23.438792944 CEST  49785        587        192.168.2.7     208.91.199.223  STARTTLS
Aug 5, 2022 11:59:23.609215975 CEST  587          49785      208.91.199.223  192.168.2.7     220 2.0.0 Ready to start TLS


                                                                                          Target ID:0
                                                                                          Start time:11:58:39
                                                                                          Start date:05/08/2022
                                                                                          Path:C:\Users\user\Desktop\WLmNdxIHr3.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\Desktop\WLmNdxIHr3.exe"
                                                                                          Imagebase:0xde0000
                                                                                          File size:797696 bytes
                                                                                          MD5 hash:BA7863B67930A109864139EFE3DA478E
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:.Net C# or VB.NET
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.418888252.000000000356E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.425147984.0000000004E77000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.425147984.0000000004E77000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.425147984.0000000004E77000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                          Reputation:low

                                                                                          Target ID:4
                                                                                          Start time:11:58:58
                                                                                          Start date:05/08/2022
                                                                                          Path:C:\Users\user\Desktop\WLmNdxIHr3.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Users\user\Desktop\WLmNdxIHr3.exe
                                                                                          Imagebase:0x830000
                                                                                          File size:797696 bytes
                                                                                          MD5 hash:BA7863B67930A109864139EFE3DA478E
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:.Net C# or VB.NET
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.408215753.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.408215753.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000004.00000000.408215753.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.637950282.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.637950282.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          Reputation:low


                                                                                            Execution Graph

                                                                                            Execution Coverage:15.4%
                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                            Signature Coverage:0%
                                                                                            Total number of Nodes:100
                                                                                            Total number of Limit Nodes:5
                                                                                            execution_graph 9004 1703df0 9005 1703e02 9004->9005 9006 1703e0e 9005->9006 9010 1704308 9005->9010 9015 17039b4 9006->9015 9008 1703e2d 9011 170432d 9010->9011 9019 17043f8 9011->9019 9023 1704408 9011->9023 9016 17039bf 9015->9016 9031 1707a18 9016->9031 9018 1707be3 9018->9008 9021 170442f 9019->9021 9020 170450c 9020->9020 9021->9020 9027 1703ffc 9021->9027 9025 170442f 9023->9025 9024 170450c 9024->9024 9025->9024 9026 1703ffc CreateActCtxA 9025->9026 9026->9024 9028 1705498 CreateActCtxA 9027->9028 9030 170555b 9028->9030 9032 1707a23 9031->9032 9035 1707a78 9032->9035 9034 1708495 9034->9018 9036 1707a83 9035->9036 9039 1708020 9036->9039 9038 170857a 9038->9034 9040 170802b 9039->9040 9043 1708050 9040->9043 9042 170866a 9042->9038 9044 170805b 9043->9044 9045 1708d7e 9044->9045 9050 170ab38 9044->9050 9046 1708dbc 9045->9046 9054 170cc80 9045->9054 9059 170cc70 9045->9059 9046->9042 9064 170ab70 9050->9064 9067 170ab5f 9050->9067 9051 170ab4e 9051->9045 9055 170cca1 9054->9055 9056 170ccc5 9055->9056 9091 170ce30 9055->9091 9095 170ce1f 9055->9095 9056->9046 9061 170cca1 9059->9061 9060 170ccc5 9060->9046 9061->9060 9062 170ce30 2 API calls 9061->9062 9063 170ce1f 2 API calls 9061->9063 9062->9060 9063->9060 9071 170ac68 9064->9071 9065 170ab7f 9065->9051 9068 170ab70 9067->9068 9070 170ac68 2 API calls 9068->9070 9069 170ab7f 9069->9051 9070->9069 9072 170ac7b 9071->9072 9073 170ac93 9072->9073 9079 170aef0 9072->9079 9083 170aee0 9072->9083 9073->9065 9074 170ac8b 9074->9073 9075 170ae90 GetModuleHandleW 9074->9075 9076 170aebd 9075->9076 9076->9065 9080 170af04 9079->9080 9082 170af29 9080->9082 9087 1709fe0 9080->9087 9082->9074 9084 170aef0 9083->9084 9085 170af29 9084->9085 9086 1709fe0 LoadLibraryExW 9084->9086 9085->9074 9086->9085 9088 170b0d0 LoadLibraryExW 9087->9088 9090 170b149 9088->9090 9090->9082 9092 170ce3d 9091->9092 9094 170ce77 9092->9094 9099 
170c2c4 9092->9099 9094->9056 9096 170ce3d 9095->9096 9097 170ce77 9096->9097 9098 170c2c4 2 API calls 9096->9098 9097->9056 9098->9097 9100 170c2cf 9099->9100 9101 170d768 9100->9101 9103 170c3ac 9100->9103 9104 170c3b7 9103->9104 9105 1708050 2 API calls 9104->9105 9108 170d7d7 9105->9108 9106 170d810 9106->9101 9109 170f568 9108->9109 9111 170f5e5 9109->9111 9112 170f599 9109->9112 9110 170f5a5 9110->9106 9111->9106 9112->9110 9113 170f9e8 LoadLibraryExW GetModuleHandleW 9112->9113 9114 170ac68 LoadLibraryExW GetModuleHandleW 9112->9114 9115 170ab38 LoadLibraryExW GetModuleHandleW 9112->9115 9113->9111 9114->9111 9115->9111 9116 170d170 DuplicateHandle 9117 170d206 9116->9117 9118 170fa30 9119 170fa5e 9118->9119 9120 1708050 2 API calls 9119->9120 9121 170fa94 9120->9121 9126 170cf48 GetCurrentProcess 9127 170cfc2 GetCurrentThread 9126->9127 9128 170cfbb 9126->9128 9129 170cff8 9127->9129 9130 170cfff GetCurrentProcess 9127->9130 9128->9127 9129->9130 9133 170d035 9130->9133 9131 170d05d GetCurrentThreadId 9132 170d08e 9131->9132 9133->9131

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32 ref: 0170CFA8
                                                                                            • GetCurrentThread.KERNEL32 ref: 0170CFE5
                                                                                            • GetCurrentProcess.KERNEL32 ref: 0170D022
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0170D07B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.414330987.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1700000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID: Current$ProcessThread
                                                                                            • String ID:
                                                                                            • API String ID: 2063062207-0
                                                                                            • Opcode ID: f0c641dcffe9a2fba6a2d22c62b40a8c937b90ba5a949644c7f897af7679a405
                                                                                            • Instruction ID: 1905c3408cfbcb8a5b32651c6b0beaf413c29b4045911173368be1422e9c7795
                                                                                            • Opcode Fuzzy Hash: f0c641dcffe9a2fba6a2d22c62b40a8c937b90ba5a949644c7f897af7679a405
                                                                                            • Instruction Fuzzy Hash: A25164B4904349CFEB15CFA9C648B9EBBF0BF48304F248469E419A7290D7346885CB65
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32 ref: 0170CFA8
                                                                                            • GetCurrentThread.KERNEL32 ref: 0170CFE5
                                                                                            • GetCurrentProcess.KERNEL32 ref: 0170D022
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0170D07B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.414330987.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1700000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID: Current$ProcessThread
                                                                                            • String ID:
                                                                                            • API String ID: 2063062207-0
                                                                                            • Opcode ID: b58299312a3cdd3909b0715474871ecb32ec46c9778bc54c7afda8582de321df
                                                                                            • Instruction ID: d69acfcf4a301ffe76461df4162dd19b1d5c0bdbcdb27400f75fa3c9d6c75d22
                                                                                            • Opcode Fuzzy Hash: b58299312a3cdd3909b0715474871ecb32ec46c9778bc54c7afda8582de321df
                                                                                            • Instruction Fuzzy Hash: 675153B4900349CFEB14CFAAC648BDEFBF1AF48314F248469E419A7290CB346885CB65
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0170AEAE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.414330987.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1700000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID: HandleModule
                                                                                            • String ID:
                                                                                            • API String ID: 4139908857-0
                                                                                            • Opcode ID: 41e515f70a1551d5d1fb02b5bdd13b36dd3e5906e607d4beb015a290300c0970
                                                                                            • Instruction ID: 15ee15ef8be98860c73d0af26ad152e95a35bb77b8dd25fa3446127ce3d6abe5
                                                                                            • Opcode Fuzzy Hash: 41e515f70a1551d5d1fb02b5bdd13b36dd3e5906e607d4beb015a290300c0970
                                                                                            • Instruction Fuzzy Hash: 3D712270A00B059FD725DF2AC44475AFBF5BF88204F008A2ED58ADBA84DB74E845CB91
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph (graph not rendered; entry block 1703ffc-1705559 calls CreateActCtxA)

                                                                                            APIs
                                                                                            • CreateActCtxA.KERNEL32(?), ref: 01705549
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.414330987.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1700000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID: Create
                                                                                            • String ID:
                                                                                            • API String ID: 2289755597-0
                                                                                            • Opcode ID: abeeb315181ea9230480ba85c565e81fd5702b785605b78d01d318b3794e32b6
                                                                                            • Instruction ID: f226b6d133b95bab592e7120d5dd939450b93f76e6039094d769f5221c518516
                                                                                            • Opcode Fuzzy Hash: abeeb315181ea9230480ba85c565e81fd5702b785605b78d01d318b3794e32b6
                                                                                            • Instruction Fuzzy Hash: 4341D271C04719CFDB24DFA9C944B8EFBB6BF48305F20806AD509AB251DBB55945CF90
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph (graph not rendered; entry block 170d170-170d204 calls DuplicateHandle)

                                                                                            APIs
                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0170D1F7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.414330987.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1700000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID: DuplicateHandle
                                                                                            • String ID:
                                                                                            • API String ID: 3793708945-0
                                                                                            • Opcode ID: 30f34bcaea2ac486dd8e2ce9c8acad7acaa13c4729627f9ed5b6da239a86a2ff
                                                                                            • Instruction ID: a657724792b35d36f9cc7aaee93e718683b10c0b85e96bac697ff2351c0d1e8d
                                                                                            • Opcode Fuzzy Hash: 30f34bcaea2ac486dd8e2ce9c8acad7acaa13c4729627f9ed5b6da239a86a2ff
                                                                                            • Instruction Fuzzy Hash: 3221E3B59002489FDB10CF9AD884BDEFFF8EB48320F14841AE914A3250C374A954CFA1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph (graph not rendered; entry block 170d16a-170d204 calls DuplicateHandle)

                                                                                            APIs
                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0170D1F7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.414330987.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1700000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID: DuplicateHandle
                                                                                            • String ID:
                                                                                            • API String ID: 3793708945-0
                                                                                            • Opcode ID: e85d243b90b00b2379dc335d85eda094e8412707b9dfacfab9895ec151506ba7
                                                                                            • Instruction ID: da609ebc0e5a6ad2cfe841486c2deea2d4ff9dea6b3332de8e08b0c951e5d684
                                                                                            • Opcode Fuzzy Hash: e85d243b90b00b2379dc335d85eda094e8412707b9dfacfab9895ec151506ba7
                                                                                            • Instruction Fuzzy Hash: A221E0B5D00248DFDB10CFAAD984BDEFBF4AB48324F15841AE914A3350D378A954CFA1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph (graph not rendered; entry block 1709fe0-170b110, block 170b118-170b147 calls LoadLibraryExW)

                                                                                            APIs
                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0170AF29,00000800,00000000,00000000), ref: 0170B13A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.414330987.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1700000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID: LibraryLoad
                                                                                            • String ID:
                                                                                            • API String ID: 1029625771-0
                                                                                            • Opcode ID: 910aa43397161741e418f15e52adb006d5f9d6ed0a8a904f57408e6a84ee97c3
                                                                                            • Instruction ID: bc1e34d8df5e143dec0a6c56fa9eaf1e9077255baffe4e9e44eb31cbfbef366e
                                                                                            • Opcode Fuzzy Hash: 910aa43397161741e418f15e52adb006d5f9d6ed0a8a904f57408e6a84ee97c3
                                                                                            • Instruction Fuzzy Hash: 4011F2B69043099BDB10CF9AC444B9EFBF4AB88324F14842AE519A7240C374A545CFA5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph (graph not rendered; entry block 170b0c8-170b110, block 170b118-170b147 calls LoadLibraryExW)

                                                                                            APIs
                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0170AF29,00000800,00000000,00000000), ref: 0170B13A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.414330987.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1700000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID: LibraryLoad
                                                                                            • String ID:
                                                                                            • API String ID: 1029625771-0
                                                                                            • Opcode ID: 63e6eb47f2f7230faf64f017dc025606a068d3d9d3e20e33107e84b5c92e8e2e
                                                                                            • Instruction ID: 7b7a9399f47e2c48b6712813459846878006688e721078639dd0471add099332
                                                                                            • Opcode Fuzzy Hash: 63e6eb47f2f7230faf64f017dc025606a068d3d9d3e20e33107e84b5c92e8e2e
                                                                                            • Instruction Fuzzy Hash: 521103B69043499FDB11CF9AC848BDEFBF4AB89714F14842AE515A7240C374A545CFA1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph (graph not rendered; entry block 170ae48-170ae88, block 170ae90-170aebb calls GetModuleHandleW)

                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0170AEAE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.414330987.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1700000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID: HandleModule
                                                                                            • String ID:
                                                                                            • API String ID: 4139908857-0
                                                                                            • Opcode ID: ea7a7cff276533acf5d52598662a15f72b82956efa64dbf4791a38831c3d59c5
                                                                                            • Instruction ID: 6f739a46420d6ac7c1e3969d7156bb199021cda209123302f0e4ddaaf56a8971
                                                                                            • Opcode Fuzzy Hash: ea7a7cff276533acf5d52598662a15f72b82956efa64dbf4791a38831c3d59c5
                                                                                            • Instruction Fuzzy Hash: FD11E0B5C003498FDB10CF9AC444BDFFBF4AB88224F14852AD919A7640C378A945CFA1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.413869169.000000000165D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0165D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_165d000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 262bf455f31843a90625b4fda8375af28adc3679d321333530cd6d58337fff02
                                                                                            • Instruction ID: 7ecd0ca8e7dbda216006c12196306f2de8f2cb091d45eb96093371a88655e070
                                                                                            • Opcode Fuzzy Hash: 262bf455f31843a90625b4fda8375af28adc3679d321333530cd6d58337fff02
                                                                                            • Instruction Fuzzy Hash: A321D675504240DFDB45CF94DDC0B2ABB65FB88364F24C569EE054B386C33AD856CBA1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.413869169.000000000165D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0165D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_165d000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0845c38fd1aca3523873f1ca30faff4430dc4635baf4465fa9617728a51b8c7f
                                                                                            • Instruction ID: 2306c3f0a5c26a08084d3546e6a6fe891b5f6ce3e3028326a07ec3808e7a7bfd
                                                                                            • Opcode Fuzzy Hash: 0845c38fd1aca3523873f1ca30faff4430dc4635baf4465fa9617728a51b8c7f
                                                                                            • Instruction Fuzzy Hash: 3E21C1B1504244DFDB45DF94D9C0B2ABF66FB8832CF248569ED054B386C336D856CAA2
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.413923427.000000000166D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0166D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_166d000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7f0a8a4b30fa212bc3e8dee59b38fe0518d70bb972d1721e4cd05b2e9d432138
                                                                                            • Instruction ID: f65db0485fb1bccd8d4a8d8c7151da4dff8b778658671d37a1a1ced57f6bd9b0
                                                                                            • Opcode Fuzzy Hash: 7f0a8a4b30fa212bc3e8dee59b38fe0518d70bb972d1721e4cd05b2e9d432138
                                                                                            • Instruction Fuzzy Hash: 132107B1604244EFDB05CF94D9C0B26BB6DFB84324F24C6ADDA894B346C77AD846CA61
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.413923427.000000000166D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0166D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_166d000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e93e6dae0830a9987578e3eb2de731c2ae5045326483f3e5bb289d8d191b41dd
                                                                                            • Instruction ID: af4f3802397708a48964e5b2594c60db2156e16df5e7b6b566d0f6792d2a2aee
                                                                                            • Opcode Fuzzy Hash: e93e6dae0830a9987578e3eb2de731c2ae5045326483f3e5bb289d8d191b41dd
                                                                                            • Instruction Fuzzy Hash: B2213775604240DFDB15CF64D8C0B26BB69FB84354F24C569D98A4B346C33BD847CA61
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.413869169.000000000165D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0165D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_165d000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 49b92d4b7f3bb37c30dae3e06af5016396b77cc37924594c503171f3577736fa
                                                                                            • Instruction ID: d29e2271a406e21b0bab9edb59e8f72e50f4de23787a72aba601d9a41ae05cdf
                                                                                            • Opcode Fuzzy Hash: 49b92d4b7f3bb37c30dae3e06af5016396b77cc37924594c503171f3577736fa
                                                                                            • Instruction Fuzzy Hash: 3C219D76404280DFDB46CF54D9C4B16BF72FB88320F28C6A9DD450A65AC33AD456CBA1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.413869169.000000000165D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0165D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_165d000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8d778767f53fd0a6c663cb8d613203c36db215e48ccc3c7032546bce1bc62798
                                                                                            • Instruction ID: 054db3126a0cddd667e7da416a5e65fd1ce71dca69f2ec5934df9915c8445279
                                                                                            • Opcode Fuzzy Hash: 8d778767f53fd0a6c663cb8d613203c36db215e48ccc3c7032546bce1bc62798
                                                                                            • Instruction Fuzzy Hash: 8511B176404280CFDB02CF54D9C4B16BF72FB84328F2886A9DC450B756C33AD456CBA2
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.413923427.000000000166D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0166D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_166d000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 06a7eb2830fe3889e456d27655020f58fd7942a7660a67a9db2bbc7502f19bed
                                                                                            • Instruction ID: ebbf836cc226f6a0da65943f4cbb755a2de27235a6b7428decb744a29f057102
                                                                                            • Opcode Fuzzy Hash: 06a7eb2830fe3889e456d27655020f58fd7942a7660a67a9db2bbc7502f19bed
                                                                                            • Instruction Fuzzy Hash: 22118E75504280DFDB12CF54D9D4B15BB71FB84314F28C6AAD8894B756C33AD44ACB61
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.413923427.000000000166D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0166D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_166d000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 06a7eb2830fe3889e456d27655020f58fd7942a7660a67a9db2bbc7502f19bed
                                                                                            • Instruction ID: aa26d186a68be81edf3378b5b944e959b0e384377d4b21fca4f8a8ea590ae147
                                                                                            • Opcode Fuzzy Hash: 06a7eb2830fe3889e456d27655020f58fd7942a7660a67a9db2bbc7502f19bed
                                                                                            • Instruction Fuzzy Hash: 0411BB75A04280DFCB12CF54C9C4B15BBB5FB84224F28C6AAD9894B756C33AD44ACB61
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.413869169.000000000165D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0165D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_165d000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 07e7c6d78dc8717c4a3bd87d6b9f2c87f6d2f34c185121e10467bbd73bf12dd8
                                                                                            • Instruction ID: d85ca70d101cbf7cb3f73a70e9f050087942003a416cef771f1823f1568d7791
                                                                                            • Opcode Fuzzy Hash: 07e7c6d78dc8717c4a3bd87d6b9f2c87f6d2f34c185121e10467bbd73bf12dd8
                                                                                            • Instruction Fuzzy Hash: 6601A271509380AAE7519A66CC84B76FBD8EF41664F18C45AEE045B3C6C379E844C6B1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.413869169.000000000165D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0165D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_165d000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 03c61e2393e9a69698391672e834cb5e117ed43fc0dc8a081e6fd371e276c981
                                                                                            • Instruction ID: 2aceb31e57982cf9d9f9bf5cb6826dbfebe23bab31c99964c8038fb14b02b987
                                                                                            • Opcode Fuzzy Hash: 03c61e2393e9a69698391672e834cb5e117ed43fc0dc8a081e6fd371e276c981
                                                                                            • Instruction Fuzzy Hash: E1F06275404394AEE7518A1ACC84B76FFA8EF41634F18C45AED485B396C3799844CAB1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Execution Graph

                                                                                            Execution Coverage: 16.8%
                                                                                            Dynamic/Decrypted Code Coverage: 100%
                                                                                            Signature Coverage: 0%
                                                                                            Total number of Nodes: 64
                                                                                            Total number of Limit Nodes: 2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.637498036.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_2b50000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID: LibraryLoad
                                                                                            • String ID:
                                                                                            • API String ID: 1029625771-0
                                                                                            • Opcode ID: 589eed6d07aa3f9732a5630863d842c6ff01ef281bb4276c580f3b3ec35af059
                                                                                            • Instruction ID: 6897dffeb57565354a2b9abecc47c6b1bc7f26a3026ee195811cf595ee7971c8
                                                                                            • Opcode Fuzzy Hash: 589eed6d07aa3f9732a5630863d842c6ff01ef281bb4276c580f3b3ec35af059
                                                                                            • Instruction Fuzzy Hash: 25E2D871904229DFDB64DF64D990BDDBBB2EF88308F5189E6C609AB264DF305A81CF50
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.644331840.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_5d60000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 22c300b60ca24164b4d869a25a6909b7b94dbed9a50b0e7085374a196d18b0b7
                                                                                            • Instruction ID: a326b916795f57d60dc9160f26e52439ebfc864d7d1c026750761a0edff9025b
                                                                                            • Opcode Fuzzy Hash: 22c300b60ca24164b4d869a25a6909b7b94dbed9a50b0e7085374a196d18b0b7
                                                                                            • Instruction Fuzzy Hash: A2726F70A041199FDB14DFA8C844AAEBBF2FF89304F15856AE946EB361DB34DD42CB50
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.644331840.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_5d60000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c95330169fc8a9abfb7143e82c1f94848208e6873602c2002311ffc93974af3f
                                                                                            • Instruction ID: ea30652e38b50f56abafbce614016854a258c3550993485c36c4e2611cdf68f2
                                                                                            • Opcode Fuzzy Hash: c95330169fc8a9abfb7143e82c1f94848208e6873602c2002311ffc93974af3f
                                                                                            • Instruction Fuzzy Hash: AE823D70A15605DFCB24CF68C984EAEBBF2BF88314F15855AE485EB261D730ED42CB51
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.644331840.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_5d60000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 66fffe02e49c9c3540844cf7ec279686eb587e66de437bf03203b24d7335b93c
                                                                                            • Instruction ID: 1e9bf071a17456db8c472b0a2c312df7f00416f0fc2ea3ce41cc31ff881b8ed3
                                                                                            • Opcode Fuzzy Hash: 66fffe02e49c9c3540844cf7ec279686eb587e66de437bf03203b24d7335b93c
                                                                                            • Instruction Fuzzy Hash: 7C220230B006169FDB14EBB4D854BAEB7E3AFC5204F15846AE51AEF394DB349C02CB91
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.637498036.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_2b50000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 746db3b7a47ead3a1124b1aa96ccf8764562a7090b270f4af24c26314814f48f
                                                                                            • Instruction ID: 86247d24d0cba43570c8de6f20f479ded080f6c1cc37414137d6ad74d8909e55
                                                                                            • Opcode Fuzzy Hash: 746db3b7a47ead3a1124b1aa96ccf8764562a7090b270f4af24c26314814f48f
                                                                                            • Instruction Fuzzy Hash: E5B14D70E002298FDB10CFA9D8857AEFBF2FF89308F148169D815AB694DB749845CF91
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.637498036.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_2b50000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: eb8d0562cfe12102d8170561572db4c45b0d50e98763374c0fc5cea877eb7128
                                                                                            • Instruction ID: 043e44e675a1050c1d3cc135ee7fd66df5e1b60d93fe7aa91139fdf2d8365306
                                                                                            • Opcode Fuzzy Hash: eb8d0562cfe12102d8170561572db4c45b0d50e98763374c0fc5cea877eb7128
                                                                                            • Instruction Fuzzy Hash: CF915170E002198FDB10CFA9C9857ADFBF2EF89308F148169E805AB654DB749886CB91
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 05D6715B
                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 05D672FC
                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 05D674F1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.644331840.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_5d60000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID: DispatcherExceptionUser
                                                                                            • String ID:
                                                                                            • API String ID: 6842923-0
                                                                                            • Opcode ID: 7e8a4f5450f29ba5dcf4ca3198289efe753d36b868f8e5c00b623ef4b94f6f18
                                                                                            • Instruction ID: 1ee04bccb8f5105442664aed039eafdc1b99c1f6b58ed1598d1654053397ab13
                                                                                            • Opcode Fuzzy Hash: 7e8a4f5450f29ba5dcf4ca3198289efe753d36b868f8e5c00b623ef4b94f6f18
                                                                                            • Instruction Fuzzy Hash: 7B027475901369CFCB65DB34D88D699BBB2FF4930AF1041DAD44AA2350CB3A9E82CF51
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 144 5d67446-5d67d6a KiUserExceptionDispatcher call 5d6f1b8 243 5d67d70-5d67db5 144->243
                                                                                            APIs
                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 05D674F1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.644331840.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_5d60000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID: DispatcherExceptionUser
                                                                                            • String ID:
                                                                                            • API String ID: 6842923-0
                                                                                            • Opcode ID: f0532cc7a849061cab177bce4e1de99b3784ab97a8c79aa0ba3260ee9cc93611
                                                                                            • Instruction ID: f72fb121ba547a2e47bb9694ba6b81691940bb5e60d61c41f1abcaeaac6d9619
                                                                                            • Opcode Fuzzy Hash: f0532cc7a849061cab177bce4e1de99b3784ab97a8c79aa0ba3260ee9cc93611
                                                                                            • Instruction Fuzzy Hash: A2D18335901369CFCB65DB34D88D699BBB2FF4930AF1041DAD44AA2350DB3A9E82CF51
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 247 5d6748d-5d67d6a KiUserExceptionDispatcher call 5d6f1b8 343 5d67d70-5d67db5 247->343
                                                                                            APIs
                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 05D674F1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.644331840.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_5d60000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID: DispatcherExceptionUser
                                                                                            • String ID:
                                                                                            • API String ID: 6842923-0
                                                                                            • Opcode ID: b1ec8130397cc9d32af3654962ef8b705a48aa57b40f90365f90ab3a6af36af6
                                                                                            • Instruction ID: ffee477831a20bbdccd13c40d809ab7f0fbecd1485d383c2a10836e6916b303f
                                                                                            • Opcode Fuzzy Hash: b1ec8130397cc9d32af3654962ef8b705a48aa57b40f90365f90ab3a6af36af6
                                                                                            • Instruction Fuzzy Hash: D2C19335901369CFCB65DB34D88D699BBB2FF4930AF1041DAD44AA2350CB3A9E81CF51
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph
                                                                                            • Graph image not reproduced; recoverable structure: block 5d674d4-5d67d6a (KiUserExceptionDispatcher, call 5d6f1b8) -> block 5d67d70-5d67db5
                                                                                            APIs
                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 05D674F1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.644331840.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_5d60000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID: DispatcherExceptionUser
                                                                                            • String ID:
                                                                                            • API String ID: 6842923-0
                                                                                            • Opcode ID: 21793ca06b065cbcb1916b1922bacee8b67d1d3c362f62cdcee035b885a10625
                                                                                            • Instruction ID: 7985a229ebf8c56a6c3c4650f20ad5a3c4f303b30d4a7fa8bb166c495162fa1b
                                                                                            • Opcode Fuzzy Hash: 21793ca06b065cbcb1916b1922bacee8b67d1d3c362f62cdcee035b885a10625
                                                                                            • Instruction Fuzzy Hash: 26C19335905369CFCB65EB34D88D699BBB2FF4530AF1041DAD44AA2350CB3A9E82CF51
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph
                                                                                            • Graph image not reproduced; recoverable structure: basic blocks 2b5c8e4 through 2b5ca15; LoadLibraryA is called in block 2b5c980-2b5c9ca; self-loops in blocks 2b5c967-2b5c976 and 2b5ca15
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNELBASE(?), ref: 02B5C9BA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.637498036.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_2b50000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID: LibraryLoad
                                                                                            • String ID:
                                                                                            • API String ID: 1029625771-0
                                                                                            • Opcode ID: b87b2dbe89c996f3881b325d1613ce6886273083c205c62dbe3801d59c762dd1
                                                                                            • Instruction ID: 858e598f6300817976713d4073b203646012bd5c5e284b5acfecca04ae67a814
                                                                                            • Opcode Fuzzy Hash: b87b2dbe89c996f3881b325d1613ce6886273083c205c62dbe3801d59c762dd1
                                                                                            • Instruction Fuzzy Hash: 173134B1D003598FDB15CFA8C48579EBFB2EB08314F14856AE856AB280D7749481CF96
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph
                                                                                            • Graph image not reproduced; recoverable structure: basic blocks 2b59dc0 through 2b5ca15 (entry block 2b59dc0-2b5c947); LoadLibraryA is called in block 2b5c980-2b5c9ca; self-loops in blocks 2b5c967-2b5c976 and 2b5ca15
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNELBASE(?), ref: 02B5C9BA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.637498036.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_2b50000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID: LibraryLoad
                                                                                            • String ID:
                                                                                            • API String ID: 1029625771-0
                                                                                            • Opcode ID: bec2761fb05376fc6d8cc039aa431d789f1aa14199059cde89cefa125d568d04
                                                                                            • Instruction ID: eec10dd820635028052b6496458da4a510302d150e739fe444b26995cfc9c935
                                                                                            • Opcode Fuzzy Hash: bec2761fb05376fc6d8cc039aa431d789f1aa14199059cde89cefa125d568d04
                                                                                            • Instruction Fuzzy Hash: 6A3125B0D003699FDB14CFA9C48579EBFF2FB08314F14856AE855AB280D7789445CF95
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph
                                                                                            • Graph image not reproduced; recoverable structure: basic blocks 2b54f1f through 2b55039; block 2b54f2a-2b54f3e calls 2b54838, block 2b54f4e-2b54f66 calls 2b54a88, block 2b54f8f-2b54fb8 calls 2b54da0 and 2b54df8; RtlEncodePointer is called in block 2b54fcd-2b54ffe
                                                                                            APIs
                                                                                            • RtlEncodePointer.NTDLL(00000000), ref: 02B54FED
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.637498036.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_2b50000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID: EncodePointer
                                                                                            • String ID:
                                                                                            • API String ID: 2118026453-0
                                                                                            • Opcode ID: 95ac75a5f7fba2b5e26d9c4bdfa62c8bf56fc6deca347efd5d676a5bf4f26e06
                                                                                            • Instruction ID: 7eabc0c2519f7572ae52f805c7603068e780edd51a847e18fb41ef7a9b3e7fc8
                                                                                            • Opcode Fuzzy Hash: 95ac75a5f7fba2b5e26d9c4bdfa62c8bf56fc6deca347efd5d676a5bf4f26e06
                                                                                            • Instruction Fuzzy Hash: 42218C708153548FDB60DFA8D4493ADBBF4FB49318F10445AE808EB241DB799584CFA1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph
                                                                                            • Graph image not reproduced; recoverable structure: basic blocks 2b54cbb through 2b54d8e; RtlEncodePointer is called in block 2b54d22-2b54d53
                                                                                            APIs
                                                                                            • RtlEncodePointer.NTDLL(00000000), ref: 02B54D42
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.637498036.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_2b50000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID: EncodePointer
                                                                                            • String ID:
                                                                                            • API String ID: 2118026453-0
                                                                                            • Opcode ID: 00baf93802d72543cf2eec9ac908a5d066749db3a995787f03a5ebbe25eacea4
                                                                                            • Instruction ID: 1f4a4cc8a9271ed976bc82df09fe79c3e5ba13a7d3980e4bf45633a89e7d5e7b
                                                                                            • Opcode Fuzzy Hash: 00baf93802d72543cf2eec9ac908a5d066749db3a995787f03a5ebbe25eacea4
                                                                                            • Instruction Fuzzy Hash: A3219AB19013458FDB50DFA9D50839EBBF4FB49318F148469D808F7680D778A444CFA1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph
                                                                                            • Graph image not reproduced; recoverable structure: basic blocks 2b54cc8 through 2b54d8e; RtlEncodePointer is called in block 2b54d22-2b54d53
                                                                                            APIs
                                                                                            • RtlEncodePointer.NTDLL(00000000), ref: 02B54D42
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.637498036.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_2b50000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID: EncodePointer
                                                                                            • String ID:
                                                                                            • API String ID: 2118026453-0
                                                                                            • Opcode ID: 3ebb4d81f769db60b6d524f3600e056b2640c91d99d6c6c553a734890d32b98e
                                                                                            • Instruction ID: 17f9d1bead84651f3b4f7d4df3298dc706ca0dee0c55c96aba62183e504e6bf9
                                                                                            • Opcode Fuzzy Hash: 3ebb4d81f769db60b6d524f3600e056b2640c91d99d6c6c553a734890d32b98e
                                                                                            • Instruction Fuzzy Hash: 94119AB19013558FDB50DFA9D50879EBFF4EB49314F108469D804F7680DB786884CFA1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.637056032.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_10ad000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c7bb2f6d37e1812e159258cfdd3ca48058789495c2f2b071b2f6fd4efdc90c3b
                                                                                            • Instruction ID: d61de8bd2f9f17e84c93ff9a999259ac00e04eafde229f4baf10093a1f98a7a9
                                                                                            • Opcode Fuzzy Hash: c7bb2f6d37e1812e159258cfdd3ca48058789495c2f2b071b2f6fd4efdc90c3b
                                                                                            • Instruction Fuzzy Hash: B8214CB1504204DFDB05CFE4D9C4B1ABFA5FB88328F6485A9D9854B606C336D856CBA1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.637056032.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_10ad000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4a347759418fe704f36d89d1640f3ff90cccab83c4d72056d4b74b2c5172b9aa
                                                                                            • Instruction ID: 6c245414dcd4def2fe2241304f3e36ab2f098e9eeec739e72c6f9de7e96b1fe7
                                                                                            • Opcode Fuzzy Hash: 4a347759418fe704f36d89d1640f3ff90cccab83c4d72056d4b74b2c5172b9aa
                                                                                            • Instruction Fuzzy Hash: DF2148B1504200DFDB01DFD4C8C0B6ABBA5FB84324F64C6A9E9894B607C73AE846C7A1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.637138075.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_10bd000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d8598af5bdc4c77d7a34af715e118eaed6eb2eed5ce248439fde358b251acab0
                                                                                            • Instruction ID: 23040d3d9044f086c902b156bb1fb5b8d20e221bd2824ac5851903aedaeb818f
                                                                                            • Opcode Fuzzy Hash: d8598af5bdc4c77d7a34af715e118eaed6eb2eed5ce248439fde358b251acab0
                                                                                            • Instruction Fuzzy Hash: 89210775604204DFDB05CF24D9C4BA6BBA5FB84314F24C9A9D9894B346CB3ED846CB61
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.637056032.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_10ad000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8d778767f53fd0a6c663cb8d613203c36db215e48ccc3c7032546bce1bc62798
                                                                                            • Instruction ID: 11e410d851fca6e12fedc861f4c11127d1b168bdd7e895aa1bc20865d5ea1397
                                                                                            • Opcode Fuzzy Hash: 8d778767f53fd0a6c663cb8d613203c36db215e48ccc3c7032546bce1bc62798
                                                                                            • Instruction Fuzzy Hash: 2B11D376404280CFCB12CF54D5C4B16BFB1FB84324F2886A9D8850B617C33AD456CBA1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.637056032.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_10ad000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8d778767f53fd0a6c663cb8d613203c36db215e48ccc3c7032546bce1bc62798
                                                                                            • Instruction ID: 25ffb08399f7844f06b2a81db96c541c0e63087a4e699cc0ca4ad3fb77dc557c
                                                                                            • Opcode Fuzzy Hash: 8d778767f53fd0a6c663cb8d613203c36db215e48ccc3c7032546bce1bc62798
                                                                                            • Instruction Fuzzy Hash: F211D376404280DFCB12CF54D5C4B56BFB2FB84320F28C6A9D8494BA17C33AE456CBA1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.637138075.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_10bd000_WLmNdxIHr3.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 06a7eb2830fe3889e456d27655020f58fd7942a7660a67a9db2bbc7502f19bed
                                                                                            • Instruction ID: 1fab38e1a5b6f984a8416b4713b3f03d14e40e60d3bca128c0a422d39b4b1063
                                                                                            • Opcode Fuzzy Hash: 06a7eb2830fe3889e456d27655020f58fd7942a7660a67a9db2bbc7502f19bed
                                                                                            • Instruction Fuzzy Hash: 0E118B79504280DFDB52CF14D5C4B95BFA1FB84324F28C6AAD8894B656C33AD44ACB61
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%