
Windows Analysis Report
rZ3LaKxraF

Overview

General Information

Sample Name: rZ3LaKxraF (renamed file extension from none to exe)
Analysis ID: 679204
MD5: f8b7ccfaa25ad7547501496c248c178e
SHA1: aae29f7ef62d5329c27c2040ed573d0ddc9a522e
SHA256: 42638e51cd3eff415ce751e700d233596988fd51ffba584b18dd2e78ec07bc2b
Tags: exe, RemcosRAT

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected Remcos RAT
Antivirus / Scanner detection for submitted sample
Detected Remcos RAT
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • rZ3LaKxraF.exe (PID: 6412 cmdline: "C:\Users\user\Desktop\rZ3LaKxraF.exe" MD5: F8B7CCFAA25AD7547501496C248C178E)
    • schtasks.exe (PID: 6684 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ohnfNTVBamkg" /XML "C:\Users\user\AppData\Local\Temp\tmpC7FE.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rZ3LaKxraF.exe (PID: 6800 cmdline: {path} MD5: F8B7CCFAA25AD7547501496C248C178E)
    • rZ3LaKxraF.exe (PID: 6856 cmdline: {path} MD5: F8B7CCFAA25AD7547501496C248C178E)
  • cleanup
{"Host:Port:Password": "37.120.210.219:3398:kehinde#2020|", "Assigned name": "jd", "Connect interval": "5", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "remcos", "Hide file": "Disable", "Mutex": "remcos_enhatfsgar", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screens", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "audio", "Connect delay": "0", "Copy folder": "remcos", "Keylog folder": "vbmcdsb"}
Source: 00000007.00000002.614442968.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp | Rule: Remcos | Description: detect Remcos in memory | Author: JPCERT/CC Incident Response Group
  • 0xb7c8c:$remcos: Remcos
  • 0xb8500:$remcos: Remcos
  • 0xb8538:$url: Breaking-Security.Net
  • 0xbcd42:$resource: SETTINGS
Source: 00000007.00000000.399658714.0000000000410000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security

Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe | Author: ditekSHen
  • 0x10738:$s1: \Classes\mscfile\shell\open\command
  • 0x10720:$s2: eventvwr.exe
Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack | Rule: Remcos_1 | Description: Remcos Payload | Author: kevoreilly
  • 0x11034:$name: Remcos
  • 0x118a8:$name: Remcos
  • 0x118fb:$name: REMCOS
  • 0x10688:$time: %02i:%02i:%02i:%03i
  • 0x11320:$time: %02i:%02i:%02i:%03i
  • 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack | Rule: Remcos | Description: detect Remcos in memory | Author: JPCERT/CC Incident Response Group
  • 0x11034:$remcos: Remcos
  • 0x118a8:$remcos: Remcos
  • 0x118e0:$url: Breaking-Security.Net
  • 0x160ea:$resource: SETTINGS
Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  • 0x114dc:$funcs1: autogetofflinelogs
  • 0x114c0:$funcs2: clearlogins
  • 0x114f0:$funcs3: getofflinelogs
  • 0x11578:$funcs4: execcom
  • 0x114cc:$funcs5: deletekeylog
  • 0x11798:$funcs6: remscriptexecd
  • 0x115bc:$funcs7: getwindows
  • 0x10da0:$funcs8: fundlldata
  • 0x10d78:$funcs9: getfunlib
  • 0x107ec:$funcs10: autofflinelogs
  • 0x113b8:$funcs11: getclipboard
  • 0x114b4:$funcs12: getscrslist
  • 0x107e0:$funcs13: offlinelogs
  • 0x105c8:$funcs14: getcamsingleframe
  • 0x116e4:$funcs15: listfiles
  • 0x115e0:$funcs16: getproclist
  • 0x10828:$funcs17: onlinelogs
  • 0x11700:$funcs18: getdrives
  • 0x11784:$funcs19: remscriptsuccess
  • 0x10600:$funcs20: getcamframe
  • 0x1115c:$str_a1: C:\Windows\System32\cmd.exe

No Sigma rule has matched

Timestamp: 08/05/22-12:03:58.881678
SID: 2841134
Source IP: 192.168.2.7
Source Port: 49774
Destination IP: 37.120.210.219
Destination Port: 3398
Protocol: TCP
Classtype: A Network Trojan was detected


            AV Detection

Source: rZ3LaKxraF.exe | ReversingLabs: Detection: 47%
Source: Yara match | File source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.rZ3LaKxraF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rZ3LaKxraF.exe.43cfc58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rZ3LaKxraF.exe.4367c38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.614442968.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.399658714.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rZ3LaKxraF.exe PID: 6412, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rZ3LaKxraF.exe PID: 6856, type: MEMORYSTR
Source: rZ3LaKxraF.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\ohnfNTVBamkg.exe | Avira: detection malicious, Label: HEUR/AGEN.1208404
Source: C:\Users\user\AppData\Roaming\ohnfNTVBamkg.exe | ReversingLabs: Detection: 47%
Source: rZ3LaKxraF.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ohnfNTVBamkg.exe | Joe Sandbox ML: detected
Source: 00000007.00000002.614442968.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "37.120.210.219:3398:kehinde#2020|", "Assigned name": "jd", "Connect interval": "5", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "remcos", "Hide file": "Disable", "Mutex": "remcos_enhatfsgar", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screens", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "audio", "Connect delay": "0", "Copy folder": "remcos", "Keylog folder": "vbmcdsb"}
Source: rZ3LaKxraF.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: rZ3LaKxraF.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (0_2_0312CA48)

            Networking

Source: Traffic | Snort IDS: 2841134 ETPRO TROJAN Win32/Remcos RAT Checkin 348 192.168.2.7:49774 -> 37.120.210.219:3398
Source: Yara match | File source: 0.2.rZ3LaKxraF.exe.4367c38.3.raw.unpack, type: UNPACKEDPE
Source: Malware configuration extractor | URLs: 37.120.210.219
Source: Joe Sandbox View | ASN Name: M247GB M247GB
Source: global traffic | TCP traffic: 192.168.2.7:49774 -> 37.120.210.219:3398
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

            Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\rZ3LaKxraF.exe
Source: rZ3LaKxraF.exe, 00000000.00000002.403374289.00000000015C9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            E-Banking Fraud

Source: Yara match | File source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.rZ3LaKxraF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rZ3LaKxraF.exe.43cfc58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rZ3LaKxraF.exe.4367c38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.614442968.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.399658714.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rZ3LaKxraF.exe PID: 6412, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rZ3LaKxraF.exe PID: 6856, type: MEMORYSTR

            System Summary

            Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack, type: UNPACKEDPEMatched rule: Remcos Payload Author: kevoreilly
            Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack, type: UNPACKEDPEMatched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
            Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 0.2.rZ3LaKxraF.exe.33b18cc.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
            Source: 7.0.rZ3LaKxraF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 7.0.rZ3LaKxraF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Remcos Payload Author: kevoreilly
            Source: 7.0.rZ3LaKxraF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
            Source: 7.0.rZ3LaKxraF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.raw.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.raw.unpack, type: UNPACKEDPEMatched rule: Remcos Payload Author: kevoreilly
            Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
            Source: 0.2.rZ3LaKxraF.exe.4367c38.3.raw.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 0.2.rZ3LaKxraF.exe.4367c38.3.raw.unpack, type: UNPACKEDPEMatched rule: Remcos Payload Author: kevoreilly
            Source: 0.2.rZ3LaKxraF.exe.4367c38.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
            Source: rZ3LaKxraF.exe, frmMainForm.csLong String: Length: 20037
            Source: ohnfNTVBamkg.exe.0.dr, frmMainForm.csLong String: Length: 20037
            Source: 0.0.rZ3LaKxraF.exe.f00000.0.unpack, frmMainForm.csLong String: Length: 20037
            Source: rZ3LaKxraF.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
            Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack, type: UNPACKEDPEMatched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
            Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.rZ3LaKxraF.exe.33b18cc.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
            Source: 7.0.rZ3LaKxraF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 7.0.rZ3LaKxraF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
            Source: 7.0.rZ3LaKxraF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
            Source: 7.0.rZ3LaKxraF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
            Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.raw.unpack, type: UNPACKEDPEMatched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
            Source: 0.2.rZ3LaKxraF.exe.4367c38.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 0.2.rZ3LaKxraF.exe.4367c38.3.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
            Source: 0.2.rZ3LaKxraF.exe.4367c38.3.raw.unpack, type: UNPACKEDPEMatched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
            Source: 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
            Source: 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
            Source: Process Memory Space: rZ3LaKxraF.exe PID: 6412, type: MEMORYSTRMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeCode function: 0_2_031277800_2_03127780
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeCode function: 0_2_031284280_2_03128428
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeCode function: 0_2_031240880_2_03124088
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeCode function: 0_2_03122CC80_2_03122CC8
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeCode function: 0_2_031277700_2_03127770
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeCode function: 0_2_031257B00_2_031257B0
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeCode function: 0_2_031237A00_2_031237A0
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeCode function: 0_2_03126FF00_2_03126FF0
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeCode function: 0_2_03126FE00_2_03126FE0
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeCode function: 0_2_031286900_2_03128690
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeCode function: 0_2_031286A00_2_031286A0
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeCode function: 0_2_031281190_2_03128119
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeCode function: 0_2_031245300_2_03124530
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeCode function: 0_2_031281280_2_03128128
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeCode function: 0_2_03127D570_2_03127D57
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeCode function: 0_2_031231680_2_03123168
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeCode function: 0_2_031284180_2_03128418
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeCode function: 0_2_0312003A0_2_0312003A
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeCode function: 0_2_031200400_2_03120040
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeCode function: 0_2_03122CB80_2_03122CB8
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeCode function: 0_2_0320C5F40_2_0320C5F4
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeCode function: 0_2_0320E9000_2_0320E900
            Source: rZ3LaKxraF.exe, 00000000.00000002.403374289.00000000015C9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs rZ3LaKxraF.exe
            Source: rZ3LaKxraF.exe, 00000000.00000002.411653562.0000000007840000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameBunifu.UI.dll4 vs rZ3LaKxraF.exe
            Source: rZ3LaKxraF.exe, 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs rZ3LaKxraF.exe
            Source: rZ3LaKxraF.exe, 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameiZpEr.exeB vs rZ3LaKxraF.exe
            Source: rZ3LaKxraF.exe, 00000000.00000000.349335264.0000000000F02000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameiZpEr.exeB vs rZ3LaKxraF.exe
            Source: rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBunifu.UI.dll4 vs rZ3LaKxraF.exe
            Source: rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs rZ3LaKxraF.exe
            Source: rZ3LaKxraF.exe, 00000000.00000002.412112115.0000000007A20000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs rZ3LaKxraF.exe
            Source: rZ3LaKxraF.exeBinary or memory string: OriginalFilenameiZpEr.exeB vs rZ3LaKxraF.exe
            Source: rZ3LaKxraF.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: rZ3LaKxraF.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: rZ3LaKxraF.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: ohnfNTVBamkg.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: ohnfNTVBamkg.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: ohnfNTVBamkg.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: rZ3LaKxraF.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: ohnfNTVBamkg.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: rZ3LaKxraF.exe | ReversingLabs: Detection: 47%
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | File read: C:\Users\user\Desktop\rZ3LaKxraF.exe
            Source: rZ3LaKxraF.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Users\user\Desktop\rZ3LaKxraF.exe "C:\Users\user\Desktop\rZ3LaKxraF.exe"
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ohnfNTVBamkg" /XML "C:\Users\user\AppData\Local\Temp\tmpC7FE.tmp
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Process created: C:\Users\user\Desktop\rZ3LaKxraF.exe {path}
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Process created: C:\Users\user\Desktop\rZ3LaKxraF.exe {path}
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | File created: C:\Users\user\AppData\Roaming\ohnfNTVBamkg.exe
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | File created: C:\Users\user\AppData\Local\Temp\tmpC7FE.tmp
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@8/4@0/1
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: rZ3LaKxraF.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Mutant created: \Sessions\1\BaseNamedObjects\remcos_enhatfsgar
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_01
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Mutant created: \Sessions\1\BaseNamedObjects\AlkQUlEgEPdgdvFu
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: rZ3LaKxraF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: rZ3LaKxraF.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: rZ3LaKxraF.exe, frmMainForm.cs | .Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
            Source: ohnfNTVBamkg.exe.0.dr, frmMainForm.cs | .Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
            Source: 0.0.rZ3LaKxraF.exe.f00000.0.unpack, frmMainForm.cs | .Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Code function: 0_2_03120006 push ss; iretd 0_2_0312001D
            Source: initial sample | Static PE information: section name: .text entropy: 7.651863680261729
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | File created: C:\Users\user\AppData\Roaming\ohnfNTVBamkg.exe

            Boot Survival

            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ohnfNTVBamkg" /XML "C:\Users\user\AppData\Local\Temp\tmpC7FE.tmp
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match | File source: 0.2.rZ3LaKxraF.exe.33b18cc.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rZ3LaKxraF.exe PID: 6412, type: MEMORYSTR
            Source: rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
            Source: rZ3LaKxraF.exe, 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp, rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp, rZ3LaKxraF.exe, 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp, rZ3LaKxraF.exe, 00000007.00000002.614044963.0000000000410000.00000040.00000400.00020000.00000000.sdmp, rZ3LaKxraF.exe, 00000007.00000000.399658714.0000000000410000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
            Source: rZ3LaKxraF.exe, 00000007.00000002.614044963.0000000000410000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: R`\SOSBIEDLL.DLL
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe TID: 6436 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe TID: 6988 | Thread sleep count: 552 > 30
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe TID: 6988 | Thread sleep time: -5520000s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Window / User API: threadDelayed 552
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Thread delayed: delay time: 922337203685477
            Source: rZ3LaKxraF.exe, 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp, rZ3LaKxraF.exe, 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp, rZ3LaKxraF.exe, 00000007.00000002.614044963.0000000000410000.00000040.00000400.00020000.00000000.sdmp, rZ3LaKxraF.exe, 00000007.00000000.399658714.0000000000410000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
            Source: rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
            Source: rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
            Source: rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
            Source: rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
            Source: rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
            Source: rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
            Source: rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
            Source: rZ3LaKxraF.exe, 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp, rZ3LaKxraF.exe, 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp, rZ3LaKxraF.exe, 00000007.00000002.614044963.0000000000410000.00000040.00000400.00020000.00000000.sdmp, rZ3LaKxraF.exe, 00000007.00000000.399658714.0000000000410000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: @HARDWARE\ACPI\DSDT\VBOX__PROCMON_WINDOW_CLASSPROCEXPL21invalid vector<T> subscript?playaudiodatafmt WAVERIFF.wav%Y-%m-%d %H.%MgetcamsingleframenocamerastartcamcapclosecamgetcamframeinitcamcapFreeFrameGetFrameCloseCameraOpenCameracamdlldatacamframe|dmc|[DataStart][DataStart]0000%02i:%02i:%02i:%03i [KeepAlive] Enabled! (Timeout: %i seconds)
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Memory written: C:\Users\user\Desktop\rZ3LaKxraF.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ohnfNTVBamkg" /XML "C:\Users\user\AppData\Local\Temp\tmpC7FE.tmp
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Process created: C:\Users\user\Desktop\rZ3LaKxraF.exe {path}
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Process created: C:\Users\user\Desktop\rZ3LaKxraF.exe {path}
            Source: rZ3LaKxraF.exe, 00000007.00000002.614466932.0000000002AB6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
            Source: rZ3LaKxraF.exe, 00000007.00000002.614466932.0000000002AB6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manageranager
            Source: rZ3LaKxraF.exe, 00000007.00000002.614466932.0000000002AB6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: art]Bpong|cmd|0|cmd|Program Manager|cmd|128|cmd|52116843rontdesk|cmd|~~
            Source: rZ3LaKxraF.exe, 00000007.00000002.614412727.0000000002A8D000.00000004.00000010.00020000.00000000.sdmp, logs.dat.7.dr | Binary or memory string: [ Program Manager ]
            Source: rZ3LaKxraF.exe, 00000007.00000002.614466932.0000000002AB6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: d|0|cmd|Program ManageruesdayWedWednesdayThu
            Source: rZ3LaKxraF.exe, 00000007.00000002.614466932.0000000002AB6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr
            Source: rZ3LaKxraF.exe, 00000007.00000002.614466932.0000000002AB6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: d|0|cmd|Program Manager|cmd|rMarchAprAprilMa
            Source: rZ3LaKxraF.exe, 00000007.00000002.614466932.0000000002AB6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: d|0|cmd|Program Manager|cmd|128|cmd|
            Source: rZ3LaKxraF.exe, 00000007.00000002.614466932.0000000002AB6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: d|0|cmd|Program Manager|cmd|128|cmd|521168439
            Source: rZ3LaKxraF.exe, 00000007.00000002.614466932.0000000002AB6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: d|0|cmd|Program Manager|cmd|128vNovemberDecDe
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Users\user\Desktop\rZ3LaKxraF.exe VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

Source: Yara match | File source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.rZ3LaKxraF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rZ3LaKxraF.exe.43cfc58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rZ3LaKxraF.exe.4367c38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.614442968.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.399658714.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rZ3LaKxraF.exe PID: 6412, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rZ3LaKxraF.exe PID: 6856, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match | File source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.rZ3LaKxraF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rZ3LaKxraF.exe.43cfc58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rZ3LaKxraF.exe.4367c38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.614442968.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.399658714.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rZ3LaKxraF.exe PID: 6412, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rZ3LaKxraF.exe PID: 6856, type: MEMORYSTR
Source: rZ3LaKxraF.exe, 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Remcos_Mutex_Inj
Source: rZ3LaKxraF.exe, 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
Source: rZ3LaKxraF.exe, 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Remcos_Mutex_Inj
Source: rZ3LaKxraF.exe, 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
Source: rZ3LaKxraF.exe, 00000007.00000000.399658714.0000000000410000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: Remcos_Mutex_Inj
Source: rZ3LaKxraF.exe, 00000007.00000000.399658714.0000000000410000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 1 Scheduled Task/Job; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: 1 Scheduled Task/Job; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: 112 Process Injection; 1 Scheduled Task/Job; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 21 Virtualization/Sandbox Evasion; 112 Process Injection; 3 Obfuscated Files or Information; 12 Software Packing; Compile After Delivery
Credential Access: 111 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 1 Query Registry; 21 Security Software Discovery; 2 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 12 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 111 Input Capture; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 1 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
Source | Detection | Scanner | Label
rZ3LaKxraF.exe | 48% | ReversingLabs | ByteCode-MSIL.Spyware.SnakeLogger
rZ3LaKxraF.exe | 100% | Avira | HEUR/AGEN.1208404
rZ3LaKxraF.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\ohnfNTVBamkg.exe | 100% | Avira | HEUR/AGEN.1208404
C:\Users\user\AppData\Roaming\ohnfNTVBamkg.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\ohnfNTVBamkg.exe | 48% | ReversingLabs | ByteCode-MSIL.Spyware.SnakeLogger
Source | Detection | Scanner | Label
0.0.rZ3LaKxraF.exe.f00000.0.unpack | 100% | Avira | HEUR/AGEN.1208404
7.0.rZ3LaKxraF.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1219514
0.2.rZ3LaKxraF.exe.43cfc58.2.unpack | 100% | Avira | HEUR/AGEN.1219514
No Antivirus matches
Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
37.120.210.219 | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
            No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
37.120.210.219 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
37.120.210.219 | unknown | Romania | 9009 | M247GB | true
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 679204
Start date and time: 2022-08-05 12:01:06 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 44s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: rZ3LaKxraF (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@8/4@0/1
EGA Information:
• Successful, ratio: 50%
HDC Information: Failed
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 26
• Number of non-executed functions: 14
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.82.210.154
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, store-images.s-microsoft.com, login.live.com, ctldl.windowsupdate.com, arc.trafficmanager.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Execution Graph export aborted for target rZ3LaKxraF.exe, PID 6856 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: rZ3LaKxraF.exe
Time | Type | Description
12:03:08 | API Interceptor | 808x Sleep call for process: rZ3LaKxraF.exe modified
Match | Associated Sample Name / URL | Detection | Context
37.120.210.219 | Debit note JULY 2022.exe | malicious |
No context
Match | Associated Sample Name / URL | Detection | Context
M247GB | hVAj77o331.exe | malicious | 37.120.198.220
M247GB | SecuriteInfo.com.Variant.Lazy.229565.27362.exe | malicious | 194.36.111.59
M247GB | 4pX5WfHUMR.dll | malicious | 37.120.206.71
M247GB | 9GFOTeXnq3.dll | malicious | 37.120.206.71
M247GB | 2hFftAa8Hf.exe | malicious | 194.36.111.59
M247GB | HSBC Payment Advice^^^^^^^^^^^^^^^^^^^PDF.scr | malicious | 195.206.105.227
M247GB | FmpSGuzHvh.exe | malicious | 194.36.111.59
M247GB | e6gEx2Lr6u.dll | malicious | 37.120.206.71
M247GB | 62ea3f935563b.dll | malicious | 37.120.206.71
M247GB | 294512_SOA 02 AUG 2022^^^^^^^^^^PDF.scr | malicious | 185.156.175.51
M247GB | uEMWdMV4Mf.exe | malicious | 45.74.4.244
M247GB | https://918066.brlght-gene.com/?email=michelle.butler@cambrex.com | malicious | 89.41.26.95
M247GB | https://918066.brlght-gene.com/?email=michelle.butler@cambrex.com | malicious | 89.41.26.95
M247GB | C4HrwR0M4u | malicious | 45.86.28.55
M247GB | VOlsAHaePY.exe | malicious | 37.120.217.243
M247GB | http://wwww.kambohstream.xyz/2022/05/ch90.html | malicious | 38.132.109.186
M247GB | OqrBUGKdjo | malicious | 45.11.2.200
M247GB | RqDJUmrhxz.dll | malicious | 185.158.248.14
M247GB | kvdBWsp4lB.exe | malicious | 185.158.248.14
M247GB | T7bVTrUXsM.exe | malicious | 185.158.248.14
No context
No context
Process: C:\Users\user\Desktop\rZ3LaKxraF.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5: 69206D3AF7D6EFD08F4B4726998856D3
SHA1: E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512: CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious: true
Reputation: high, very likely benign file
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Process: C:\Users\user\Desktop\rZ3LaKxraF.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1661
Entropy (8bit): 5.174023600988245
Encrypted: false
SSDEEP: 24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB1Ntn:cbhH7MlNQ8/rydbz9I3YODOLNdq3v
MD5: 221CE6A07FB67113112AED2562CBF3B3
SHA1: 39FEC1C7C72BB5C740C24412537B4F429486708F
SHA-256: 6B98B72DA3B6BDBDBF83DE716C1D1F8F50D43E71FA28FB26239111128900F414
SHA-512: 73EB9B348394B3BCB36AC00EC6CC7F636EB45EDB3DDA29682A0A7D943D1BF9BC99B641706DF93C59E61C73EE80C5E7B871956F7AD179C8B8E15964C9D4594C6B
Malicious: true
Reputation: low
                                    Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv

Process: C:\Users\user\Desktop\rZ3LaKxraF.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 703488
Entropy (8bit): 6.9630413774878415
Encrypted: false
SSDEEP: 12288:2u82iNDXR0NSqCGCHw1jZIvNds4mcGrONHhbP7r9r/+ppppppppppppppppppppZ:E1rvqCGCQJZIvoYGoHhb1qH
MD5: F8B7CCFAA25AD7547501496C248C178E
SHA1: AAE29F7EF62D5329C27C2040ED573D0DDC9A522E
SHA-256: 42638E51CD3EFF415CE751E700D233596988FD51FFBA584B18DD2E78EC07BC2B
SHA-512: CBFEC11BA74137DF8A56D8C6CA74A04F3773D52C097AD78A5413733AD8DE540CE8F0BE54A9DCF2A708BBB56A0DAEA69F247BA7255485DE2406ED310B07D91E44
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 48%
Reputation: low
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....9.b..............P..\...^.......z... ........@.. ....................................@.................................@z..O.......h[........................................................................... ............... ..H............text....Z... ...\.................. ..`.rsrc...h[.......\...^..............@..@.reloc..............................@..B................tz......H........Q..,.......B...HE...4............................................( ...*&..(!....*.s"........s#........s$........s%........s&........*...0...........~....o'....+..*.0...........~....o(....+..*.0...........~....o)....+..*.0...........~....o*....+..*.0...........~....o+....+..*.0..<........~.....(,.....,!r...p.....(-...o....s/............~.....+..*.0...........~.....+..*".......*.0..&........(....r=..p~....o0...(1.....t$....+..*...0..&........(....rI..p~....o0...(1.....

Process: C:\Users\user\Desktop\rZ3LaKxraF.exe
File Type: ASCII text, with CRLF, CR line terminators
Category: dropped
Size (bytes): 25
Entropy (8bit): 3.593269689515108
Encrypted: false
SSDEEP: 3:M1XKe3n:0aS
MD5: 89B5667E995FBEB88EDDA0BAC2FD47C4
SHA1: 76FB3FE1E77B0F1A5C6014437515F1DB8EAAEC37
SHA-256: EE321AE724EA998CADB15526D3573191C892653D28A8AA7DE43413AE2DCE5E79
SHA-512: F542FC946C29FAECC5D660548B43B1F59C909955FDF162F150426DBB23FDD3CDEFED435254884DBCDACA82529249A7C2C07DC9DC8C5073156056F8A92B28A92F
Malicious: false
Reputation: moderate, very likely benign file
                                    Preview:...[ Program Manager ]...
                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):6.9630413774878415
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    • DOS Executable Generic (2002/1) 0.01%
                                    File name:rZ3LaKxraF.exe
                                    File size:703488
                                    MD5:f8b7ccfaa25ad7547501496c248c178e
                                    SHA1:aae29f7ef62d5329c27c2040ed573d0ddc9a522e
                                    SHA256:42638e51cd3eff415ce751e700d233596988fd51ffba584b18dd2e78ec07bc2b
                                    SHA512:cbfec11ba74137df8a56d8c6ca74a04f3773d52c097ad78a5413733ad8de540ce8f0be54a9dcf2a708bbb56a0daea69f247ba7255485de2406ed310b07d91e44
                                    SSDEEP:12288:2u82iNDXR0NSqCGCHw1jZIvNds4mcGrONHhbP7r9r/+ppppppppppppppppppppZ:E1rvqCGCQJZIvoYGoHhb1qH
                                    TLSH:33E48E80E586B664DE19D7745BFACC754533BD6AE838952C28DD3F37BBB7AA20011023
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....9.b..............P..\...^.......z... ........@.. ....................................@................................
                                    Icon Hash:c4c4c4c8ccd4d0c4
                                    Entrypoint:0x477a92
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x62DF39AA [Tue Jul 26 00:47:38 2022 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                    Instruction
                                    jmp dword ptr [00402000h]
                                    Name                                  Virtual Address  Virtual Size  Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_IMPORT          0x77a40          0x4f          .text
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE        0x78000          0x35b68       .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC       0xae000          0xc           .reloc
                                    IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                    Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
                                    .text   0x2000           0x75a98       0x75c00   False     0.814691563826964    data       7.651863680261729    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    .rsrc   0x78000          0x35b68       0x35c00   False     0.21262263808139534  data       4.520503418212817    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc  0xae000          0xc           0x200     False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                    Name           RVA      Size     Type                                                                                                                    Language  Country
                                    RT_ICON        0x78460  0x668    data
                                    RT_ICON        0x78ac8  0x2e8    dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4294965391, next used block 7403512
                                    RT_ICON        0x78db0  0x1e8    data
                                    RT_ICON        0x78f98  0x128    GLS_BINARY_LSB_FIRST
                                    RT_ICON        0x790c0  0x35e0   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                    RT_ICON        0x7c6a0  0xea8    data
                                    RT_ICON        0x7d548  0x8a8    dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0
                                    RT_ICON        0x7ddf0  0x6c8    data
                                    RT_ICON        0x7e4b8  0x568    GLS_BINARY_LSB_FIRST
                                    RT_ICON        0x7ea20  0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
                                    RT_ICON        0x8f248  0x94a8   data
                                    RT_ICON        0x986f0  0x67e8   data
                                    RT_ICON        0x9eed8  0x5488   data
                                    RT_ICON        0xa4360  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 254, next used block 2130706432
                                    RT_ICON        0xa8588  0x25a8   data
                                    RT_ICON        0xaab30  0x10a8   data
                                    RT_ICON        0xabbd8  0x988    data
                                    RT_ICON        0xac560  0x468    GLS_BINARY_LSB_FIRST
                                    RT_GROUP_ICON  0xac9c8  0x102    data
                                    RT_VERSION     0xacacc  0x354    data
                                    RT_MANIFEST    0xace20  0xd48    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                    DLL          Import
                                    mscoree.dll  _CorExeMain
                                    Timestamp                 Protocol  SID      Message                                    Source Port  Dest Port  Source IP    Dest IP
                                    08/05/22-12:03:58.881678  TCP       2841134  ETPRO TROJAN Win32/Remcos RAT Checkin 348  49774        3398       192.168.2.7  37.120.210.219
                                    Timestamp                            Source Port  Dest Port  Source IP       Dest IP
                                    Aug 5, 2022 12:02:43.141547918 CEST  49774        3398       192.168.2.7     37.120.210.219
                                    Aug 5, 2022 12:02:43.615458965 CEST  3398         49774      37.120.210.219  192.168.2.7
                                    Aug 5, 2022 12:02:43.615602016 CEST  49774        3398       192.168.2.7     37.120.210.219
                                    Aug 5, 2022 12:02:43.616734028 CEST  49774        3398       192.168.2.7     37.120.210.219
                                    Aug 5, 2022 12:02:44.114769936 CEST  3398         49774      37.120.210.219  192.168.2.7
                                    Aug 5, 2022 12:02:44.131412029 CEST  49774        3398       192.168.2.7     37.120.210.219
                                    Aug 5, 2022 12:02:44.652451038 CEST  3398         49774      37.120.210.219  192.168.2.7
                                    Aug 5, 2022 12:02:58.748060942 CEST  3398         49774      37.120.210.219  192.168.2.7
                                    Aug 5, 2022 12:02:58.758995056 CEST  49774        3398       192.168.2.7     37.120.210.219
                                    Aug 5, 2022 12:02:59.282506943 CEST  3398         49774      37.120.210.219  192.168.2.7
                                    Aug 5, 2022 12:03:18.786052942 CEST  3398         49774      37.120.210.219  192.168.2.7
                                    Aug 5, 2022 12:03:18.789299011 CEST  49774        3398       192.168.2.7     37.120.210.219
                                    Aug 5, 2022 12:03:19.304574966 CEST  3398         49774      37.120.210.219  192.168.2.7
                                    Aug 5, 2022 12:03:38.821558952 CEST  3398         49774      37.120.210.219  192.168.2.7
                                    Aug 5, 2022 12:03:38.824368954 CEST  49774        3398       192.168.2.7     37.120.210.219
                                    Aug 5, 2022 12:03:39.342868090 CEST  3398         49774      37.120.210.219  192.168.2.7
                                    Aug 5, 2022 12:03:58.876553059 CEST  3398         49774      37.120.210.219  192.168.2.7
                                    Aug 5, 2022 12:03:58.881678104 CEST  49774        3398       192.168.2.7     37.120.210.219
                                    Aug 5, 2022 12:03:59.401487112 CEST  3398         49774      37.120.210.219  192.168.2.7
                                    Aug 5, 2022 12:04:18.985163927 CEST  3398         49774      37.120.210.219  192.168.2.7
                                    Aug 5, 2022 12:04:18.986965895 CEST  49774        3398       192.168.2.7     37.120.210.219
                                    Aug 5, 2022 12:04:19.506959915 CEST  3398         49774      37.120.210.219  192.168.2.7


                                    Target ID:0
                                    Start time:12:02:56
                                    Start date:05/08/2022
                                    Path:C:\Users\user\Desktop\rZ3LaKxraF.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\rZ3LaKxraF.exe"
                                    Imagebase:0xf00000
                                    File size:703488 bytes
                                    MD5 hash:F8B7CCFAA25AD7547501496C248C178E
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Remcos, Description: detect Remcos in memory, Source: 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Remcos, Description: detect Remcos in memory, Source: 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low

                                    Target ID:3
                                    Start time:12:03:16
                                    Start date:05/08/2022
                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ohnfNTVBamkg" /XML "C:\Users\user\AppData\Local\Temp\tmpC7FE.tmp
                                    Imagebase:0xef0000
                                    File size:185856 bytes
                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:5
                                    Start time:12:03:17
                                    Start date:05/08/2022
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7bab80000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:6
                                    Start time:12:03:18
                                    Start date:05/08/2022
                                    Path:C:\Users\user\Desktop\rZ3LaKxraF.exe
                                    Wow64 process (32bit):false
                                    Commandline:{path}
                                    Imagebase:0x290000
                                    File size:703488 bytes
                                    MD5 hash:F8B7CCFAA25AD7547501496C248C178E
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low

                                    Target ID:7
                                    Start time:12:03:19
                                    Start date:05/08/2022
                                    Path:C:\Users\user\Desktop\rZ3LaKxraF.exe
                                    Wow64 process (32bit):true
                                    Commandline:{path}
                                    Imagebase:0x870000
                                    File size:703488 bytes
                                    MD5 hash:F8B7CCFAA25AD7547501496C248C178E
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.614442968.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000000.399658714.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low

                                      Execution Graph

                                      Execution Coverage:17.2%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:97
                                      Total number of Limit Nodes:5

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: @<4$@<4
                                      • API String ID: 0-3003078165
                                      • Opcode ID: b5dddc2e67e32eacf111476fa318232f20a507f4fe08584e71a6e4b5dc7e545a
                                      • Instruction ID: 83dcb3cb546f723c58bcbee0dd78e59111adda50f5cc491e194d1946e1938593
                                      • Opcode Fuzzy Hash: b5dddc2e67e32eacf111476fa318232f20a507f4fe08584e71a6e4b5dc7e545a
                                      • Instruction Fuzzy Hash: 59A11570E042298FCB04CFAAD98059EFBF2BF9D300F14C16AD405AB218DB349952CF65
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 83b6b194697fc39d7221731495252376880322300e1f3cf452d787aa9fbed7d1
                                      • Instruction ID: 7357739677241d2c7a23a01d1733d91b798cbec7d333a12c6ceced963f75e8c4
                                      • Opcode Fuzzy Hash: 83b6b194697fc39d7221731495252376880322300e1f3cf452d787aa9fbed7d1
                                      • Instruction Fuzzy Hash: 81D17774A01315DFCB44DFA4D685AADBFF2FB8A304B14846AE4099B324DB349D42CF94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4f0a88bb1d9741d0b4244a215a8d3b1f0dbe7ac7ba5aac61fc30e392ea115ea2
                                      • Instruction ID: e28da6e5e3f68eee97cae3c10b5417080f6caee9202b318bd8cc2653b42ab6f7
                                      • Opcode Fuzzy Hash: 4f0a88bb1d9741d0b4244a215a8d3b1f0dbe7ac7ba5aac61fc30e392ea115ea2
                                      • Instruction Fuzzy Hash: 37D18774A01319DFCB44DFA4D685AADBFF2FB8A304B148469E4099B324DB749D42CF94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4dc2b646724a91b64900e870f2482fe11e85ecf3470ff11c07a121ba5b3b6e03
                                      • Instruction ID: 0e1aca12839a871a8f98240e19f4b8ccb7928375029f26b04030a1ac8e4d59ab
                                      • Opcode Fuzzy Hash: 4dc2b646724a91b64900e870f2482fe11e85ecf3470ff11c07a121ba5b3b6e03
                                      • Instruction Fuzzy Hash: 9A71F474E102199FCB08DFE5D9946AEBBB2FF89310F20802AE815BB354DB345916CF94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 90c81a8a8ca0b17f1bad472057f74dbcfc5b3eb7c8fbadd68df53e1f4c2d3f04
                                      • Instruction ID: 99992f129daa72b04ff73a19731a939fe2f3d55c65f15ee20d2ff4dc4ff2467e
                                      • Opcode Fuzzy Hash: 90c81a8a8ca0b17f1bad472057f74dbcfc5b3eb7c8fbadd68df53e1f4c2d3f04
                                      • Instruction Fuzzy Hash: 3271F574E102199FCB08DFE5D9546AEBBB2FF89310F20842AE815BB354DB345916CF94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f20ef11859a52ade71d5152d97f5368092243e26035f92c98d4717e510e518ec
                                      • Instruction ID: a4bb35da0e60dab7dfa0655353d13703aa9641884aef0e1c528bfa04d5705f18
                                      • Opcode Fuzzy Hash: f20ef11859a52ade71d5152d97f5368092243e26035f92c98d4717e510e518ec
                                      • Instruction Fuzzy Hash: 6D5136B0D16228DFCB08CFE9E5846DDBFB6EB89300F18942AE405B7244D73489A18B14
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f06a7535f915a020698a78a01db0394bc699e5500a9477fcd7c1fc25965ecefe
                                      • Instruction ID: 7276ee5d461bd8587815ebdc42aef59325d31b94a198c912a34cea9279f4d235
                                      • Opcode Fuzzy Hash: f06a7535f915a020698a78a01db0394bc699e5500a9477fcd7c1fc25965ecefe
                                      • Instruction Fuzzy Hash: 035136B0D16258EFCB08CFE9E5846DDFBB2FB8D310F18942AE405B7244D77499A58B14
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bdf3594324e2575ca90fa7d38b65fffc36689ca50c8fd2917523f32f3ecc38c5
                                      • Instruction ID: b027e3d24741a4e74cba15e0becdf7af045a10201fd4be944210d1db6a77afe7
                                      • Opcode Fuzzy Hash: bdf3594324e2575ca90fa7d38b65fffc36689ca50c8fd2917523f32f3ecc38c5
                                      • Instruction Fuzzy Hash: 98413770D16269EFCB08CFE9E5806DDBFB2FB4D310F29942AE415B7244D3349AA18B14
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a5ff3dd0d42e3eb71bfbe9d1b19f2214c1d27d2ad2bb84b2a6a0000e0103d2bd
                                      • Instruction ID: df957f2c05248100035aabf4754134256d13e32e788b6db53d3675b50f674e71
                                      • Opcode Fuzzy Hash: a5ff3dd0d42e3eb71bfbe9d1b19f2214c1d27d2ad2bb84b2a6a0000e0103d2bd
                                      • Instruction Fuzzy Hash: 04114870D042298BCB14CFA5C4097EEFEF1AB4E311F19A06AD112B3280D7748948DBA8
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 59 3209b50-3209b65 call 3208b0c 62 3209b67-3209b75 call 3209dd8 59->62 63 3209b7b-3209b7f 59->63 62->63 67 3209cb0-3209d2a 62->67 64 3209b81-3209b8b 63->64 65 3209b93-3209bd4 63->65 64->65 70 3209be1-3209bef 65->70 71 3209bd6-3209bde 65->71 107 3209d31-3209d70 67->107 108 3209d2c-3209d30 67->108 72 3209bf1-3209bf6 70->72 73 3209c13-3209c15 70->73 71->70 75 3209c01 72->75 76 3209bf8-3209bff call 3208b18 72->76 77 3209c18-3209c1f 73->77 80 3209c03-3209c11 75->80 76->80 81 3209c21-3209c29 77->81 82 3209c2c-3209c33 77->82 80->77 81->82 84 3209c40-3209c49 call 3208b28 82->84 85 3209c35-3209c3d 82->85 89 3209c56-3209c5b 84->89 90 3209c4b-3209c53 84->90 85->84 92 3209c79-3209c86 89->92 93 3209c5d-3209c64 89->93 90->89 100 3209c88-3209ca6 92->100 101 3209ca9-3209caf 92->101 93->92 94 3209c66-3209c76 call 320973c call 320974c 93->94 94->92 100->101 110 3209d72-3209d75 107->110 111 3209d78-3209da3 GetModuleHandleW 107->111 108->107 110->111 112 3209da5-3209dab 111->112 113 3209dac-3209dc0 111->113 112->113
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 03209D96
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.404095516.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3200000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: 30fcd685e898c002b635bf56faed513f2c243113b034f4a691eb79568ee78a3e
                                      • Instruction ID: b5c82f4f19fb457232074c87f11713e91a387e5b1cfa52554366798c02950ba8
                                      • Opcode Fuzzy Hash: 30fcd685e898c002b635bf56faed513f2c243113b034f4a691eb79568ee78a3e
                                      • Instruction Fuzzy Hash: 77716770A10B068FDB24DF2AD04075ABBF5FF89214F04892DD44ADBAA1D775E889CF91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 116 3129db8-3129e43 118 3129e45-3129e4b 116->118 119 3129e4e-3129e55 116->119 118->119 120 3129e60-3129e76 119->120 121 3129e57-3129e5d 119->121 122 3129e81-3129f1e CreateProcessW 120->122 123 3129e78-3129e7e 120->123 121->120 125 3129f20-3129f26 122->125 126 3129f27-3129f9b 122->126 123->122 125->126 134 3129fad-3129fb4 126->134 135 3129f9d-3129fa3 126->135 136 3129fb6-3129fc5 134->136 137 3129fcb 134->137 135->134 136->137
                                      APIs
                                      • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 03129F0B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID:
                                      • API String ID: 963392458-0
                                      • Opcode ID: a6f933fee7eaa7d0524731c8f75ac60547116633179090656663c9b78ca67e5a
                                      • Instruction ID: bb2a0ec7793f8c019a429b229b69cc8654f3d90e65430fef57176dcb3b5dd66e
                                      • Opcode Fuzzy Hash: a6f933fee7eaa7d0524731c8f75ac60547116633179090656663c9b78ca67e5a
                                      • Instruction Fuzzy Hash: FD51E671D00329DFDB64CF99C880BDEBBB6BF48314F158099E808A7650DB719A99CF51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 139 312a478-312a4c9 141 312a4cb-312a4d7 139->141 142 312a4d9-312a512 WriteProcessMemory 139->142 141->142 143 312a514-312a51a 142->143 144 312a51b-312a53c 142->144 143->144
                                      APIs
                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0312A505
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID:
                                      • API String ID: 3559483778-0
                                      • Opcode ID: 5e99d89fdcd4c3a713207090e16f1b74ca24c7929dd5d0150b89635b909e61a2
                                      • Instruction ID: 07ba66b38f46816ee4501d88f0023250ca82e71feb1f73fb914bd68a81699c2b
                                      • Opcode Fuzzy Hash: 5e99d89fdcd4c3a713207090e16f1b74ca24c7929dd5d0150b89635b909e61a2
                                      • Instruction Fuzzy Hash: C621E4B1900259DFCB10CFAAD885BDEBBF4FF48314F14842AE918A7750D778A954CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 146 3209af0-320be0c DuplicateHandle 148 320be15-320be32 146->148 149 320be0e-320be14 146->149 149->148
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0320BD3E,?,?,?,?,?), ref: 0320BDFF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.404095516.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3200000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: fb7096986e57d61e80dc5f564d29bcc9710abb42d7344e63288dc61e26b4b2b6
                                      • Instruction ID: f0c1e8a5f3a37ceb2448d5647b30ae54d6f8a5b41bbcaa0e432effded707180e
                                      • Opcode Fuzzy Hash: fb7096986e57d61e80dc5f564d29bcc9710abb42d7344e63288dc61e26b4b2b6
                                      • Instruction Fuzzy Hash: 152105B5900209AFCB10CFA9D484AEEBBF4EB48324F14801AE914B7351D374A944CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 152 312a1e8-312a274 ReadProcessMemory 154 312a276-312a27c 152->154 155 312a27d-312a29e 152->155 154->155
                                      APIs
                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0312A267
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID:
                                      • API String ID: 1726664587-0
                                      • Opcode ID: dac8a93d2691eae3d93274bc5f3e75cb9e7d58961a9cdd5cc07b84a51a5306d5
                                      • Instruction ID: 51805e25e66bba6f65b405121fe6f8f2b4d0582ded2caba8837e3e20f83a644a
                                      • Opcode Fuzzy Hash: dac8a93d2691eae3d93274bc5f3e75cb9e7d58961a9cdd5cc07b84a51a5306d5
                                      • Instruction Fuzzy Hash: 7C21F0B19002599FCB10CF9AD884BDEBBF4FF48320F10842AE918A7650D779A554CFA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 157 312a128-312a174 159 312a180-312a1ac SetThreadContext 157->159 160 312a176-312a17e 157->160 161 312a1b5-312a1d6 159->161 162 312a1ae-312a1b4 159->162 160->159 162->161
                                      APIs
                                      • SetThreadContext.KERNELBASE(?,00000000), ref: 0312A19F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID: ContextThread
                                      • String ID:
                                      • API String ID: 1591575202-0
                                      • Opcode ID: 3c382712e76036e5b2ddc5fd7bbd1ababe7c76744bbe3736290167cb2b7e71c9
                                      • Instruction ID: 0f6358e587da447719836aa06d6a5fa39c9a1ed732668e4884430601e3f604dd
                                      • Opcode Fuzzy Hash: 3c382712e76036e5b2ddc5fd7bbd1ababe7c76744bbe3736290167cb2b7e71c9
                                      • Instruction Fuzzy Hash: 732106B1D0021A9FDB00CF9AC885BEEFBF4BF48224F14812AD418B7740D778A9558FA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 164 31227b0-3122838 VirtualProtect 166 3122841-3122862 164->166 167 312283a-3122840 164->167 167->166
                                      APIs
                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0312282B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      • Opcode ID: 5e0f5c158e91b1f9eee851c288e7c606c6dcaaf9a53780bf1c8b05f29a8c9240
                                      • Instruction ID: e81b7a37d9354661f701549d0068df29e673c433fae7d0ef1c12518739026dca
                                      • Opcode Fuzzy Hash: 5e0f5c158e91b1f9eee851c288e7c606c6dcaaf9a53780bf1c8b05f29a8c9240
                                      • Instruction Fuzzy Hash: 4721F4B59002499FDB10CF9AD584BDEBBF4EB48324F14842AE868A7650D378A645CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 169 31227b8-3122838 VirtualProtect 171 3122841-3122862 169->171 172 312283a-3122840 169->172 172->171
                                      APIs
                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0312282B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      • Opcode ID: b0a3f4216d6710fb68ac6b1088f43a0af07f9985ecc4ac1b6833678ff8f143f4
                                      • Instruction ID: 37728d0249a274307970687d94e9188b114fcecb1645e8fb20a08d20d85955a8
                                      • Opcode Fuzzy Hash: b0a3f4216d6710fb68ac6b1088f43a0af07f9985ecc4ac1b6833678ff8f143f4
                                      • Instruction Fuzzy Hash: 9A21E4B5D002499FCB10CF9AD884BDEFBF4FB48324F14842AE868A7650D778A545CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 174 3209768-3209ff8 176 320a000-320a02f LoadLibraryExW 174->176 177 3209ffa-3209ffd 174->177 178 320a031-320a037 176->178 179 320a038-320a055 176->179 177->176 178->179
                                      APIs
                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,03209E11,00000800,00000000,00000000), ref: 0320A022
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.404095516.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3200000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: eb23548d294444c0451e096802b471065e81fce6b781ccce89910583c64f4256
                                      • Instruction ID: b76af6cdb243cf4b34dca7a3c7fa6c0e23eec3dbc1d878a6c5a0462ae3389e4f
                                      • Opcode Fuzzy Hash: eb23548d294444c0451e096802b471065e81fce6b781ccce89910583c64f4256
                                      • Instruction Fuzzy Hash: B71103B69003099FCB10CF9AD444BDEFBF4AB58324F14842EE415A7640C379A949CFA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 182 312a2b8-312a330 VirtualAllocEx 184 312a332-312a338 182->184 185 312a339-312a34d 182->185 184->185
                                      APIs
                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0312A323
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: aa2405dedf29ee40f35bda58d46a95afc2815cf76e6a842c3407c44ddb37ae72
                                      • Instruction ID: b71548f8dddf190958e384a3a94b38d8fd1e92c812649154e5d9a0438262ab33
                                      • Opcode Fuzzy Hash: aa2405dedf29ee40f35bda58d46a95afc2815cf76e6a842c3407c44ddb37ae72
                                      • Instruction Fuzzy Hash: 8111E0B6900249DFCB10CF9AD884BDEBFF4EF48324F148419E928A7610C775A954CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 187 3122b40-312afca PostMessageW 189 312afd3-312afe7 187->189 190 312afcc-312afd2 187->190 190->189
                                      APIs
                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 0312AFBD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: f7e18e46b585b418b41ec9f74c9b2fb127b49121fb5217831ea2a9cda3432523
                                      • Instruction ID: c696cb747b5d74c44285d4d429351e71ac72a53e789b24c491bdfbf66abff374
                                      • Opcode Fuzzy Hash: f7e18e46b585b418b41ec9f74c9b2fb127b49121fb5217831ea2a9cda3432523
                                      • Instruction Fuzzy Hash: D711E3B59003599FDB10CF99D885BDEBBF8EF48324F108419E514A7600D779A954CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 192 3209d30-3209d70 194 3209d72-3209d75 192->194 195 3209d78-3209da3 GetModuleHandleW 192->195 194->195 196 3209da5-3209dab 195->196 197 3209dac-3209dc0 195->197 196->197
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 03209D96
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.404095516.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3200000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: b0bd58660ef3610233a3a26e3485eb5b3000e20c189f670bab09b2bdac0a6947
                                      • Instruction ID: e517953ddae5a54de34de322f017adbf8cba1a24098a1affa4e6e573568fac38
                                      • Opcode Fuzzy Hash: b0bd58660ef3610233a3a26e3485eb5b3000e20c189f670bab09b2bdac0a6947
                                      • Instruction Fuzzy Hash: 8B1110B6C002098FCB10DF9AD444BDEFBF4AF88224F14841AD429B7611C379A589CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 199 312a630-312a69c ResumeThread 201 312a6a5-312a6b9 199->201 202 312a69e-312a6a4 199->202 202->201
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: 68beb944afc7c5086d9e2ae1a5406650fb56be96c754720978c853da333ffb28
                                      • Instruction ID: 107b9b8baadeaf4ec02baad90b87fedb94b55dafd32a9ca6647f2771387ca9c3
                                      • Opcode Fuzzy Hash: 68beb944afc7c5086d9e2ae1a5406650fb56be96c754720978c853da333ffb28
                                      • Instruction Fuzzy Hash: B41100B18002498FCB10CF9AD884BDEBBF4EB48324F20841AD428A7600C775A944CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403226983.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_157d000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0e4bc53b647221cc2fb03b609c4110092b3e6cf681107c6459c9644d8523f223
                                      • Instruction ID: fada95e02d0fefb13cf136d7a387117649aae7552431f8c63804ae7b2b2ef9b5
                                      • Opcode Fuzzy Hash: 0e4bc53b647221cc2fb03b609c4110092b3e6cf681107c6459c9644d8523f223
                                      • Instruction Fuzzy Hash: B521D371504240AFDB01DF94E5C1B2ABBB5FF84324F24C9ADD9094F646C336D847CA61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403226983.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_157d000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 581c6a3911f1c2aac347b215bda6a4dac2332962b0dfa113cb3fddc1e3939ec5
                                      • Instruction ID: 8e17426f673cffa31e2ea6c85dcc28b2c7b5d631b4ced40dda2fba37805bac2d
                                      • Opcode Fuzzy Hash: 581c6a3911f1c2aac347b215bda6a4dac2332962b0dfa113cb3fddc1e3939ec5
                                      • Instruction Fuzzy Hash: C421FF755042409FDB12CF54E9C0B2ABBB5FB84354F24C969D8094F246D33AD84BCAA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403226983.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_157d000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 31585e72a49d205b083020f52e6f5fbd716a98c7e2b8297de49e37cecc925c2d
                                      • Instruction ID: 88fcf380ad7b04fc01f2dfbdb163ce6675d143f2ea8adc195f19d160bd53cb1b
                                      • Opcode Fuzzy Hash: 31585e72a49d205b083020f52e6f5fbd716a98c7e2b8297de49e37cecc925c2d
                                      • Instruction Fuzzy Hash: 522168755093808FDB03CF24D990B15BF71AF46214F28C5EAD8498F6A7C33A980ACB62
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403226983.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_157d000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b941aa979706ea48af2a73ab849f59d8158d4a6ac0082b33dc2f844f1e5b99c0
                                      • Instruction ID: d167b23a0aaa6f480793bfb908587c0389b78d1b2a853552b5172ebd73d818a1
                                      • Opcode Fuzzy Hash: b941aa979706ea48af2a73ab849f59d8158d4a6ac0082b33dc2f844f1e5b99c0
                                      • Instruction Fuzzy Hash: 02118B75904280DFDB12CF54D5C4B19BFB1FF84224F28C6A9D8494B656C33AD45ACB62
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: YzZ`
                                      • API String ID: 0-3284248116
                                      • Opcode ID: 8f20cb6a6a21cc45dbc89f5e0f27d89ff105ef831a488c83017252e63a7ed7b1
                                      • Instruction ID: 6d512bdf78f2fc80efe1f5a48d15f318fbe238a853f336a408289ba5d46eebaa
                                      • Opcode Fuzzy Hash: 8f20cb6a6a21cc45dbc89f5e0f27d89ff105ef831a488c83017252e63a7ed7b1
                                      • Instruction Fuzzy Hash: CD7106B4E1521A8F8B08DFE6D5415AEFFF2FF89300F10942AD416BB258D7349A528F94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: YzZ`
                                      • API String ID: 0-3284248116
                                      • Opcode ID: 6f1b01764fcd0bb3604a22923a784afb605235069a4a575e1df0786b6139dc58
                                      • Instruction ID: ab9524fc340a82aae5b7192d7f5fde6056db3eb1fcf46af6022e54574d91f048
                                      • Opcode Fuzzy Hash: 6f1b01764fcd0bb3604a22923a784afb605235069a4a575e1df0786b6139dc58
                                      • Instruction Fuzzy Hash: A471E5B4E1521A8FCB08DFA5D5815AEFFF2FF89300F10942AD416AB258D7349A528F94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: nf[S
                                      • API String ID: 0-499805295
                                      • Opcode ID: e1914ba2d4c3d1f05197e0c99c0df70bed2650d7556dfe8a24efdc1e27752bb3
                                      • Instruction ID: 905c1a07eeec5d39615739e3f9834383728b3ba453099fcdf0f90645bfe60569
                                      • Opcode Fuzzy Hash: e1914ba2d4c3d1f05197e0c99c0df70bed2650d7556dfe8a24efdc1e27752bb3
                                      • Instruction Fuzzy Hash: BD510E71E0462A8BDB68CF66C9407AAFBB6AFC9300F1491F6D50DA7614EB305AD18F50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: nf[S
                                      • API String ID: 0-499805295
                                      • Opcode ID: 89795389ca2424e327b61c134d7f7f26260fdd408269476a5d3b0ff7b9077a0c
                                      • Instruction ID: 08ed8b5cb9255336441c824615c8e55da1d70c6b4919ee7b67b7358a9a66b065
                                      • Opcode Fuzzy Hash: 89795389ca2424e327b61c134d7f7f26260fdd408269476a5d3b0ff7b9077a0c
                                      • Instruction Fuzzy Hash: 6F510D75E0062A8BDB68CF66C944799FBF2BFC8300F1482BAD409A7614EB705AD58F40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ~vL?
                                      • API String ID: 0-275919205
                                      • Opcode ID: 2620e4e511196ae418e4c3cfaa8c8008422122095598a838e6c1f35e0ea054c6
                                      • Instruction ID: bdc9e82d63c91122f9b2443a5fbac107d016ab1467493f19592ec58da80b4189
                                      • Opcode Fuzzy Hash: 2620e4e511196ae418e4c3cfaa8c8008422122095598a838e6c1f35e0ea054c6
                                      • Instruction Fuzzy Hash: A2115971E116199BDB18CFAAD9406EEFBF7FBC8210F14C03AD418B7214EB341A058B90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f676bb27f687531f47291072f6eae14f085439e42e8daac0cd7405f05a6ed861
                                      • Instruction ID: 14a58ce364a1ad0c874fa526667956aaf197511ceb3378e9302de71d1a6de112
                                      • Opcode Fuzzy Hash: f676bb27f687531f47291072f6eae14f085439e42e8daac0cd7405f05a6ed861
                                      • Instruction Fuzzy Hash: A5E15A34F0011A9FDB14DFA8C990ABEBBB7EF8D314F208068D805AB754DB3A9D558B51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dbda22d42cfdc9ef8a91a140e8dba1db990fdb8d6182a2bab4636fdcfb0c4d28
                                      • Instruction ID: c9b5d5f866c752df4d632eacf4f86a9a914347a6552f195ea1961d3f2ba9cf51
                                      • Opcode Fuzzy Hash: dbda22d42cfdc9ef8a91a140e8dba1db990fdb8d6182a2bab4636fdcfb0c4d28
                                      • Instruction Fuzzy Hash: C6C1BE70E0422A8FCB08CFFAC4506AEBFF2EF89214F158469D415AB354DF7499528BA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.404095516.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3200000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 948cfa8951654986d6cd520acdb6baeca5cf90fa01628ffb04ea71d38313792f
                                      • Instruction ID: 9bcb3718fa66d3419d85dd459f2ea3dc0bd4d8fde5176f91da6e315c07eedadd
                                      • Opcode Fuzzy Hash: 948cfa8951654986d6cd520acdb6baeca5cf90fa01628ffb04ea71d38313792f
                                      • Instruction Fuzzy Hash: B512EBF14117468BD318EFA4E5881893BB3F78A32CF505208D2611FAD9D7BA91CACF64
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.404095516.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3200000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 152fb4e3bedceb8a437a958d7ed7b74e29ae1b721e35e4f9fa43adafe5ba98c2
                                      • Instruction ID: 49bb301aae67a889ce1fd7bff85b212f6a64e1e655c242013c63efdc0fc32411
                                      • Opcode Fuzzy Hash: 152fb4e3bedceb8a437a958d7ed7b74e29ae1b721e35e4f9fa43adafe5ba98c2
                                      • Instruction Fuzzy Hash: 60A17E76E1021ACFCF15DFA5C8445DDBBB2FF88300B15816AE815AF261DB71A989CF50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ca41f74c512f1a3f471bd89ca9952fe15e779d012e36162e93281df8e16cecdf
                                      • Instruction ID: 0dff88611d8fd3f6ea69ea810be0c5b08806dc741dbc1146a62251cc526d0c2c
                                      • Opcode Fuzzy Hash: ca41f74c512f1a3f471bd89ca9952fe15e779d012e36162e93281df8e16cecdf
                                      • Instruction Fuzzy Hash: 76612970E052299FDB18CFA9D9809AEFBB2FF89304F24D169D409A7355D7309941CF61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 37c5f4ea2d79155ca8220d785a3a458688afbae5d93d372b7fe7b029ed79085a
                                      • Instruction ID: a0510b3835ba0e5652175de3e6b2f10d907bf916848afacd1bd9886edcffa2f4
                                      • Opcode Fuzzy Hash: 37c5f4ea2d79155ca8220d785a3a458688afbae5d93d372b7fe7b029ed79085a
                                      • Instruction Fuzzy Hash: 15612D74E112298FCB18CFA9D980B9EFBB2FF88300F1584A9D519A7354DB349A51CF51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3c963e7d0f562bfb690e9a366e361688eb88d5e644ec4b4cbceaaa5db0876e12
                                      • Instruction ID: 0083f5441a9fe3d43c82ed857e8f2e5f6371c8ba2888c30ccf5fb017883161bf
                                      • Opcode Fuzzy Hash: 3c963e7d0f562bfb690e9a366e361688eb88d5e644ec4b4cbceaaa5db0876e12
                                      • Instruction Fuzzy Hash: 5C613B70E152298FDB18CFA9D980AAEFBF2BF89304F24D169D409A7355D7309941CF61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9e30d5911a09ec82ed0bb4e666eb3b0d368d952fe010cd9a6e1659a5799198e8
                                      • Instruction ID: 3749fee3fb8f76fc30c750bf47ee589cc9850e382238f50509440a017ec552d5
                                      • Opcode Fuzzy Hash: 9e30d5911a09ec82ed0bb4e666eb3b0d368d952fe010cd9a6e1659a5799198e8
                                      • Instruction Fuzzy Hash: FA414E71E116198BEB58DF6B9D4479EFAF3BFC9300F14C1BA850CA6214DB3009968E55
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403849932.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3120000_rZ3LaKxraF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d702ad65b9687fbef646fc5f4dc995113b016385cccaf73bcdcb3ee0e2bf16a3
                                      • Instruction ID: 7cfd53c5353186497e10231b6b3005d14910c3bfbf9128d15313c23e7c127f98
                                      • Opcode Fuzzy Hash: d702ad65b9687fbef646fc5f4dc995113b016385cccaf73bcdcb3ee0e2bf16a3
                                      • Instruction Fuzzy Hash: 12412BB1E116198BEB58DF6BDD4579AFAF3BFC9200F14C1BA950CA6224EB3009858F15
                                      Uniqueness

                                      Uniqueness Score: -1.00%