Windows Analysis Report
arinzezx.exe

Overview

General Information

Sample Name: arinzezx.exe
Analysis ID: 694556
MD5: 314c678d85f7927a42f34797627532e1
SHA1: 1a1695ee1411cc14754cc92e14a6243ee7af81d1
SHA256: e5b9cc21b8de77e68e03e202609511b8b57d1ea278d6cd0fe0b7fb454f1d7432
Tags: exe

Detection

AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • arinzezx.exe (PID: 6600 cmdline: "C:\Users\user\Desktop\arinzezx.exe" MD5: 314C678D85F7927A42F34797627532E1)
    • arinzezx.exe (PID: 6964 cmdline: C:\Users\user\Desktop\arinzezx.exe MD5: 314C678D85F7927A42F34797627532E1)
    • arinzezx.exe (PID: 6976 cmdline: C:\Users\user\Desktop\arinzezx.exe MD5: 314C678D85F7927A42F34797627532E1)
  • cleanup

Malware Configuration (AgentTesla, extracted from 1.2.arinzezx.exe.47f2870.9.unpack)
{"Exfil Mode": "SMTP", "Username": "arinzelog@steuler-kch.org", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua"}
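The process tree shows the sample starting two copies of its own on-disk image, and the configuration pulled from memory names the SMTP account the stealer reports to. The Python below is an added example, not part of the Joe Sandbox report or of any tool the report uses: it parses the tree into parent/child records, flags the self-spawn pattern that, together with the "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures, is the usual self-hollowing sequence (the report's Yara hits on an unpacked image at 0x400000 and on the memory of PID 6976 fit that pattern), and turns the configuration into indicators a defender can block or report. The sample input is the tree and configuration from this page with the mailbox password deliberately left out; the bullet character and two-space indentation per level are assumed from the layout above.

```python
"""Triage helpers for a Joe Sandbox-style process tree and an extracted
AgentTesla configuration. Added example, not part of the report."""
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Tree copied from the report. The parser assumes Joe's layout: one bullet
# per process, two spaces of indentation per nesting level.
PROCESS_TREE = r"""
  • System is w10x64
  • arinzezx.exe (PID: 6600 cmdline: "C:\Users\user\Desktop\arinzezx.exe" MD5: 314C678D85F7927A42F34797627532E1)
    • arinzezx.exe (PID: 6964 cmdline: C:\Users\user\Desktop\arinzezx.exe MD5: 314C678D85F7927A42F34797627532E1)
    • arinzezx.exe (PID: 6976 cmdline: C:\Users\user\Desktop\arinzezx.exe MD5: 314C678D85F7927A42F34797627532E1)
  • cleanup
"""

# Configuration as the report extracted it, minus the mailbox password.
CONFIG = '{"Exfil Mode": "SMTP", "Username": "arinzelog@steuler-kch.org", "Host": "cp5ua.hyperhost.ua"}'

PROC_RE = re.compile(
    r"^(?P<indent>\s*)•\s*(?P<image>\S+)\s+\(PID:\s*(?P<pid>\d+)\s+cmdline:\s*"
    r"(?P<cmd>.*?)\s+MD5:\s*(?P<md5>[0-9A-Fa-f]{32})\)\s*$"
)


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    md5: str
    depth: int
    parent: Optional[int]  # PID of the parent, None for a root entry


def parse_process_tree(text: str) -> List[Proc]:
    """Turn the indented bullet list into Proc records; the nearest
    shallower bullet above a line is its parent."""
    procs: List[Proc] = []
    ancestors: List[Proc] = []
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if not m:            # "System is w10x64", "cleanup", blank lines
            continue
        depth = len(m.group("indent")) // 2
        while ancestors and ancestors[-1].depth >= depth:
            ancestors.pop()
        proc = Proc(int(m.group("pid")), m.group("image"), m.group("cmd"),
                    m.group("md5").lower(), depth,
                    ancestors[-1].pid if ancestors else None)
        procs.append(proc)
        ancestors.append(proc)
    return procs


def find_self_spawn(procs: List[Proc]) -> List[Tuple[int, int]]:
    """(parent PID, child PID) pairs where a process starts a copy of its own
    image with the same hash. Combined with a suspended-mode CreateProcess and
    PE injection this is self-hollowing: the child is a suspended clone whose
    image gets replaced by the unpacked payload."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for child in procs:
        parent = by_pid.get(child.parent) if child.parent is not None else None
        if parent and parent.image == child.image and parent.md5 == child.md5:
            hits.append((parent.pid, child.pid))
    return hits


def config_iocs(config_json: str) -> dict:
    """Indicators to act on: the SMTP server to block at egress, and the
    attacker-controlled mailbox (plus its domain) to report to the provider."""
    cfg = json.loads(config_json)
    iocs = {"exfil_mode": cfg.get("Exfil Mode"), "host": cfg.get("Host")}
    user = cfg.get("Username", "")
    if cfg.get("Exfil Mode") == "SMTP" and "@" in user:
        iocs["mailbox"] = user
        iocs["mail_domain"] = user.split("@", 1)[1].lower()
    return iocs


if __name__ == "__main__":
    tree = parse_process_tree(PROCESS_TREE)
    for p in tree:
        print(f"{'  ' * p.depth}{p.image} pid={p.pid} parent={p.parent} md5={p.md5}")
    print("self-spawn pairs:", find_self_spawn(tree))
    print("config IOCs:", config_iocs(CONFIG))
```

The self-spawn check is deliberately narrow (same path and same hash); a legitimate updater or installer that re-launches itself will also trip it, so in a detection pipeline it is a scoring signal to combine with the suspended-create and cross-process-write evidence, not a verdict on its own.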
Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000004.00000000.365108165.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000000.365108165.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000004.00000000.365108165.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  Strings:
  • 0x300ad:$a13: get_DnsResolver
  • 0x2e8c7:$a20: get_LastAccessed
  • 0x30a2b:$a27: set_InternalServerPort
  • 0x30d47:$a30: set_GuidMasterKey
  • 0x2e9ce:$a33: get_Clipboard
  • 0x2e9dc:$a34: get_Keyboard
  • 0x2fce0:$a35: get_ShiftKeyDown
  • 0x2fcf1:$a36: get_AltKeyDown
  • 0x2e9e9:$a37: get_Password
  • 0x2f490:$a38: get_PasswordHash
  • 0x304ad:$a39: get_DefaultCredentials
00000001.00000002.376461043.0000000002F25000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000001.00000002.381932594.0000000004787000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(truncated; 10 entries in the full report)
Unpacked PEs

Source | Rule | Description | Author
4.0.arinzezx.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
4.0.arinzezx.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
4.0.arinzezx.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  Strings:
  • 0x32b5f:$s10: logins
  • 0x325c6:$s11: credential
  • 0x2ebce:$g1: get_Clipboard
  • 0x2ebdc:$g2: get_Keyboard
  • 0x2ebe9:$g3: get_Password
  • 0x2fed0:$g4: get_CtrlKeyDown
  • 0x2fee0:$g5: get_ShiftKeyDown
  • 0x2fef1:$g6: get_AltKeyDown
4.0.arinzezx.exe.400000.0.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  Strings:
  • 0x302ad:$a13: get_DnsResolver
  • 0x2eac7:$a20: get_LastAccessed
  • 0x30c2b:$a27: set_InternalServerPort
  • 0x30f47:$a30: set_GuidMasterKey
  • 0x2ebce:$a33: get_Clipboard
  • 0x2ebdc:$a34: get_Keyboard
  • 0x2fee0:$a35: get_ShiftKeyDown
  • 0x2fef1:$a36: get_AltKeyDown
  • 0x2ebe9:$a37: get_Password
  • 0x2f690:$a38: get_PasswordHash
  • 0x306ad:$a39: get_DefaultCredentials
1.2.arinzezx.exe.4787e30.8.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(truncated; 19 entries in the full report)
                No Sigma rule has matched
                No Snort rule has matched

                AV Detection

Source: arinzezx.exe | Joe Sandbox ML: detected
Source: 4.0.arinzezx.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.2.arinzezx.exe.47f2870.9.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "arinzelog@steuler-kch.org", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua"}
Source: arinzezx.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.19.184.120:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.215.238:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: arinzezx.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Networking

Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 104.19.184.120 104.19.184.120
Source: Joe Sandbox View | IP Address: 153.92.0.100 153.92.0.100
Source: global traffic | HTTP traffic detected: GET /maps?saddr=31.2087496,29.9091634&z=10 HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Connection: Keep-Alive Host: www.google.com Cookie: AEC=AakniGOUVp4jXHHD5YhzAajOatKevD6jDoHGMxHhgsCt6t1rStwPaLBqLg
Source: global traffic | HTTP traffic detected: GET /migrate?static=true HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Connection: Keep-Alive Host: www.000webhost.com
Source: global traffic | HTTP traffic detected: GET /ml?continue=https://www.google.com/maps?saddr%3D31.2087496,29.9091634&gl=GB&m=0&pc=m&uxe=eomtm&hl=de&src=1 HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Connection: Keep-Alive Host: consent.google.com Cookie: AEC=AakniGOUVp4jXHHD5YhzAajOatKevD6jDoHGMxHhgsCt6t1rStwPaLBqLg; __Secure-ENID=6.SE=bAHSQtLrQMWxy_tqz0WaDaeFL1W5VOmOKkO5mBuNXISIweN8ghtdM05hF-gECfwTJ28xI6MWi6sNJZJsO8QjQObRoGTdPzM-68Gkxop6bVdx8jKoV8MxbLdPgIHJvYSyjREMuxUbqTR9T7NbGnUtXMHWrPSNiDAhrFDcYhFn5sM; CONSENT=PENDING+026
Source: global traffic | HTTP traffic detected: GET /?saddr=31.2087496,29.9091634&z=10 HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: maps.google.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /livestream/ HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: can-sat.netai.net Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /maps?saddr=31.2087496,29.9091634&z=10 HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: maps.google.com Connection: Keep-Alive
Source: global traffic | TCP traffic: 192.168.2.5:49725 -> 91.235.128.141:587
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden Date: Wed, 31 Aug 2022 21:48:10 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 16 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 7438f8070c269b76-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: arinzezx.exe, 00000004.00000002.587010252.00000000033F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: arinzezx.exe, 00000004.00000002.587010252.00000000033F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: arinzezx.exe, 00000004.00000002.587010252.00000000033F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://YthClZ.com
Source: arinzezx.exe, 00000001.00000002.368306823.0000000000B74000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://can-sat.netai.n
Source: arinzezx.exe, 00000001.00000002.368986456.0000000000E90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://can-sat.netai.net/5
Source: arinzezx.exe, 00000001.00000002.368306823.0000000000B74000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://can-sat.netai.net/livestream/
Source: arinzezx.exe, 00000001.00000002.368986456.0000000000E90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://can-sat.netai.net/livestream/46
Source: arinzezx.exe, 00000001.00000002.392284063.000000000AFCA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://can-sat.netai.net/livestream/5
Source: arinzezx.exe, 00000001.00000002.395742771.000000000AFED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://can-sat.netai.net/livestream/CgC
Source: arinzezx.exe, 00000001.00000002.395742771.000000000AFED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://can-sat.netai.net/livestream/Hx
Source: arinzezx.exe, 00000001.00000002.392284063.000000000AFCA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://can-sat.netai.net/livestream/e
Source: arinzezx.exe, 00000001.00000002.392284063.000000000AFCA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://can-sat.netai.net/livestream/ions.AddInAdapter.v10.0
Source: arinzezx.exe, 00000001.00000002.392284063.000000000AFCA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://can-sat.netai.net/livestream/ll
Source: arinzezx.exe, 00000001.00000002.395742771.000000000AFED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://can-sat.netai.net/livestream/r
Source: arinzezx.exe, 00000001.00000002.392284063.000000000AFCA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://can-sat.netai.net/livestream/tldi
Source: arinzezx.exe, 00000001.00000002.391809381.000000000AFAA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://can-sat.netai.net/y
Source: arinzezx.exe, 00000004.00000002.590184555.0000000003749000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cp5ua.hyperhost.ua
Source: arinzezx.exe, 00000004.00000002.590184555.0000000003749000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: arinzezx.exe, 00000001.00000002.396320126.000000000B022000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: arinzezx.exe, 00000004.00000002.590184555.0000000003749000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: arinzezx.exe, 00000001.00000003.328011792.0000000008042000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000003.328069691.0000000008044000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000003.327966259.0000000008040000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://en.wD
Source: arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: arinzezx.exe, 00000001.00000002.396320126.000000000B022000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://maps.google.com/
Source: arinzezx.exe, 00000001.00000002.371377972.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://maps.google.com/?saddr=31.2087496
Source: arinzezx.exe, 00000001.00000002.396211933.000000000B010000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://maps.google.com/maps?saddr=31.2087496
Source: arinzezx.exe, 00000004.00000002.590184555.0000000003749000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: arinzezx.exe, 00000004.00000002.590184555.0000000003749000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: arinzezx.exe, 00000001.00000003.329249971.0000000008034000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: arinzezx.exe, 00000001.00000003.329249971.0000000008034000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlu
Source: arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: arinzezx.exe, 00000001.00000003.331818514.0000000008070000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000003.331395636.0000000008070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers2~
Source: arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: arinzezx.exe, 00000001.00000003.331202082.0000000008070000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000003.331229601.0000000008070000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000003.331180508.0000000008070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersAny
Source: arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: arinzezx.exe, 00000001.00000003.330821049.0000000008070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designerse~
Source: arinzezx.exe, 00000001.00000003.324250155.000000000804B000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: arinzezx.exe, 00000001.00000003.324211844.000000000804B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.comcD
Source: arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: arinzezx.exe, 00000001.00000003.329765672.0000000008041000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: arinzezx.exe, 00000001.00000003.324693815.000000000804B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.comY
Source: arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: arinzezx.exe, 00000004.00000002.590311251.000000000376C000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000004.00000002.589851489.0000000003704000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000004.00000002.587010252.00000000033F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://DtM6GM1g5LTlJoVP.org
Source: arinzezx.exe, 00000001.00000002.396430673.000000000B03C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://consent.google.com/
Source: arinzezx.exe, 00000001.00000002.396163809.000000000B009000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://consent.google.com/ml?continue=https://www.google.com/maps?saddr%3D31.2087496
Source: arinzezx.exe, 00000001.00000002.392284063.000000000AFCA000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000002.397304814.000000000BAD9000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000003.362398365.000000000BAD9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/report-to/ConsentHttp/external
Source: arinzezx.exe, 00000001.00000002.392284063.000000000AFCA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: arinzezx.exe, 00000004.00000002.590184555.0000000003749000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: arinzezx.exe, 00000001.00000002.396226962.000000000B014000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.000webhost.com/
Source: arinzezx.exe, 00000001.00000002.396226962.000000000B014000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.000webhost.com/X
Source: arinzezx.exe, 00000001.00000002.396211933.000000000B010000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000002.395742771.000000000AFED000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000002.391809381.000000000AFAA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.000webhost.com/migrate?static=true
Source: arinzezx.exe, 00000001.00000002.396211933.000000000B010000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.000webhost.com/migrate?static=truec
Source: arinzezx.exe, 00000001.00000002.391809381.000000000AFAA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.000webhost.com/migrate?static=truekM
Source: arinzezx.exe, 00000001.00000002.395742771.000000000AFED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.000webhost.com/migrate?static=truesl
Source: arinzezx.exe, 00000001.00000002.396320126.000000000B022000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/
Source: arinzezx.exe, 00000001.00000002.396320126.000000000B022000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/_
Source: arinzezx.exe, 00000001.00000002.391736808.000000000AFA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/maps?saddr%3D31.2087496
Source: arinzezx.exe, 00000001.00000002.396211933.000000000B010000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000002.396320126.000000000B022000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/maps?saddr=31.2087496
Source: arinzezx.exe, 00000004.00000002.587010252.00000000033F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: maps.google.com
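The network evidence in this section is printed as free-form signature lines with the request headers run together. The Python below is an added example, not part of the report: it parses those line shapes into a structured indicator set and applies two checks a reviewer would otherwise make by eye, the connection to a mail-submission port (which is what the configuration's SMTP exfil mode predicts) and the mismatch between the "Windows NT 6.2" claimed by the User-Agent and the w10x64 analysis system, which reports as NT 10.0. The sample lines are copied from this page with the Accept and Cookie headers trimmed; the host regex assumes hostnames in these lines are lowercase and that the fused following header starts with a capital letter. Linking 91.235.128.141 to the configured host cp5ua.hyperhost.ua would need the DNS or pcap data, which is not on the page, so the code does not assert it.

```python
"""Extract network indicators from Joe Sandbox-style signature lines and
apply two reviewer checks. Added example, not part of the report."""
import re
from collections import OrderedDict
from typing import Any, Dict, List

UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; "
      ".NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)")

# Lines copied from this report (Accept and Cookie headers trimmed). In the
# HTTP lines the headers run together exactly as the report prints them.
REPORT_LINES = [
    "Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19",
    "Source: Joe Sandbox View | IP Address: 104.19.184.120 104.19.184.120",
    "Source: Joe Sandbox View | IP Address: 153.92.0.100 153.92.0.100",
    f"Source: global traffic | HTTP traffic detected: GET /maps?saddr=31.2087496,29.9091634&z=10 HTTP/1.1User-Agent: {UA}Connection: Keep-AliveHost: www.google.com",
    f"Source: global traffic | HTTP traffic detected: GET /migrate?static=true HTTP/1.1User-Agent: {UA}Connection: Keep-AliveHost: www.000webhost.com",
    f"Source: global traffic | HTTP traffic detected: GET /?saddr=31.2087496,29.9091634&z=10 HTTP/1.1User-Agent: {UA}Host: maps.google.comConnection: Keep-Alive",
    f"Source: global traffic | HTTP traffic detected: GET /livestream/ HTTP/1.1User-Agent: {UA}Host: can-sat.netai.netConnection: Keep-Alive",
    "Source: global traffic | TCP traffic: 192.168.2.5:49725 -> 91.235.128.141:587",
    "Source: global traffic | TCP traffic: 192.168.2.5:49725 -> 91.235.128.141:587",
    "Source: unknown | HTTPS traffic detected: 104.19.184.120:443 -> 192.168.2.5:49716 version: TLS 1.2",
    "Source: unknown | HTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.5:49717 version: TLS 1.2",
    "Source: unknown | DNS traffic detected: queries for: maps.google.com",
    "Source: global traffic | HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: cloudflare",
]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
REQ_RE = re.compile(r"HTTP traffic detected: (GET|POST) (\S+) HTTP/1\.[01]")
# Host names in these lines are lowercase and the fused next header starts
# with a capital letter, so a lowercase character class stops at the boundary.
HOST_RE = re.compile(r"Host:\s*([a-z0-9.-]+)")
UA_RE = re.compile(r"User-Agent:\s*(.*?)(?=(?:Connection|Host|Cookie|Accept|Content-Length):)")
TCP_RE = re.compile(rf"TCP traffic: {IPV4}:\d+ -> {IPV4}:(\d+)")
TLS_RE = re.compile(rf"HTTPS traffic detected: {IPV4}:(\d+) -> {IPV4}:\d+ version: (TLS [\d.]+)")
JA3_RE = re.compile(r"JA3 fingerprint: ([0-9a-f]{32})")
IP_RE = re.compile(rf"IP Address: {IPV4}")
DNS_RE = re.compile(r"DNS traffic detected: queries for: (\S+)")
NT_RE = re.compile(r"Windows NT (\d+\.\d+)")
MAIL_PORTS = {25, 465, 587}   # SMTP, SMTPS, submission


def extract_network_iocs(lines: List[str]) -> Dict[str, Any]:
    """One pass over the report lines; every bucket is de-duplicated and
    keeps first-seen order so the output is stable for diffing."""
    iocs: Dict[str, Any] = {
        "http": OrderedDict(),   # host -> list of "METHOD /path"
        "user_agents": [], "tls_servers": [], "smtp_endpoints": [],
        "other_tcp": [], "ja3": [], "known_bad_ips": [], "dns": [],
    }

    def add(key: str, value: Any) -> None:
        if value not in iocs[key]:
            iocs[key].append(value)

    for line in lines:
        if m := REQ_RE.search(line):
            host = HOST_RE.search(line)
            hostname = host.group(1) if host else "?"
            requests = iocs["http"].setdefault(hostname, [])
            request = f"{m.group(1)} {m.group(2)}"
            if request not in requests:
                requests.append(request)
            if ua := UA_RE.search(line):
                add("user_agents", ua.group(1))
        elif m := TCP_RE.search(line):
            endpoint = (m.group(2), int(m.group(3)))       # destination only
            add("smtp_endpoints" if endpoint[1] in MAIL_PORTS else "other_tcp", endpoint)
        elif m := TLS_RE.search(line):
            add("tls_servers", (m.group(1), int(m.group(2)), m.group(4)))
        elif m := JA3_RE.search(line):
            add("ja3", m.group(1))
        elif m := IP_RE.search(line):
            add("known_bad_ips", m.group(1))
        elif m := DNS_RE.search(line):
            add("dns", m.group(1))
    return iocs


def ua_os_mismatch(user_agent: str, sandbox_nt: str = "10.0") -> bool:
    """True when the NT version claimed by the User-Agent differs from the
    analysis OS; a hardcoded legacy UA on a modern host is a useful tell."""
    m = NT_RE.search(user_agent)
    return bool(m) and m.group(1) != sandbox_nt


def triage(iocs: Dict[str, Any], sandbox_nt: str = "10.0") -> List[str]:
    flags = []
    if iocs["smtp_endpoints"]:
        flags.append("MAIL_SUBMISSION_EGRESS")   # matches the config's SMTP exfil mode
    if any(ua_os_mismatch(ua, sandbox_nt) for ua in iocs["user_agents"]):
        flags.append("UA_OS_MISMATCH")
    return flags


if __name__ == "__main__":
    result = extract_network_iocs(REPORT_LINES)
    for key, value in result.items():
        print(f"{key}: {dict(value) if isinstance(value, OrderedDict) else value}")
    print("flags:", triage(result))
```

On the output, the Google and 000webhost hosts are the noise that needs separating from the one line that matters operationally: a user-profile executable opening port 587 to 91.235.128.141. That destination, the JA3 hash and the two "seen with other malware" IPs are the entries worth pushing to a blocklist; the DNS query for maps.google.com is not.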

                Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\arinzezx.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\arinzezx.exe
Source: arinzezx.exe, 00000001.00000002.368803858.0000000000E5A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\arinzezx.exe | Window created: window name: CLIPBRDWNDCLASS

                System Summary

                barindex
                Source: 4.0.arinzezx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 4.0.arinzezx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 1.2.arinzezx.exe.4787e30.8.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 1.2.arinzezx.exe.4787e30.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 1.2.arinzezx.exe.47be250.10.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 1.2.arinzezx.exe.47be250.10.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 1.2.arinzezx.exe.47f2870.9.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 1.2.arinzezx.exe.47f2870.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 1.2.arinzezx.exe.47f2870.9.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 1.2.arinzezx.exe.47f2870.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 1.2.arinzezx.exe.47be250.10.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 1.2.arinzezx.exe.47be250.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 00000004.00000000.365108165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 00000001.00000002.381932594.0000000004787000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: Process Memory Space: arinzezx.exe PID: 6600, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: Process Memory Space: arinzezx.exe PID: 6976, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: arinzezx.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 4.0.arinzezx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 4.0.arinzezx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 1.2.arinzezx.exe.4787e30.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 1.2.arinzezx.exe.4787e30.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 1.2.arinzezx.exe.47be250.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 1.2.arinzezx.exe.47be250.10.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 1.2.arinzezx.exe.47f2870.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 1.2.arinzezx.exe.47f2870.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 1.2.arinzezx.exe.47f2870.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 1.2.arinzezx.exe.47f2870.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 1.2.arinzezx.exe.47be250.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 1.2.arinzezx.exe.47be250.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000004.00000000.365108165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000001.00000002.381932594.0000000004787000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: arinzezx.exe PID: 6600, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: arinzezx.exe PID: 6976, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: C:\Users\user\Desktop\arinzezx.exe Code function: 1_2_01052300
                Source: C:\Users\user\Desktop\arinzezx.exe Code function: 1_2_01051008
                Source: C:\Users\user\Desktop\arinzezx.exe Code function: 1_2_010518A8
                Source: C:\Users\user\Desktop\arinzezx.exe Code function: 1_2_0105C390
                Source: C:\Users\user\Desktop\arinzezx.exe Code function: 1_2_010522F2
                Source: C:\Users\user\Desktop\arinzezx.exe Code function: 1_2_01050470
                Source: C:\Users\user\Desktop\arinzezx.exe Code function: 1_2_01050480
                Source: C:\Users\user\Desktop\arinzezx.exe Code function: 1_2_01054C30
                Source: C:\Users\user\Desktop\arinzezx.exe Code function: 1_2_01054C40
                Source: C:\Users\user\Desktop\arinzezx.exe Code function: 1_2_01050F58
                Source: C:\Users\user\Desktop\arinzezx.exe Code function: 1_2_01055358
                Source: C:\Users\user\Desktop\arinzezx.exe Code function: 1_2_01055368
                Source: C:\Users\user\Desktop\arinzezx.exe Code function: 1_2_01055508
                Source: C:\Users\user\Desktop\arinzezx.exe Code function: 1_2_010554F9
                Source: C:\Users\user\Desktop\arinzezx.exe Code function: 1_2_01051898
                Source: C:\Users\user\Desktop\arinzezx.exe Code function: 4_2_0193F080
                Source: C:\Users\user\Desktop\arinzezx.exe Code function: 4_2_01936120
                Source: C:\Users\user\Desktop\arinzezx.exe Code function: 4_2_0193F3C8
                Source: arinzezx.exe, 00000001.00000002.377336443.0000000004375000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMetal.dllJ vs arinzezx.exe
                Source: arinzezx.exe, 00000001.00000002.397370514.000000000BCA0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs arinzezx.exe
                Source: arinzezx.exe, 00000001.00000002.372126148.0000000002C34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs arinzezx.exe
                Source: arinzezx.exe, 00000001.00000002.372126148.0000000002C34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs arinzezx.exe
                Source: arinzezx.exe, 00000001.00000002.381932594.0000000004787000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMvPjRuRlDFKfQwhEStKRmBHzGSPHPolYc.exe4 vs arinzezx.exe
                Source: arinzezx.exe, 00000001.00000002.376461043.0000000002F25000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMvPjRuRlDFKfQwhEStKRmBHzGSPHPolYc.exe4 vs arinzezx.exe
                Source: arinzezx.exe, 00000001.00000000.318667421.00000000007E6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNoyn.exe6 vs arinzezx.exe
                Source: arinzezx.exe, 00000001.00000002.397602264.000000000BCD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs arinzezx.exe
                Source: arinzezx.exe, 00000001.00000002.371377972.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameriched20.dllp( vs arinzezx.exe
                Source: arinzezx.exe, 00000001.00000002.371377972.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs arinzezx.exe
                Source: arinzezx.exe, 00000001.00000002.371377972.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: k,\\StringFileInfo\\000004B0\\OriginalFilename vs arinzezx.exe
                Source: arinzezx.exe, 00000001.00000002.397992784.000000000BFD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMetal.dllJ vs arinzezx.exe
                Source: arinzezx.exe, 00000001.00000002.368803858.0000000000E5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs arinzezx.exe
                Source: arinzezx.exe, 00000004.00000002.585115297.00000000014F8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs arinzezx.exe
                Source: arinzezx.exe, 00000004.00000000.365778134.0000000000436000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMvPjRuRlDFKfQwhEStKRmBHzGSPHPolYc.exe4 vs arinzezx.exe
                Source: arinzezx.exe Binary or memory string: OriginalFilenameNoyn.exe6 vs arinzezx.exe
                Source: arinzezx.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\arinzezx.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown Process created: C:\Users\user\Desktop\arinzezx.exe "C:\Users\user\Desktop\arinzezx.exe"
                Source: C:\Users\user\Desktop\arinzezx.exe Process created: C:\Users\user\Desktop\arinzezx.exe C:\Users\user\Desktop\arinzezx.exe
                Source: C:\Users\user\Desktop\arinzezx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
                Source: C:\Users\user\Desktop\arinzezx.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\arinzezx.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\arinzezx.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM
                Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/2@6/7
                Source: arinzezx.exe, 00000004.00000002.589836319.00000000036FF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: arinzezx.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\arinzezx.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\arinzezx.exe File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\arinzezx.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: arinzezx.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                Source: C:\Users\user\Desktop\arinzezx.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: arinzezx.exe Static file information: File size 1527808 > 1048576
                Source: arinzezx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: arinzezx.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x172400
                Source: arinzezx.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: initial sample Static PE information: section name: .text entropy: 7.276869829356131
                Source: C:\Users\user\Desktop\arinzezx.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match File source: 00000001.00000002.376461043.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: arinzezx.exe PID: 6600, type: MEMORYSTR
                Source: arinzezx.exe, 00000001.00000002.376461043.0000000002F25000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                Source: arinzezx.exe, 00000001.00000002.376461043.0000000002F25000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAMETSOFTWARE\ORACLE\VIRTUALBOX GUEST ADDITIONS
                Source: C:\Users\user\Desktop\arinzezx.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\arinzezx.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\arinzezx.exe TID: 6604 Thread sleep time: -45877s >= -30000s
                Source: C:\Users\user\Desktop\arinzezx.exe TID: 6628 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\arinzezx.exe TID: 7100 Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Users\user\Desktop\arinzezx.exe TID: 7104 Thread sleep count: 9765 > 30
                Source: C:\Users\user\Desktop\arinzezx.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\arinzezx.exe Window / User API: threadDelayed 9765
                Source: C:\Users\user\Desktop\arinzezx.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\arinzezx.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\arinzezx.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\arinzezx.exe Thread delayed: delay time: 45877
                Source: arinzezx.exe, 00000001.00000002.376461043.0000000002F25000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBOXDSOFTWARE\VMware, Inc.\VMware Tools
                Source: arinzezx.exe, 00000001.00000002.376461043.0000000002F25000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: arinzezx.exe, 00000001.00000002.376461043.0000000002F25000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
                Source: arinzezx.exe, 00000001.00000002.376461043.0000000002F25000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II6VirtualBox Graphics Adapter
                Source: arinzezx.exe, 00000001.00000002.376461043.0000000002F25000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE6HARDWARE\Description\System"SystemBiosVersion
                Source: arinzezx.exe, 00000001.00000003.343464188.000000000B00D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: arinzezx.exe, 00000001.00000002.397992784.000000000BFD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: W7fmmApVmCIQcR3DJ29
                Source: arinzezx.exe, 00000001.00000002.376461043.0000000002F25000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: QEMUNSYSTEM\ControlSet001\Services\Disk\Enum
                Source: arinzezx.exe, 00000001.00000002.370023698.0000000000F43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: arinzezx.exe, 00000001.00000002.392284063.000000000AFCA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWi.net
                Source: C:\Users\user\Desktop\arinzezx.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\arinzezx.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\arinzezx.exe | Memory written: C:\Users\user\Desktop\arinzezx.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\arinzezx.exe | Process created: C:\Users\user\Desktop\arinzezx.exe C:\Users\user\Desktop\arinzezx.exe
                Source: C:\Users\user\Desktop\arinzezx.exe | Process created: C:\Users\user\Desktop\arinzezx.exe C:\Users\user\Desktop\arinzezx.exe
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Users\user\Desktop\arinzezx.exe VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms.DataVisualization\v4.0_4.0.0.0__31bf3856ad364e35\System.Windows.Forms.DataVisualization.dll VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Users\user\Desktop\arinzezx.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\arinzezx.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                barindex
                Source: Yara match | File source: 4.0.arinzezx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.arinzezx.exe.4787e30.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.arinzezx.exe.47be250.10.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.arinzezx.exe.47f2870.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.arinzezx.exe.47f2870.9.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.arinzezx.exe.47be250.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000000.365108165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.381932594.0000000004787000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.587010252.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: arinzezx.exe PID: 6600, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: arinzezx.exe PID: 6976, type: MEMORYSTR
                Source: C:\Users\user\Desktop\arinzezx.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\arinzezx.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\arinzezx.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Users\user\Desktop\arinzezx.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Users\user\Desktop\arinzezx.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: C:\Users\user\Desktop\arinzezx.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                Source: C:\Users\user\Desktop\arinzezx.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                Source: C:\Users\user\Desktop\arinzezx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\arinzezx.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: Yara match | File source: 00000004.00000002.587010252.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: arinzezx.exe PID: 6976, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Source: Yara match | File source: 4.0.arinzezx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.arinzezx.exe.4787e30.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.arinzezx.exe.47be250.10.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.arinzezx.exe.47f2870.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.arinzezx.exe.47f2870.9.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.arinzezx.exe.47be250.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000000.365108165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.381932594.0000000004787000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.587010252.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: arinzezx.exe PID: 6600, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: arinzezx.exe PID: 6976, type: MEMORYSTR

                ATT&CK matrix, listed per tactic column (numbers in parentheses are the badge values shown next to the technique in the report):

                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
                Execution: Windows Management Instrumentation (211); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
                Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
                Privilege Escalation: Process Injection (111); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
                Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (131); Process Injection (111); Obfuscated Files or Information (1); Software Packing (2)
                Credential Access: OS Credential Dumping (2); Input Capture (111); Credentials in Registry (1); NTDS; LSA Secrets; Cached Domain Credentials
                Discovery: Security Software Discovery (211); Process Discovery (1); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); Remote System Discovery (1); System Information Discovery (114)
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
                Collection: Email Collection (1); Input Capture (111); Archive Collected Data (1); Data from Local System (2); Clipboard Data (1); GUI Input Capture
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
                Command and Control: Encrypted Channel (11); Non-Standard Port (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (24); Multiband Communication
                Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
                Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
                Impact: Modify System Partition; Device Lockout; Delete Device Data

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Source | Detection | Scanner | Label
                arinzezx.exe | 100% | Joe Sandbox ML |

                No Antivirus matches

                Source | Detection | Scanner | Label
                4.0.arinzezx.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                No Antivirus matches
                Source | Detection | Scanner | Label
                http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                http://en.wD | 0% | Avira URL Cloud | safe
                http://www.fonts.comcD | 0% | Avira URL Cloud | safe
                http://can-sat.netai.net/livestream/r | 0% | Avira URL Cloud | safe
                https://csp.withgoogle.com/csp/report-to/ConsentHttp/external | 0% | Avira URL Cloud | safe
                http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
                https://DtM6GM1g5LTlJoVP.org | 0% | Avira URL Cloud | safe
                http://www.tiro.com | 0% | URL Reputation | safe
                http://www.goodfont.co.kr | 0% | URL Reputation | safe
                http://YthClZ.com | 0% | Avira URL Cloud | safe
                http://can-sat.netai.net/y | 0% | Avira URL Cloud | safe
                http://www.sajatypeworks.com | 0% | URL Reputation | safe
                http://www.typography.netD | 0% | URL Reputation | safe
                http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                http://can-sat.netai.net/livestream/Hx | 0% | Avira URL Cloud | safe
                http://fontfabrik.com | 0% | URL Reputation | safe
                http://can-sat.netai.net/livestream/ | 0% | Avira URL Cloud | safe
                http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
                http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
                http://www.sandoll.co.kr | 0% | URL Reputation | safe
                http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                http://www.sakkal.com | 0% | URL Reputation | safe
                http://can-sat.netai.net/livestream/CgC | 0% | Avira URL Cloud | safe
                http://can-sat.netai.n | 0% | Avira URL Cloud | safe
                http://can-sat.netai.net/livestream/5 | 0% | Avira URL Cloud | safe
                http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe
                https://sectigo.com/CPS0 | 0% | URL Reputation | safe
                http://can-sat.netai.net/livestream/ions.AddInAdapter.v10.0 | 0% | Avira URL Cloud | safe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
                http://can-sat.netai.net/livestream/tldi | 0% | Avira URL Cloud | safe
                http://can-sat.netai.net/5 | 0% | Avira URL Cloud | safe
                http://www.carterandcone.coml | 0% | URL Reputation | safe
                http://www.ascendercorp.com/typedesigners.htmlu | 0% | Avira URL Cloud | safe
                http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                http://www.tiro.comY | 0% | Avira URL Cloud | safe
                http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                http://can-sat.netai.net/livestream/46 | 0% | Avira URL Cloud | safe
                http://can-sat.netai.net/livestream/e | 0% | Avira URL Cloud | safe
                http://can-sat.netai.net/livestream/ll | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
can-sat.netai.net | 153.92.0.100 | true | false | | unknown
www.000webhost.com | 104.19.184.120 | true | false | | high
cp5ua.hyperhost.ua | 91.235.128.141 | true | false | | high
consent.google.com | 216.58.215.238 | true | false | | high
maps.google.com | 142.250.203.110 | true | false | | high
www.google.com | 142.250.203.100 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://www.000webhost.com/migrate?static=true | false | | high
https://consent.google.com/ml?continue=https://www.google.com/maps?saddr%3D31.2087496,29.9091634&gl=GB&m=0&pc=m&uxe=eomtm&hl=de&src=1 | false | | high
https://www.google.com/maps?saddr=31.2087496,29.9091634&z=10 | false | | high
http://maps.google.com/?saddr=31.2087496,29.9091634&z=10 | false | | high
http://can-sat.netai.net/livestream/ | false | Avira URL Cloud: safe | unknown
http://maps.google.com/maps?saddr=31.2087496,29.9091634&z=10 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.000webhost.com/migrate?static=truesl | arinzezx.exe, 00000001.00000002.395742771.000000000AFED000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://127.0.0.1:HTTP/1.1 | arinzezx.exe, 00000004.00000002.587010252.00000000033F1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://en.wD | arinzezx.exe, 00000001.00000003.328011792.0000000008042000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000003.328069691.0000000008044000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000003.327966259.0000000008040000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersG | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersAny | arinzezx.exe, 00000001.00000003.331202082.0000000008070000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000003.331229601.0000000008070000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000003.331180508.0000000008070000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.comcD | arinzezx.exe, 00000001.00000003.324211844.000000000804B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://can-sat.netai.net/livestream/r | arinzezx.exe, 00000001.00000002.395742771.000000000AFED000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://csp.withgoogle.com/csp/report-to/ConsentHttp/external | arinzezx.exe, 00000001.00000002.392284063.000000000AFCA000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000002.397304814.000000000BAD9000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000003.362398365.000000000BAD9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/bThe | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | arinzezx.exe, 00000004.00000002.590184555.0000000003749000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://DtM6GM1g5LTlJoVP.org | arinzezx.exe, 00000004.00000002.590311251.000000000376C000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000004.00000002.589851489.0000000003704000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000004.00000002.587010252.00000000033F1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://cp5ua.hyperhost.ua | arinzezx.exe, 00000004.00000002.590184555.0000000003749000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.000webhost.com/migrate?static=truekM | arinzezx.exe, 00000001.00000002.391809381.000000000AFAA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://maps.google.com/?saddr=31.2087496 | arinzezx.exe, 00000001.00000002.371377972.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://YthClZ.com | arinzezx.exe, 00000004.00000002.587010252.00000000033F1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://can-sat.netai.net/y | arinzezx.exe, 00000001.00000002.391809381.000000000AFAA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://consent.google.com/ | arinzezx.exe, 00000001.00000002.396430673.000000000B03C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sajatypeworks.com | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://can-sat.netai.net/livestream/Hx | arinzezx.exe, 00000001.00000002.395742771.000000000AFED000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://fontfabrik.com | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.000webhost.com/migrate?static=truec | arinzezx.exe, 00000001.00000002.396211933.000000000B010000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | arinzezx.exe, 00000004.00000002.587010252.00000000033F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.ascendercorp.com/typedesigners.html | arinzezx.exe, 00000001.00000003.329249971.0000000008034000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | arinzezx.exe, 00000001.00000003.324250155.000000000804B000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.000webhost.com/X | arinzezx.exe, 00000001.00000002.396226962.000000000B014000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.zhongyicts.com.cn | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | arinzezx.exe, 00000001.00000003.329765672.0000000008041000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://can-sat.netai.net/livestream/CgC | arinzezx.exe, 00000001.00000002.395742771.000000000AFED000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://can-sat.netai.n | arinzezx.exe, 00000001.00000002.368306823.0000000000B74000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://can-sat.netai.net/livestream/5 | arinzezx.exe, 00000001.00000002.392284063.000000000AFCA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | arinzezx.exe, 00000004.00000002.590184555.0000000003749000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://sectigo.com/CPS0 | arinzezx.exe, 00000004.00000002.590184555.0000000003749000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://can-sat.netai.net/livestream/ions.AddInAdapter.v10.0 | arinzezx.exe, 00000001.00000002.392284063.000000000AFCA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://consent.google.com/ml?continue=https://www.google.com/maps?saddr%3D31.2087496 | arinzezx.exe, 00000001.00000002.396163809.000000000B009000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | arinzezx.exe, 00000004.00000002.587010252.00000000033F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://maps.google.com/ | arinzezx.exe, 00000001.00000002.396320126.000000000B022000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://can-sat.netai.net/livestream/tldi | arinzezx.exe, 00000001.00000002.392284063.000000000AFCA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://can-sat.netai.net/5 | arinzezx.exe, 00000001.00000002.368986456.0000000000E90000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designerse~ | arinzezx.exe, 00000001.00000003.330821049.0000000008070000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.carterandcone.coml | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers2~ | arinzezx.exe, 00000001.00000003.331818514.0000000008070000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000003.331395636.0000000008070000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.ascendercorp.com/typedesigners.htmlu | arinzezx.exe, 00000001.00000003.329249971.0000000008034000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.comY | arinzezx.exe, 00000001.00000003.324693815.000000000804B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://maps.google.com/maps?saddr=31.2087496 | arinzezx.exe, 00000001.00000002.396211933.000000000B010000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.000webhost.com/ | arinzezx.exe, 00000001.00000002.396226962.000000000B014000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://can-sat.netai.net/livestream/46 | arinzezx.exe, 00000001.00000002.368986456.0000000000E90000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://can-sat.netai.net/livestream/e | arinzezx.exe, 00000001.00000002.392284063.000000000AFCA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers8 | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/_ | arinzezx.exe, 00000001.00000002.396320126.000000000B022000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://can-sat.netai.net/livestream/ll | arinzezx.exe, 00000001.00000002.392284063.000000000AFCA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/ | arinzezx.exe, 00000001.00000002.396320126.000000000B022000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/maps?saddr=31.2087496 | arinzezx.exe, 00000001.00000002.396211933.000000000B010000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000002.396320126.000000000B022000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/maps?saddr%3D31.2087496 | arinzezx.exe, 00000001.00000002.391736808.000000000AFA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
216.58.215.238 | consent.google.com | United States | | 15169 | GOOGLEUS | false
104.19.184.120 | www.000webhost.com | United States | | 13335 | CLOUDFLARENETUS | false
142.250.203.100 | www.google.com | United States | | 15169 | GOOGLEUS | false
153.92.0.100 | can-sat.netai.net | Germany | | 204915 | AWEXUS | false
142.250.203.110 | maps.google.com | United States | | 15169 | GOOGLEUS | false
91.235.128.141 | cp5ua.hyperhost.ua | Ukraine | | 15626 | ITLASUA | false

IP
192.168.2.1
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 694556
Start date and time: 2022-08-31 23:46:48 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 36s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: arinzezx.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/2@6/7
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 13
• Number of non-executed functions: 9
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
                                                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                                              • Excluded domains from analysis (whitelisted): eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                                                                              • Not all processes where analyzed, report is missing behavior information
                                                                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                              • VT rate limit hit for: arinzezx.exe
Time | Type | Description
23:48:05 | API Interceptor | 666x Sleep call for process arinzezx.exe modified (the sandbox shortened the sample's Sleep calls 666 times)
Match (IP) | Associated Sample Name / URL | Detection | Context
104.19.184.120 | 3Xcd0v5uzp.exe | malicious | www.000webhost.com/migrate?static=true
153.92.0.100 | INV_PackingL_202208031_0104.exe | malicious | can-sat.netai.net/livestream/
153.92.0.100 | quotation.exe | malicious | can-sat.netai.net/livestream/
153.92.0.100 | aZRjd3RCg7.exe | malicious | can-sat.netai.net/livestream/
153.92.0.100 | 1bvMFh26BM.exe | malicious | can-sat.netai.net/livestream/
153.92.0.100 | STEEL-GI PHOTO FROM SMC STEEL GROUP CO.xlsx | malicious | can-sat.netai.net/livestream/
153.92.0.100 | E-tender 05-2022-Post Tender Clarification Form-Ms. NAFAL CONTRACTING TRADING CO LLC.xlsx | malicious | can-sat.netai.net/livestream/
153.92.0.100 | ESTADO DE CUENTA DHL - 1606561674.exe | malicious | can-sat.netai.net/livestream/
153.92.0.100 | Swift_010TRF-20223108.exe | malicious | can-sat.netai.net/livestream/
153.92.0.100 | Ordem de compra.exe | malicious | can-sat.netai.net/livestream/
153.92.0.100 | Nova ordem.exe | malicious | can-sat.netai.net/livestream/
153.92.0.100 | Egacid2z8g.exe | malicious | can-sat.netai.net/livestream/
153.92.0.100 | Pedido Sandero.exe | malicious | can-sat.netai.net/livestream/
153.92.0.100 | dhl.exe | malicious | can-sat.netai.net/livestream/
153.92.0.100 | DHL DOCUMENT.exe | malicious | can-sat.netai.net/livestream/
153.92.0.100 | Request Quotation no.QT-672470.exe | malicious | can-sat.netai.net/livestream/
153.92.0.100 | SecuriteInfo.com.Variant.Tedy.195528.12582.26764.exe | malicious | can-sat.netai.net/livestream/
153.92.0.100 | 0131 Hk..exe | malicious | can-sat.netai.net/livestream/
153.92.0.100 | SecuriteInfo.com.Trojan.GenericKD.61631282.22936.24614.exe | malicious | can-sat.netai.net/livestream/
153.92.0.100 | SecuriteInfo.com.Variant.Tedy.195528.25324.29651.exe | malicious | can-sat.netai.net/livestream/
153.92.0.100 | damianozx.exe | malicious | can-sat.netai.net/livestream/
Match (domain) | Associated Sample Name / URL | Detection | Context
can-sat.netai.net | INV_PackingL_202208031_0104.exe | malicious | 153.92.0.100
can-sat.netai.net | quotation.exe | malicious | 153.92.0.100
can-sat.netai.net | aZRjd3RCg7.exe | malicious | 153.92.0.100
can-sat.netai.net | 1bvMFh26BM.exe | malicious | 153.92.0.100
can-sat.netai.net | STEEL-GI PHOTO FROM SMC STEEL GROUP CO.xlsx | malicious | 153.92.0.100
can-sat.netai.net | E-tender 05-2022-Post Tender Clarification Form-Ms. NAFAL CONTRACTING TRADING CO LLC.xlsx | malicious | 153.92.0.100
can-sat.netai.net | ESTADO DE CUENTA DHL - 1606561674.exe | malicious | 153.92.0.100
can-sat.netai.net | Swift_010TRF-20223108.exe | malicious | 153.92.0.100
can-sat.netai.net | Ordem de compra.exe | malicious | 153.92.0.100
can-sat.netai.net | Nova ordem.exe | malicious | 153.92.0.100
can-sat.netai.net | Egacid2z8g.exe | malicious | 153.92.0.100
can-sat.netai.net | Pedido Sandero.exe | malicious | 153.92.0.100
can-sat.netai.net | dhl.exe | malicious | 153.92.0.100
can-sat.netai.net | DHL DOCUMENT.exe | malicious | 153.92.0.100
can-sat.netai.net | Request Quotation no.QT-672470.exe | malicious | 153.92.0.100
can-sat.netai.net | SecuriteInfo.com.Variant.Tedy.195528.12582.26764.exe | malicious | 153.92.0.100
can-sat.netai.net | 0131 Hk..exe | malicious | 153.92.0.100
can-sat.netai.net | SecuriteInfo.com.Trojan.GenericKD.61631282.22936.24614.exe | malicious | 153.92.0.100
can-sat.netai.net | SecuriteInfo.com.Variant.Tedy.195528.25324.29651.exe | malicious | 153.92.0.100
can-sat.netai.net | damianozx.exe | malicious | 153.92.0.100
Match (ASN) | Associated Sample Name / URL | Detection | Context
CLOUDFLARENETUS | THN6clTA6P.exe | malicious | 104.21.68.165
CLOUDFLARENETUS | https://rfp-skytech.myportfolio.com/ | malicious | 104.18.11.207
CLOUDFLARENETUS | INV_PackingL_202208031_0104.exe | malicious | 104.19.185.120
CLOUDFLARENETUS | fraiche_0831003.js | malicious | 162.159.135.233
CLOUDFLARENETUS | file.exe | malicious | 188.114.97.3
CLOUDFLARENETUS | PURCHASE ORDER.exe | malicious | 188.114.97.3
CLOUDFLARENETUS | FedEx.exe | malicious | 188.114.96.3
CLOUDFLARENETUS | E-dekont.exe | malicious | 23.227.38.74
CLOUDFLARENETUS | quotation.exe | malicious | 104.19.185.120
CLOUDFLARENETUS | 22D1530H.exe | malicious | 162.159.135.233
CLOUDFLARENETUS | aZRjd3RCg7.exe | malicious | 104.19.185.120
CLOUDFLARENETUS | 1bvMFh26BM.exe | malicious | 104.19.184.120
CLOUDFLARENETUS | STEEL-GI PHOTO FROM SMC STEEL GROUP CO.xlsx | malicious | 104.19.185.120
CLOUDFLARENETUS | http://gogoanime.run | malicious | 104.17.25.14
CLOUDFLARENETUS | E-tender 05-2022-Post Tender Clarification Form-Ms. NAFAL CONTRACTING TRADING CO LLC.xlsx | malicious | 104.19.185.120
CLOUDFLARENETUS | ESTADO DE CUENTA DHL - 1606561674.exe | malicious | 104.19.184.120
CLOUDFLARENETUS | Swift_010TRF-20223108.exe | malicious | 104.19.184.120
CLOUDFLARENETUS | Ordem de compra.exe | malicious | 104.19.184.120
CLOUDFLARENETUS | Nova ordem.exe | malicious | 104.19.184.120
CLOUDFLARENETUS | https://sharepointeln-online.mfs.gg/aswm47B | malicious | 172.67.74.85
AWEXUS | INV_PackingL_202208031_0104.exe | malicious | 153.92.0.100
AWEXUS | Nopyfy-Ransomware.bin.exe | malicious | 145.14.145.62
AWEXUS | quotation.exe | malicious | 153.92.0.100
AWEXUS | aZRjd3RCg7.exe | malicious | 153.92.0.100
AWEXUS | 1bvMFh26BM.exe | malicious | 153.92.0.100
AWEXUS | STEEL-GI PHOTO FROM SMC STEEL GROUP CO.xlsx | malicious | 153.92.0.100
AWEXUS | E-tender 05-2022-Post Tender Clarification Form-Ms. NAFAL CONTRACTING TRADING CO LLC.xlsx | malicious | 153.92.0.100
AWEXUS | ESTADO DE CUENTA DHL - 1606561674.exe | malicious | 153.92.0.100
AWEXUS | Swift_010TRF-20223108.exe | malicious | 153.92.0.100
AWEXUS | Ordem de compra.exe | malicious | 153.92.0.100
AWEXUS | Nova ordem.exe | malicious | 153.92.0.100
AWEXUS | Egacid2z8g.exe | malicious | 153.92.0.100
AWEXUS | Pedido Sandero.exe | malicious | 153.92.0.100
AWEXUS | dhl.exe | malicious | 153.92.0.100
AWEXUS | DHL DOCUMENT.exe | malicious | 153.92.0.100
AWEXUS | Request Quotation no.QT-672470.exe | malicious | 153.92.0.100
AWEXUS | SecuriteInfo.com.Variant.Tedy.195528.12582.26764.exe | malicious | 153.92.0.100
AWEXUS | 0131 Hk..exe | malicious | 153.92.0.100
AWEXUS | SecuriteInfo.com.Trojan.GenericKD.61631282.22936.24614.exe | malicious | 153.92.0.100
AWEXUS | SecuriteInfo.com.Variant.Tedy.195528.25324.29651.exe | malicious | 153.92.0.100
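The pivot tables on this page are only useful once they are turned into a check against your own telemetry, and not every indicator in them deserves the same trust: can-sat.netai.net/livestream/ is specific to this sample family, 153.92.0.100 is a shared free-hosting address that other tenants use too, 104.19.184.120 is a Cloudflare edge that fronts many unrelated sites, and 37f463bf4616ecd445d4a1937da06e19 is widely reported as the generic Windows SChannel/.NET client fingerprint, so it is near-noise on its own. The script below is an added example of mine, not part of the Joe Sandbox report: it runs those indicators over a few constructed key=value proxy/TLS log lines and scores each line by indicator specificity. The log format, field names, weights and alert threshold are all assumptions.

```python
"""Weighted IOC matching over constructed log lines, using the pivots from this report."""
import re
from dataclasses import dataclass

# Indicators taken from the associated-sample tables on this page.
# Weights are an assumption of mine: hostname+path is campaign-specific,
# the shared-hosting IP is medium, the Cloudflare edge IP is weak, and the
# generic Windows SChannel/.NET JA3 hash is almost noise by itself.
IOC_HOST = "can-sat.netai.net"
IOC_PATH = "/livestream/"
IOC_IPS = {"153.92.0.100": 40, "104.19.184.120": 10}
IOC_JA3 = {"37f463bf4616ecd445d4a1937da06e19": 5}
STRONG = 60  # assumed threshold: a single line at or above this is worth an alert


@dataclass
class Hit:
    line_no: int
    score: int
    reasons: list


# Constructed sample telemetry (not real logs), simplified key=value format.
SAMPLE_LOG = """\
ts=1661982485 src=10.0.0.15 dst=153.92.0.100 host=can-sat.netai.net uri=/livestream/ ja3=37f463bf4616ecd445d4a1937da06e19
ts=1661982490 src=10.0.0.22 dst=104.19.184.120 host=www.000webhost.com uri=/ ja3=37f463bf4616ecd445d4a1937da06e19
ts=1661982501 src=10.0.0.31 dst=142.250.74.36 host=www.google.com uri=/ ja3=37f463bf4616ecd445d4a1937da06e19
ts=1661982530 src=10.0.0.15 dst=153.92.0.100 host=other-tenant.netai.net uri=/index.html ja3=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict (assumed format)."""
    return dict(KV.findall(line))


def score_event(ev: dict):
    """Return (score, reasons) for one parsed event against the IOC set."""
    score, reasons = 0, []
    host = ev.get("host", "").lower()
    if host == IOC_HOST:
        score += 50
        reasons.append("host")
        # The path only adds weight when the campaign host matches too;
        # "/livestream/" alone is far too common to count.
        if ev.get("uri", "").startswith(IOC_PATH):
            score += 30
            reasons.append("uri")
    ip_weight = IOC_IPS.get(ev.get("dst", ""))
    if ip_weight:
        score += ip_weight
        reasons.append("dst")
    ja3_weight = IOC_JA3.get(ev.get("ja3", "").lower())
    if ja3_weight:
        score += ja3_weight
        reasons.append("ja3")
    return score, reasons


def scan(log_text: str) -> list:
    """Score every non-empty line; return all lines that matched any indicator."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        score, reasons = score_event(parse_line(line))
        if score:
            hits.append(Hit(n, score, reasons))
    return hits


def alerts(log_text: str, threshold: int = STRONG) -> list:
    """Only lines whose combined evidence crosses the threshold."""
    return [h for h in scan(log_text) if h.score >= threshold]


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: score={h.score} reasons={','.join(h.reasons)}")
    print("alerts:", [h.line_no for h in alerts(SAMPLE_LOG)])
```

On the constructed input only the first line alerts: host, path, hosting IP and JA3 all agree. The second and third lines carry the JA3 hash (and one a Cloudflare IP) and score 15 and 5, which is the right outcome for indicators shared with ordinary Windows software; the fourth line hits the shared-hosting IP alone and stays below the threshold, flagging it for corroboration rather than an alert.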
Match (JA3 fingerprint) | Associated Sample Name / URL | Detection | Context
37f463bf4616ecd445d4a1937da06e19 | https://www.evernote.com/shard/s601/sh/37d985c2-2862-575c-145e-8cd169549bc8/518d16a0d112c168ac6c447977a15cc1 | malicious | 216.58.215.238, 104.19.184.120, 142.250.203.100
37f463bf4616ecd445d4a1937da06e19 | INV_PackingL_202208031_0104.exe | malicious | 216.58.215.238, 104.19.184.120, 142.250.203.100
37f463bf4616ecd445d4a1937da06e19 | https://placementrcr.ca/adobe.sharepoint/office2021/wamp.php?cramp=020202 | malicious | 216.58.215.238, 104.19.184.120, 142.250.203.100
37f463bf4616ecd445d4a1937da06e19 | quotation.exe | malicious | 216.58.215.238, 104.19.184.120, 142.250.203.100
37f463bf4616ecd445d4a1937da06e19 | aZRjd3RCg7.exe | malicious | 216.58.215.238, 104.19.184.120, 142.250.203.100
37f463bf4616ecd445d4a1937da06e19 | 1bvMFh26BM.exe | malicious | 216.58.215.238, 104.19.184.120, 142.250.203.100
37f463bf4616ecd445d4a1937da06e19 | purchase order.exe | malicious | 216.58.215.238, 104.19.184.120, 142.250.203.100
37f463bf4616ecd445d4a1937da06e19 | ESTADO DE CUENTA DHL - 1606561674.exe | malicious | 216.58.215.238, 104.19.184.120, 142.250.203.100
37f463bf4616ecd445d4a1937da06e19 | Swift_010TRF-20223108.exe | malicious | 216.58.215.238, 104.19.184.120, 142.250.203.100
37f463bf4616ecd445d4a1937da06e19 | Ordem de compra.exe | malicious | 216.58.215.238, 104.19.184.120, 142.250.203.100
37f463bf4616ecd445d4a1937da06e19 | Nova ordem.exe | malicious | 216.58.215.238, 104.19.184.120, 142.250.203.100
37f463bf4616ecd445d4a1937da06e19 | https://sharepointeln-online.mfs.gg/aswm47B | malicious | 216.58.215.238, 104.19.184.120, 142.250.203.100
37f463bf4616ecd445d4a1937da06e19 | J8ctxW2E0C.exe | malicious | 216.58.215.238, 104.19.184.120, 142.250.203.100
37f463bf4616ecd445d4a1937da06e19 | 6DDMqXpUUx.exe | malicious | 216.58.215.238, 104.19.184.120, 142.250.203.100
37f463bf4616ecd445d4a1937da06e19 | eL2DUzHO1a.dll | malicious | 216.58.215.238, 104.19.184.120, 142.250.203.100
37f463bf4616ecd445d4a1937da06e19 | Egacid2z8g.exe | malicious | 216.58.215.238, 104.19.184.120, 142.250.203.100
37f463bf4616ecd445d4a1937da06e19 | eL2DUzHO1a.dll | malicious | 216.58.215.238, 104.19.184.120, 142.250.203.100
37f463bf4616ecd445d4a1937da06e19 | Pedido Sandero.exe | malicious |
                                                                                              • 216.58.215.238
                                                                                              • 104.19.184.120
                                                                                              • 142.250.203.100
                                                                                              dhl.exeGet hashmaliciousBrowse
                                                                                              • 216.58.215.238
                                                                                              • 104.19.184.120
                                                                                              • 142.250.203.100
                                                                                              BpG12M3con.exeGet hashmaliciousBrowse
                                                                                              • 216.58.215.238
                                                                                              • 104.19.184.120
                                                                                              • 142.250.203.100
No context

Process: C:\Users\user\Desktop\arinzezx.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1421
Entropy (8bit): 5.3458551807012835
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE49E4184F0:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz8
MD5: DD8C1D6EF5A3F10AA0CAC71550CF950A
SHA1: 9EBD88472EFFCE6D3CB76038B1F18091D6380083
SHA-256: A711E30BAC1BD29BF2FFA7FDA00D2F01E1978DA22F2F941E877B5C3A8476F17F
SHA-512: 2130B3804715A279E40B085702552BCB647AA5F0ED39FD1E90A8F963C8EB6D736190CB37147427C1A9CCA1AB0AF30BAB62649E045116334DF52923F0A7406A6F
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Process: C:\Users\user\Desktop\arinzezx.exe
File Type: HTML document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 162
Entropy (8bit): 4.43530643106624
Encrypted: false
SSDEEP: 3:qVoB3tUROGclXqyvXboAcMBXqWSZUXqXlIVLLP61IwcWWGu:q43tISl6kXiMIWSU6XlI5LP8IpfGu
MD5: 4F8E702CC244EC5D4DE32740C0ECBD97
SHA1: 3ADB1F02D5B6054DE0046E367C1D687B6CDF7AFF
SHA-256: 9E17CB15DD75BBBD5DBB984EDA674863C3B10AB72613CF8A39A00C3E11A8492A
SHA-512: 21047FEA5269FEE75A2A187AA09316519E35068CB2F2F76CFAF371E5224445E9D5C98497BD76FB9608D2B73E9DAC1A3F5BFADFDC4623C479D53ECF93D81D3C9F
Malicious: false
Reputation: moderate, very likely benign file
Preview: <html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>..
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.2761539654732506
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: arinzezx.exe
File size: 1527808
MD5: 314c678d85f7927a42f34797627532e1
SHA1: 1a1695ee1411cc14754cc92e14a6243ee7af81d1
SHA256: e5b9cc21b8de77e68e03e202609511b8b57d1ea278d6cd0fe0b7fb454f1d7432
SHA512: 40b9a9373cd8590cb70d8ba289d4fe0d83d5dbff81a6b6c17baf03142f4627fdeee36547a15b5b4d2b77c650ea74001ee10abe98ec6f6ba8333e9cdf57f2ca09
SSDEEP: 24576:H+tsF5jvq3uXN7+ZZ56+ncKxRGXUO+C+0/suliuM:ec5jvt856+ncaO+CV/sa
TLSH: BD655B9C7650B2AFC817CE76CAA45C24F6A0B56B430BE743A05326ED9D0D69BCF150F2
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{l.c..............0..$...*.......B... ...`....@.. ....................................@................................
Icon Hash: f0e4d068c4f4d470
Entrypoint: 0x57422e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x630F6C7B [Wed Aug 31 14:13:15 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (the same 00 00 padding instruction, repeated 97 times after the jmp)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x1741e0         0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x176000         0x2620        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x17a000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x172234      0x172400  False     0.692158618543214   data       7.276869829356131    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x176000         0x2620        0x2800    False     0.8513671875        data       7.217519667394241    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x17a000         0xc           0x200     False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA       Size    Type                                                                               Language  Country
RT_ICON        0x176130  0x1fcb  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON  0x1780fc  0x14    data
RT_VERSION     0x178110  0x320   data
RT_MANIFEST    0x178430  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

DLL          Import
mscoree.dll  _CorExeMain
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Aug 31, 2022 23:48:04.576775074 CEST  49714        80         192.168.2.5      142.250.203.110
Aug 31, 2022 23:48:04.577162981 CEST  49715        80         192.168.2.5      153.92.0.100
Aug 31, 2022 23:48:04.593622923 CEST  80           49714      142.250.203.110  192.168.2.5
Aug 31, 2022 23:48:04.593744993 CEST  49714        80         192.168.2.5      142.250.203.110
Aug 31, 2022 23:48:04.595390081 CEST  49714        80         192.168.2.5      142.250.203.110
Aug 31, 2022 23:48:04.612171888 CEST  80           49714      142.250.203.110  192.168.2.5
Aug 31, 2022 23:48:04.699640989 CEST  80           49714      142.250.203.110  192.168.2.5
Aug 31, 2022 23:48:04.699734926 CEST  49714        80         192.168.2.5      142.250.203.110
Aug 31, 2022 23:48:04.709311008 CEST  80           49715      153.92.0.100     192.168.2.5
Aug 31, 2022 23:48:04.709398031 CEST  49715        80         192.168.2.5      153.92.0.100
Aug 31, 2022 23:48:04.734621048 CEST  49715        80         192.168.2.5      153.92.0.100
Aug 31, 2022 23:48:04.738118887 CEST  49714        80         192.168.2.5      142.250.203.110
Aug 31, 2022 23:48:04.755947113 CEST  80           49714      142.250.203.110  192.168.2.5
Aug 31, 2022 23:48:04.866863012 CEST  80           49715      153.92.0.100     192.168.2.5
Aug 31, 2022 23:48:04.866895914 CEST  80           49715      153.92.0.100     192.168.2.5
Aug 31, 2022 23:48:04.867017984 CEST  49715        80         192.168.2.5      153.92.0.100
Aug 31, 2022 23:48:06.168876886 CEST  49716        443        192.168.2.5      104.19.184.120
Aug 31, 2022 23:48:06.168926001 CEST  443          49716      104.19.184.120   192.168.2.5
Aug 31, 2022 23:48:06.169018030 CEST  49716        443        192.168.2.5      104.19.184.120
Aug 31, 2022 23:48:06.386010885 CEST  80           49714      142.250.203.110  192.168.2.5
Aug 31, 2022 23:48:06.386142969 CEST  49714        80         192.168.2.5      142.250.203.110
Aug 31, 2022 23:48:06.574127913 CEST  49716        443        192.168.2.5      104.19.184.120
Aug 31, 2022 23:48:06.574150085 CEST  443          49716      104.19.184.120   192.168.2.5
Aug 31, 2022 23:48:06.627569914 CEST  443          49716      104.19.184.120   192.168.2.5
Aug 31, 2022 23:48:06.627779961 CEST  49716        443        192.168.2.5      104.19.184.120
Aug 31, 2022 23:48:09.230206966 CEST  49717        443        192.168.2.5      142.250.203.100
Aug 31, 2022 23:48:09.230243921 CEST  443          49717      142.250.203.100  192.168.2.5
Aug 31, 2022 23:48:09.230318069 CEST  49717        443        192.168.2.5      142.250.203.100
Aug 31, 2022 23:48:09.866502047 CEST  80           49715      153.92.0.100     192.168.2.5
Aug 31, 2022 23:48:09.866643906 CEST  49715        80         192.168.2.5      153.92.0.100
Aug 31, 2022 23:48:09.873178959 CEST  49717        443        192.168.2.5      142.250.203.100
                                                                                              Aug 31, 2022 23:48:09.873193979 CEST44349717142.250.203.100192.168.2.5
                                                                                              Aug 31, 2022 23:48:09.930548906 CEST44349717142.250.203.100192.168.2.5
                                                                                              Aug 31, 2022 23:48:09.930721998 CEST49717443192.168.2.5142.250.203.100
                                                                                              Aug 31, 2022 23:48:10.719584942 CEST49717443192.168.2.5142.250.203.100
                                                                                              Aug 31, 2022 23:48:10.719602108 CEST44349717142.250.203.100192.168.2.5
                                                                                              Aug 31, 2022 23:48:10.719846010 CEST49716443192.168.2.5104.19.184.120
                                                                                              Aug 31, 2022 23:48:10.719861984 CEST44349717142.250.203.100192.168.2.5
                                                                                              Aug 31, 2022 23:48:10.719871998 CEST44349716104.19.184.120192.168.2.5
                                                                                              Aug 31, 2022 23:48:10.719922066 CEST49717443192.168.2.5142.250.203.100
                                                                                              Aug 31, 2022 23:48:10.720099926 CEST44349716104.19.184.120192.168.2.5
                                                                                              Aug 31, 2022 23:48:10.720168114 CEST49716443192.168.2.5104.19.184.120
                                                                                              Aug 31, 2022 23:48:10.723875046 CEST49717443192.168.2.5142.250.203.100
                                                                                              Aug 31, 2022 23:48:10.724464893 CEST49716443192.168.2.5104.19.184.120
                                                                                              Aug 31, 2022 23:48:10.747525930 CEST44349716104.19.184.120192.168.2.5
                                                                                              Aug 31, 2022 23:48:10.747577906 CEST44349716104.19.184.120192.168.2.5
                                                                                              Aug 31, 2022 23:48:10.747678041 CEST49716443192.168.2.5104.19.184.120
                                                                                              Aug 31, 2022 23:48:10.747699022 CEST49716443192.168.2.5104.19.184.120
                                                                                              Aug 31, 2022 23:48:10.767368078 CEST44349717142.250.203.100192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.369606972 CEST44349717142.250.203.100192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.369786978 CEST49717443192.168.2.5142.250.203.100
                                                                                              Aug 31, 2022 23:48:12.369798899 CEST44349717142.250.203.100192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.369852066 CEST49717443192.168.2.5142.250.203.100
                                                                                              Aug 31, 2022 23:48:12.381283998 CEST44349717142.250.203.100192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.381340981 CEST44349717142.250.203.100192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.381407976 CEST49717443192.168.2.5142.250.203.100
                                                                                              Aug 31, 2022 23:48:12.381418943 CEST49717443192.168.2.5142.250.203.100
                                                                                              Aug 31, 2022 23:48:12.402407885 CEST49717443192.168.2.5142.250.203.100
                                                                                              Aug 31, 2022 23:48:12.402427912 CEST44349717142.250.203.100192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.402451038 CEST49717443192.168.2.5142.250.203.100
                                                                                              Aug 31, 2022 23:48:12.402487993 CEST49717443192.168.2.5142.250.203.100
                                                                                              Aug 31, 2022 23:48:12.445267916 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.445334911 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.445437908 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.495666981 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.495704889 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.558326006 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.558475971 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.560187101 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.560255051 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.591414928 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.591439009 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.591686964 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.591770887 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.593329906 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.635369062 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.653110981 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.653152943 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.653192043 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.653218031 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.653233051 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.653261900 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.654133081 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.654172897 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.654202938 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.654211998 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.654249907 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.654275894 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.655402899 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.655468941 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.655528069 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.655570984 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.656781912 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.656836033 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.656836987 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.656868935 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.656898022 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.656919003 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.657917023 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.657993078 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.659199953 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.659282923 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.659296989 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.659313917 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.659343958 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.659373999 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:31.108772993 CEST4971480192.168.2.5142.250.203.110
                                                                                              Aug 31, 2022 23:48:31.108858109 CEST4971580192.168.2.5153.92.0.100
                                                                                              Aug 31, 2022 23:48:31.108885050 CEST49716443192.168.2.5104.19.184.120
                                                                                              Aug 31, 2022 23:48:31.109146118 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:33.970053911 CEST49725587192.168.2.591.235.128.141
                                                                                              Aug 31, 2022 23:48:34.022224903 CEST5874972591.235.128.141192.168.2.5
                                                                                              Aug 31, 2022 23:48:34.022351980 CEST49725587192.168.2.591.235.128.141
                                                                                              Aug 31, 2022 23:48:34.138493061 CEST5874972591.235.128.141192.168.2.5
                                                                                              Aug 31, 2022 23:48:34.138813019 CEST49725587192.168.2.591.235.128.141
                                                                                              Aug 31, 2022 23:48:34.191039085 CEST5874972591.235.128.141192.168.2.5
                                                                                              Aug 31, 2022 23:48:34.191276073 CEST49725587192.168.2.591.235.128.141
                                                                                              Aug 31, 2022 23:48:34.246081114 CEST5874972591.235.128.141192.168.2.5
                                                                                              Aug 31, 2022 23:48:34.264950991 CEST49725587192.168.2.591.235.128.141
                                                                                              Aug 31, 2022 23:48:34.321764946 CEST5874972591.235.128.141192.168.2.5
                                                                                              Aug 31, 2022 23:48:34.321800947 CEST5874972591.235.128.141192.168.2.5
                                                                                              Aug 31, 2022 23:48:34.321822882 CEST5874972591.235.128.141192.168.2.5
                                                                                              Aug 31, 2022 23:48:34.321841002 CEST5874972591.235.128.141192.168.2.5
                                                                                              Aug 31, 2022 23:48:34.321887016 CEST49725587192.168.2.591.235.128.141
                                                                                              Aug 31, 2022 23:48:34.321918011 CEST49725587192.168.2.591.235.128.141
                                                                                              Aug 31, 2022 23:48:34.323257923 CEST5874972591.235.128.141192.168.2.5
                                                                                              Aug 31, 2022 23:48:34.394294024 CEST49725587192.168.2.591.235.128.141
                                                                                              Aug 31, 2022 23:48:34.446861029 CEST5874972591.235.128.141192.168.2.5
                                                                                              Aug 31, 2022 23:48:34.613181114 CEST49725587192.168.2.591.235.128.141
                                                                                              Aug 31, 2022 23:48:34.665515900 CEST5874972591.235.128.141192.168.2.5
                                                                                              Aug 31, 2022 23:48:34.667419910 CEST49725587192.168.2.591.235.128.141
                                                                                              Aug 31, 2022 23:48:34.720249891 CEST5874972591.235.128.141192.168.2.5
                                                                                              Aug 31, 2022 23:48:34.720848083 CEST49725587192.168.2.591.235.128.141
                                                                                              Aug 31, 2022 23:48:34.774015903 CEST5874972591.235.128.141192.168.2.5
                                                                                              Aug 31, 2022 23:48:34.774840117 CEST49725587192.168.2.591.235.128.141
                                                                                              Aug 31, 2022 23:48:34.827084064 CEST5874972591.235.128.141192.168.2.5
                                                                                              Aug 31, 2022 23:48:34.833492994 CEST49725587192.168.2.591.235.128.141
                                                                                              Aug 31, 2022 23:48:34.925647974 CEST5874972591.235.128.141192.168.2.5
                                                                                              Aug 31, 2022 23:48:34.926819086 CEST5874972591.235.128.141192.168.2.5
                                                                                              Aug 31, 2022 23:48:34.927140951 CEST49725587192.168.2.591.235.128.141
                                                                                              Aug 31, 2022 23:48:34.979504108 CEST5874972591.235.128.141192.168.2.5
                                                                                              Aug 31, 2022 23:48:34.979561090 CEST5874972591.235.128.141192.168.2.5
                                                                                              Aug 31, 2022 23:48:34.981312990 CEST49725587192.168.2.591.235.128.141
                                                                                              Aug 31, 2022 23:48:34.981462955 CEST49725587192.168.2.591.235.128.141
                                                                                              Aug 31, 2022 23:48:34.982074976 CEST49725587192.168.2.591.235.128.141
                                                                                              Aug 31, 2022 23:48:34.982208014 CEST49725587192.168.2.591.235.128.141
                                                                                              Aug 31, 2022 23:48:35.033469915 CEST5874972591.235.128.141192.168.2.5
                                                                                              Aug 31, 2022 23:48:35.033523083 CEST5874972591.235.128.141192.168.2.5
                                                                                              Aug 31, 2022 23:48:35.034049988 CEST5874972591.235.128.141192.168.2.5
                                                                                              Aug 31, 2022 23:48:35.034097910 CEST5874972591.235.128.141192.168.2.5
                                                                                              Aug 31, 2022 23:48:35.036840916 CEST5874972591.235.128.141192.168.2.5
                                                                                              Aug 31, 2022 23:48:35.119149923 CEST49725587192.168.2.591.235.128.141
                                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                                              Aug 31, 2022 23:48:04.422735929 CEST4917753192.168.2.58.8.8.8
                                                                                              Aug 31, 2022 23:48:04.450783968 CEST53491778.8.8.8192.168.2.5
                                                                                              Aug 31, 2022 23:48:04.527575016 CEST6145253192.168.2.58.8.8.8
                                                                                              Aug 31, 2022 23:48:04.558106899 CEST53614528.8.8.8192.168.2.5
                                                                                              Aug 31, 2022 23:48:06.056193113 CEST6532353192.168.2.58.8.8.8
                                                                                              Aug 31, 2022 23:48:06.078233957 CEST53653238.8.8.8192.168.2.5
                                                                                              Aug 31, 2022 23:48:07.941476107 CEST5148453192.168.2.58.8.8.8
                                                                                              Aug 31, 2022 23:48:07.969182014 CEST53514848.8.8.8192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.412324905 CEST6344653192.168.2.58.8.8.8
                                                                                              Aug 31, 2022 23:48:12.440073013 CEST53634468.8.8.8192.168.2.5
                                                                                              Aug 31, 2022 23:48:33.922821045 CEST6097553192.168.2.58.8.8.8
                                                                                              Aug 31, 2022 23:48:33.950745106 CEST53609758.8.8.8192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 31, 2022 23:48:04.422735929 CEST | 192.168.2.5 | 8.8.8.8 | 0x7761 | Standard query (0) | maps.google.com | A (IP address) | IN (0x0001)
Aug 31, 2022 23:48:04.527575016 CEST | 192.168.2.5 | 8.8.8.8 | 0xb174 | Standard query (0) | can-sat.netai.net | A (IP address) | IN (0x0001)
Aug 31, 2022 23:48:06.056193113 CEST | 192.168.2.5 | 8.8.8.8 | 0x59e3 | Standard query (0) | www.000webhost.com | A (IP address) | IN (0x0001)
Aug 31, 2022 23:48:07.941476107 CEST | 192.168.2.5 | 8.8.8.8 | 0xa65d | Standard query (0) | www.google.com | A (IP address) | IN (0x0001)
Aug 31, 2022 23:48:12.412324905 CEST | 192.168.2.5 | 8.8.8.8 | 0xf296 | Standard query (0) | consent.google.com | A (IP address) | IN (0x0001)
Aug 31, 2022 23:48:33.922821045 CEST | 192.168.2.5 | 8.8.8.8 | 0xe3eb | Standard query (0) | cp5ua.hyperhost.ua | A (IP address) | IN (0x0001)

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 31, 2022 23:48:04.450783968 CEST | 8.8.8.8 | 192.168.2.5 | 0x7761 | No error (0) | maps.google.com | - | 142.250.203.110 | A (IP address) | IN (0x0001)
Aug 31, 2022 23:48:04.558106899 CEST | 8.8.8.8 | 192.168.2.5 | 0xb174 | No error (0) | can-sat.netai.net | - | 153.92.0.100 | A (IP address) | IN (0x0001)
Aug 31, 2022 23:48:06.078233957 CEST | 8.8.8.8 | 192.168.2.5 | 0x59e3 | No error (0) | www.000webhost.com | - | 104.19.184.120 | A (IP address) | IN (0x0001)
Aug 31, 2022 23:48:06.078233957 CEST | 8.8.8.8 | 192.168.2.5 | 0x59e3 | No error (0) | www.000webhost.com | - | 104.19.185.120 | A (IP address) | IN (0x0001)
Aug 31, 2022 23:48:07.969182014 CEST | 8.8.8.8 | 192.168.2.5 | 0xa65d | No error (0) | www.google.com | - | 142.250.203.100 | A (IP address) | IN (0x0001)
Aug 31, 2022 23:48:12.440073013 CEST | 8.8.8.8 | 192.168.2.5 | 0xf296 | No error (0) | consent.google.com | - | 216.58.215.238 | A (IP address) | IN (0x0001)
Aug 31, 2022 23:48:33.950745106 CEST | 8.8.8.8 | 192.168.2.5 | 0xe3eb | No error (0) | cp5ua.hyperhost.ua | - | 91.235.128.141 | A (IP address) | IN (0x0001)

• www.google.com
• www.000webhost.com
• consent.google.com
• maps.google.com
• can-sat.netai.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49717 | 142.250.203.100 | 443 | C:\Users\user\Desktop\arinzezx.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49716 | 104.19.184.120 | 443 | C:\Users\user\Desktop\arinzezx.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49718 | 216.58.215.238 | 443 | C:\Users\user\Desktop\arinzezx.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.5 | 49714 | 142.250.203.110 | 80 | C:\Users\user\Desktop\arinzezx.exe
Timestamp | kBytes transferred | Direction | Data
Aug 31, 2022 23:48:04.595390081 CEST | 822 | OUT | GET /?saddr=31.2087496,29.9091634&z=10 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: maps.google.com
Connection: Keep-Alive
Aug 31, 2022 23:48:04.699640989 CEST | 823 | IN | HTTP/1.1 302 Found
Location: http://maps.google.com/maps?saddr=31.2087496,29.9091634&z=10
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Wed, 31 Aug 2022 21:48:04 GMT
Server: gws
Content-Length: 261
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AakniGOUVp4jXHHD5YhzAajOatKevD6jDoHGMxHhgsCt6t1rStwPaLBqLg; expires=Mon, 27-Feb-2023 21:48:04 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                              Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 3a 2f 2f 6d 61 70 73 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 6d 61 70 73 3f 73 61 64 64 72 3d 33 31 2e 32 30 38 37 34 39 36 2c 32 39 2e 39 30 39 31 36 33 34 26 61 6d 70 3b 7a 3d 31 30 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                                                                              Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="http://maps.google.com/maps?saddr=31.2087496,29.9091634&amp;z=10">here</A>.</BODY></HTML>
Aug 31, 2022 23:48:04.738118887 CEST | 824 | OUT | GET /maps?saddr=31.2087496,29.9091634&z=10 HTTP/1.1
                                                                                              Accept: */*
                                                                                              Accept-Language: en-US
                                                                                              Accept-Encoding: gzip, deflate
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                              Host: maps.google.com
                                                                                              Connection: Keep-Alive
Aug 31, 2022 23:48:06.386010885 CEST | 884 | IN | HTTP/1.1 302 Found
                                                                                              Location: https://www.google.com:443/maps?saddr=31.2087496,29.9091634&z=10
                                                                                              Cache-Control: private
                                                                                              Timing-Allow-Origin: https://www.google.com
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-RbpRIc1wZu3MpKqYcMBkxg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/maps-tactile
                                                                                              Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
                                                                                              Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/maps-tactile"}]}
                                                                                              Date: Wed, 31 Aug 2022 21:48:06 GMT
                                                                                              Server: gws
                                                                                              Content-Length: 265
                                                                                              X-XSS-Protection: 0
                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                              Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 3a 34 34 33 2f 6d 61 70 73 3f 73 61 64 64 72 3d 33 31 2e 32 30 38 37 34 39 36 2c 32 39 2e 39 30 39 31 36 33 34 26 61 6d 70 3b 7a 3d 31 30 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                                                                              Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com:443/maps?saddr=31.2087496,29.9091634&amp;z=10">here</A>.</BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.5 | 49715 | 153.92.0.100 | 80 | C:\Users\user\Desktop\arinzezx.exe
Timestamp | kBytes transferred | Direction | Data
Aug 31, 2022 23:48:04.734621048 CEST | 824 | OUT | GET /livestream/ HTTP/1.1
                                                                                              Accept: */*
                                                                                              Accept-Language: en-US
                                                                                              Accept-Encoding: gzip, deflate
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                              Host: can-sat.netai.net
                                                                                              Connection: Keep-Alive
Aug 31, 2022 23:48:04.866895914 CEST | 836 | IN | HTTP/1.1 301 Moved Permanently
                                                                                              Server: nginx
                                                                                              Date: Wed, 31 Aug 2022 21:48:04 GMT
                                                                                              Content-Type: text/html
                                                                                              Content-Length: 162
                                                                                              Connection: keep-alive
                                                                                              Location: https://www.000webhost.com/migrate?static=true
                                                                                              X-Frame-Options: sameorigin
                                                                                              X-Content-Type-Options: nosniff
                                                                                              X-XSS-Protection: 1; mode=block
                                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49717 | 142.250.203.100 | 443 | C:\Users\user\Desktop\arinzezx.exe
Timestamp | kBytes transferred | Direction | Data
2022-08-31 21:48:10 UTC | 0 | OUT | GET /maps?saddr=31.2087496,29.9091634&z=10 HTTP/1.1
                                                                                              Accept: */*
                                                                                              Accept-Language: en-US
                                                                                              Accept-Encoding: gzip, deflate
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                              Connection: Keep-Alive
                                                                                              Host: www.google.com
                                                                                              Cookie: AEC=AakniGOUVp4jXHHD5YhzAajOatKevD6jDoHGMxHhgsCt6t1rStwPaLBqLg
2022-08-31 21:48:12 UTC | 1 | IN | HTTP/1.1 302 Found
                                                                                              Location: https://consent.google.com/ml?continue=https://www.google.com/maps?saddr%3D31.2087496,29.9091634&gl=GB&m=0&pc=m&uxe=eomtm&hl=de&src=1
                                                                                              Cache-Control: private
                                                                                              Timing-Allow-Origin: https://www.google.com
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-eYZYv7vRwthqp9Ru1E-35A' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/maps-tactile
                                                                                              Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
                                                                                              Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/maps-tactile"}]}
                                                                                              P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                                              Date: Wed, 31 Aug 2022 21:48:12 GMT
                                                                                              Server: gws
                                                                                              Content-Length: 354
                                                                                              X-XSS-Protection: 0
                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                              Set-Cookie: __Secure-ENID=6.SE=bAHSQtLrQMWxy_tqz0WaDaeFL1W5VOmOKkO5mBuNXISIweN8ghtdM05hF-gECfwTJ28xI6MWi6sNJZJsO8QjQObRoGTdPzM-68Gkxop6bVdx8jKoV8MxbLdPgIHJvYSyjREMuxUbqTR9T7NbGnUtXMHWrPSNiDAhrFDcYhFn5sM; expires=Sun, 01-Oct-2023 14:06:30 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                              Set-Cookie: CONSENT=PENDING+026; expires=Fri, 30-Aug-2024 21:48:10 GMT; path=/; domain=.google.com; Secure
                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                              Connection: close
2022-08-31 21:48:12 UTC | 2 | IN | Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 6e 73 65 6e 74 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 6d 6c 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 6d 61 70 73 3f 73 61 64 64 72 25 33 44 33 31 2e 32 30 38 37 34 39 36 2c 32
                                                                                              Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://consent.google.com/ml?continue=https://www.google.com/maps?saddr%3D31.2087496,2


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49716 | 104.19.184.120 | 443 | C:\Users\user\Desktop\arinzezx.exe
Timestamp | kBytes transferred | Direction | Data
2022-08-31 21:48:10 UTC | 0 | OUT | GET /migrate?static=true HTTP/1.1
                                                                                              Accept: */*
                                                                                              Accept-Language: en-US
                                                                                              Accept-Encoding: gzip, deflate
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                              Connection: Keep-Alive
                                                                                              Host: www.000webhost.com
2022-08-31 21:48:10 UTC | 0 | IN | HTTP/1.1 403 Forbidden
                                                                                              Date: Wed, 31 Aug 2022 21:48:10 GMT
                                                                                              Content-Type: text/plain; charset=UTF-8
                                                                                              Content-Length: 16
                                                                                              Connection: close
                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                              Referrer-Policy: same-origin
                                                                                              Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                              Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 7438f8070c269b76-FRA
                                                                                              alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
2022-08-31 21:48:10 UTC | 1 | IN | Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30
                                                                                              Data Ascii: error code: 1020


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49718 | 216.58.215.238 | 443 | C:\Users\user\Desktop\arinzezx.exe
Timestamp | kBytes transferred | Direction | Data
2022-08-31 21:48:12 UTC | 2 | OUT | GET /ml?continue=https://www.google.com/maps?saddr%3D31.2087496,29.9091634&gl=GB&m=0&pc=m&uxe=eomtm&hl=de&src=1 HTTP/1.1
                                                                                              Accept: */*
                                                                                              Accept-Language: en-US
                                                                                              Accept-Encoding: gzip, deflate
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                              Connection: Keep-Alive
                                                                                              Host: consent.google.com
                                                                                              Cookie: AEC=AakniGOUVp4jXHHD5YhzAajOatKevD6jDoHGMxHhgsCt6t1rStwPaLBqLg; __Secure-ENID=6.SE=bAHSQtLrQMWxy_tqz0WaDaeFL1W5VOmOKkO5mBuNXISIweN8ghtdM05hF-gECfwTJ28xI6MWi6sNJZJsO8QjQObRoGTdPzM-68Gkxop6bVdx8jKoV8MxbLdPgIHJvYSyjREMuxUbqTR9T7NbGnUtXMHWrPSNiDAhrFDcYhFn5sM; CONSENT=PENDING+026
2022-08-31 21:48:12 UTC | 3 | IN | HTTP/1.1 200 OK
                                                                                              Content-Type: text/html; charset=utf-8
                                                                                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                              Date: Wed, 31 Aug 2022 21:48:12 GMT
                                                                                              Content-Security-Policy: script-src 'nonce-RRrq1WooZd6hewPTbB8fdA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/ConsentHttp/cspreport;worker-src 'self'
                                                                                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                              Cross-Origin-Resource-Policy: same-site
                                                                                              Report-To: {"group":"ConsentHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/ConsentHttp/external"}]}
                                                                                              Content-Security-Policy-Report-Only: require-trusted-types-for 'script';report-uri /_/ConsentHttp/cspreport
                                                                                              Cross-Origin-Opener-Policy: unsafe-none; report-to="ConsentHttp"
                                                                                              Server: ESF
                                                                                              X-XSS-Protection: 0
                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                              X-Content-Type-Options: nosniff
                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                              Accept-Ranges: none
                                                                                              Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
                                                                                              Connection: close
                                                                                              Transfer-Encoding: chunked
2022-08-31 21:48:12 UTC | 5 | IN | Data Raw: 33 36 64 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 64 65 22 20 64 69 72 3d 22 6c 74 72 22 3e 3c 68 65 61 64 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 44 66 6f 69 79 73 4c 6d 6a 6f 4a 56 67 4f 78 6f 4d 61 43 45 72 67 22 3e 0a 61 2c 20 61 3a 6c 69 6e 6b 2c 20 61 3a 76 69 73 69 74 65 64 2c 20 61 3a 61 63 74 69 76 65 2c 20 61 3a 68 6f 76 65 72 20 7b 0a 20 20 63 6f 6c 6f 72 3a 20 23 31 61 37 33 65 38 3b 0a 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 62 6f 64 79 20 7b 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 52 6f 62 6f 74 6f 2c 52 6f 62 6f 74 6f 44 72 61 66 74 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 74 65 78 74 2d
                                                                                              Data Ascii: 36da<!DOCTYPE html><html lang="de" dir="ltr"><head><style nonce="DfoiysLmjoJVgOxoMaCErg">a, a:link, a:visited, a:active, a:hover { color: #1a73e8; text-decoration: none;}body { font-family: Roboto,RobotoDraft,Helvetica,Arial,sans-serif; text-
2022-08-31 21:48:12 UTC | 6 | IN | Data Raw: 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 35 30 30 3b 0a 20 20 68 65 69 67 68 74 3a 20 33 36 70 78 3b 0a 20 20 6d 61 72 67 69 6e 3a 20 31 32 70 78 20 34 70 78 20 30 3b 0a 20 20 70 61 64 64 69 6e 67 3a 20 38 70 78 20 32 34 70 78 3b 0a 7d 0a 2e 68 61 69 72 6c 69 6e 65 62 75 74 74 6f 6e 20 7b 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 20 20 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 20 31 70 78 3b 0a 20 20 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 64 61 64 63 65 30 3b 0a 20 20 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 20 73 6f 6c 69 64 3b 0a 20 20 6d 61 78 2d 68 65 69 67 68 74 3a 20
                                                                                              Data Ascii: Helvetica,Arial,sans-serif; font-size: 14px; font-weight: 500; height: 36px; margin: 12px 4px 0; padding: 8px 24px;}.hairlinebutton { background-color: #fff; border-width: 1px; border-color: #dadce0; border-style: solid; max-height:
2022-08-31 21:48:12 UTC | 7 | IN | Data Raw: 64 74 68 3a 20 33 36 30 70 78 3b 0a 7d 0a 0a 2f 2a 2a 20 4e 61 72 72 6f 77 20 73 63 72 65 65 6e 20 28 66 6f 72 20 65 78 61 6d 70 6c 65 20 61 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 29 2e 20 2a 2f 0a 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 20 34 38 30 70 78 29 20 7b 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 38 70 78 20 31 34 70 78 3b 0a 20 20 7d 0a 20 20 2e 66 6f 6f 74 65 72 20 66 6f 72 6d 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 33 70 78 3b 0a 20 20 7d 0a 20 20 2e 69 6d 67 43 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 39 36 70 78 3b 0a 20 20 7d 0a 20 20 62 75 74 74 6f 6e 2c 20 2e 62 75 74 74 6f 6e 20 7b 0a
                                                                                              Data Ascii: dth: 360px;}/** Narrow screen (for example a mobile device). */@media only screen and (max-width: 480px) { body { margin: 18px 14px; } .footer form { margin-bottom: 3px; } .imgContainer { min-width: 96px; } button, .button {
2022-08-31 21:48:12 UTC | 9 | IN | Data Raw: 61 65 3d 63 62 2d 65 6f 6d 74 6d 22 20 63 6c 61 73 73 3d 22 62 61 73 65 62 75 74 74 6f 6e 20 68 61 69 72 6c 69 6e 65 62 75 74 74 6f 6e 22 3e 41 6e 6d 65 6c 64 65 6e 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 6f 78 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 77 77 77 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 36 38 78 32 38 64 70 2e 70 6e 67 22 20 73 72 63 73 65 74 3d 22 2f 2f 77 77 77 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 36 38 78 32 38 64 70 2e 70 6e 67 20
                                                                                              Data Ascii: ae=cb-eomtm" class="basebutton hairlinebutton">Anmelden</a></div><div class="box"><img src="//www.gstatic.com/images/branding/googlelogo/1x/googlelogo_color_68x28dp.png" srcset="//www.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_68x28dp.png
2022-08-31 21:48:12 UTC | 10 | IN | Data Raw: 68 72 65 6d 20 53 74 61 6e 64 6f 72 74 20 62 65 65 69 6e 66 6c 75 73 73 74 2e 20 4e 69 63 68 74 20 70 65 72 73 6f 6e 61 6c 69 73 69 65 72 74 65 20 57 65 72 62 75 6e 67 20 77 69 72 64 20 76 6f 6e 20 64 65 6e 20 49 6e 68 61 6c 74 65 6e 2c 20 64 69 65 20 53 69 65 20 73 69 63 68 20 67 65 72 61 64 65 20 61 6e 73 65 68 65 6e 2c 20 75 6e 64 20 49 68 72 65 6d 20 75 6e 67 65 66 c3 a4 68 72 65 6e 20 53 74 61 6e 64 6f 72 74 20 62 65 65 69 6e 66 6c 75 73 73 74 2e 20 50 65 72 73 6f 6e 61 6c 69 73 69 65 72 74 65 20 49 6e 68 61 6c 74 65 20 75 6e 64 20 57 65 72 62 75 6e 67 20 6b c3 b6 6e 6e 65 6e 20 61 75 63 68 20 72 65 6c 65 76 61 6e 74 65 72 65 20 45 72 67 65 62 6e 69 73 73 65 2c 20 45 6d 70 66 65 68 6c 75 6e 67 65 6e 20 75 6e 64 20 69 6e 64 69 76 69 64 75 65 6c 6c 65
                                                                                              Data Ascii: hrem Standort beeinflusst. Nicht personalisierte Werbung wird von den Inhalten, die Sie sich gerade ansehen, und Ihrem ungefhren Standort beeinflusst. Personalisierte Inhalte und Werbung knnen auch relevantere Ergebnisse, Empfehlungen und individuelle
2022-08-31 21:48:12 UTC | 12 | IN | Data Raw: 4f 53 54 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 22 3e 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 62 6c 22 20 76 61 6c 75 65 3d 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 75 69 73 65 72 76 65 72 5f 32 30 32 32 30 38 32 38 2e 31 34 5f 70 30 22 3e 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 78 22 20 76 61 6c 75 65 3d 22 38 22 3e 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 67 6c 22 20 76 61 6c 75 65 3d 22 47 42 22 3e 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 6d 22 20 76 61 6c 75 65 3d 22 30 22 3e 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20
                                                                                              Data Ascii: OST" style="display:inline;"><input type="hidden" name="bl" value="boq_identityfrontenduiserver_20220828.14_p0"><input type="hidden" name="x" value="8"><input type="hidden" name="gl" value="GB"><input type="hidden" name="m" value="0"><input type="hidden"
2022-08-31 21:48:12 UTC | 13 | IN | Data Raw: 75 65 3d 22 41 6c 6c 65 20 61 6b 7a 65 70 74 69 65 72 65 6e 22 20 63 6c 61 73 73 3d 22 62 61 73 65 62 75 74 74 6f 6e 20 62 75 74 74 6f 6e 20 73 65 61 72 63 68 42 75 74 74 6f 6e 22 20 61 72 69 61 2d 6c 61 62 65 6c 3d 22 41 6c 6c 65 20 61 6b 7a 65 70 74 69 65 72 65 6e 22 2f 3e 3c 2f 66 6f 72 6d 3e 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 6e 73 65 6e 74 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 61 76 65 22 20 6d 65 74 68 6f 64 3d 22 50 4f 53 54 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 22 3e 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 62 6c 22 20 76 61 6c 75 65 3d 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 75 69 73 65 72 76 65 72 5f 32 30 32 32 30
                                                                                              Data Ascii: ue="Alle akzeptieren" class="basebutton button searchButton" aria-label="Alle akzeptieren"/></form><form action="https://consent.google.com/save" method="POST" style="display:block;"><input type="hidden" name="bl" value="boq_identityfrontenduiserver_20220
                                                                                              2022-08-31 21:48:12 UTC15INData Raw: 22 65 74 22 3e 65 65 73 74 69 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 65 6e 2d 47 42 22 3e 45 6e 67 6c 69 73 68 26 6e 62 73 70 3b 28 55 6e 69 74 65 64 20 4b 69 6e 67 64 6f 6d 29 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 65 6e 22 3e 45 6e 67 6c 69 73 68 26 6e 62 73 70 3b 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 65 73 22 3e 45 73 70 61 c3 b1 6f 6c 26 6e 62 73 70 3b 28 45 73 70 61 c3 b1 61 29 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 65 73 2d 34 31 39 22 3e 45 73 70 61 c3 b1 6f 6c 26 6e 62 73 70 3b 28 4c 61 74 69 6e 6f 61 6d c3 a9 72 69 63 61 29 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e
Data Ascii: "et">eesti</option><option value="en-GB">English&nbsp;(United Kingdom)</option><option value="en">English&nbsp;(United States)</option><option value="es">Español&nbsp;(España)</option><option value="es-419">Español&nbsp;(Latinoamérica)</option><option
                                                                                              2022-08-31 21:48:12 UTC16INData Raw: ce bb ce b7 ce bd ce b9 ce ba ce ac 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 62 65 22 3e d0 b1 d0 b5 d0 bb d0 b0 d1 80 d1 83 d1 81 d0 ba d0 b0 d1 8f 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 62 67 22 3e d0 b1 d1 8a d0 bb d0 b3 d0 b0 d1 80 d1 81 d0 ba d0 b8 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 6b 79 22 3e d0 ba d1 8b d1 80 d0 b3 d1 8b d0 b7 d1 87 d0 b0 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 6b 6b 22 3e d2 9b d0 b0 d0 b7 d0 b0 d2 9b 20 d1 82 d1 96 d0 bb d1 96 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 6d 6b 22 3e d0 bc d0 b0 d0 ba d0 b5 d0 b4 d0 be d0 bd d1 81 d0 ba d0 b8 3c 2f 6f 70 74 69 6f 6e 3e 3c
Data Ascii: ληνικά</option><option value="be">беларуская</option><option value="bg">български</option><option value="ky">кыргызча</option><option value="kk">қазақ тілі</option><option value="mk">македонски</option><
                                                                                              2022-08-31 21:48:12 UTC18INData Raw: 22 3e ed 95 9c ea b5 ad ec 96 b4 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 6a 61 22 3e e6 97 a5 e6 9c ac e8 aa 9e 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 7a 68 2d 43 4e 22 3e e7 ae 80 e4 bd 93 e4 b8 ad e6 96 87 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 7a 68 2d 54 57 22 3e e7 b9 81 e9 ab 94 e4 b8 ad e6 96 87 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 7a 68 2d 48 4b 22 3e e7 b9 81 e9 ab 94 e4 b8 ad e6 96 87 26 6e 62 73 70 3b 28 e9 a6 99 e6 b8 af 29 3c 2f 6f 70 74 69 6f 6e 3e 3c 2f 73 65 6c 65 63 74 3e 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 6f 6c 64 68 6c 22 20 76 61 6c 75 65 3d 22 64 65 22 3e 3c
Data Ascii: ">한국어</option><option value="ja">日本語</option><option value="zh-CN">简体中文</option><option value="zh-TW">繁體中文</option><option value="zh-HK">繁體中文&nbsp;(香港)</option></select><input type="hidden" name="oldhl" value="de"><
                                                                                              2022-08-31 21:48:12 UTC18INData Raw: 30 0d 0a 0d 0a
                                                                                              Data Ascii: 0


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Aug 31, 2022 23:48:34.138493061 CEST | 587 | 49725 | 91.235.128.141 | 192.168.2.5 | 220-cp5ua.hyperhost.ua ESMTP Exim 4.95 #2 Thu, 01 Sep 2022 00:48:33 +0300
 | | | | | 220-We do not authorize the use of this system to transport unsolicited,
 | | | | | 220 and/or bulk e-mail.
Aug 31, 2022 23:48:34.138813019 CEST | 49725 | 587 | 192.168.2.5 | 91.235.128.141 | EHLO 528110
Aug 31, 2022 23:48:34.191039085 CEST | 587 | 49725 | 91.235.128.141 | 192.168.2.5 | 250-cp5ua.hyperhost.ua Hello 528110 [102.129.143.57]
 | | | | | 250-SIZE 52428800
 | | | | | 250-8BITMIME
 | | | | | 250-PIPELINING
 | | | | | 250-PIPE_CONNECT
 | | | | | 250-STARTTLS
 | | | | | 250 HELP
Aug 31, 2022 23:48:34.191276073 CEST | 49725 | 587 | 192.168.2.5 | 91.235.128.141 | STARTTLS
Aug 31, 2022 23:48:34.246081114 CEST | 587 | 49725 | 91.235.128.141 | 192.168.2.5 | 220 TLS go ahead

                                                                                              Target ID:1
                                                                                              Start time:23:47:52
                                                                                              Start date:31/08/2022
                                                                                              Path:C:\Users\user\Desktop\arinzezx.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Users\user\Desktop\arinzezx.exe"
                                                                                              Imagebase:0x670000
                                                                                              File size:1527808 bytes
                                                                                              MD5 hash:314C678D85F7927A42F34797627532E1
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:.Net C# or VB.NET
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.376461043.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.381932594.0000000004787000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.381932594.0000000004787000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000002.381932594.0000000004787000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                              Reputation:low

                                                                                              Target ID:3
                                                                                              Start time:23:48:13
                                                                                              Start date:31/08/2022
                                                                                              Path:C:\Users\user\Desktop\arinzezx.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Users\user\Desktop\arinzezx.exe
                                                                                              Imagebase:0x410000
                                                                                              File size:1527808 bytes
                                                                                              MD5 hash:314C678D85F7927A42F34797627532E1
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:low

                                                                                              Target ID:4
                                                                                              Start time:23:48:14
                                                                                              Start date:31/08/2022
                                                                                              Path:C:\Users\user\Desktop\arinzezx.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Users\user\Desktop\arinzezx.exe
                                                                                              Imagebase:0xf60000
                                                                                              File size:1527808 bytes
                                                                                              MD5 hash:314C678D85F7927A42F34797627532E1
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:.Net C# or VB.NET
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.365108165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.365108165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000004.00000000.365108165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.587010252.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.587010252.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              Reputation:low

                                                                                                Execution Graph

                                                                                                Execution Coverage:13.4%
                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                Signature Coverage:0%
                                                                                                Total number of Nodes:27
                                                                                                Total number of Limit Nodes:3
                                                                                                execution_graph 8478 1059630 8479 1059647 8478->8479 8483 1059880 8479->8483 8487 105986f 8479->8487 8480 1059658 8484 1059892 8483->8484 8485 105989d 8484->8485 8491 1059969 8484->8491 8485->8480 8488 1059892 8487->8488 8489 105989d 8488->8489 8490 1059969 CreateActCtxA 8488->8490 8489->8480 8490->8489 8492 1059972 8491->8492 8494 10599c8 8491->8494 8497 1059a68 8492->8497 8501 1059a59 8492->8501 8494->8485 8499 1059a8f 8497->8499 8498 1059b6c 8498->8498 8499->8498 8505 10595ec 8499->8505 8503 1059a8f 8501->8503 8502 1059b6c 8502->8502 8503->8502 8504 10595ec CreateActCtxA 8503->8504 8504->8502 8506 105aef8 CreateActCtxA 8505->8506 8508 105afbb 8506->8508 8509 105fe70 8510 105feb2 8509->8510 8511 105feb8 GetModuleHandleW 8509->8511 8510->8511 8512 105fee5 8511->8512

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 700 1050f58-105102b 702 1051032-105108c 700->702 703 105102d 700->703 706 105108f 702->706 703->702 707 1051096-10510b2 706->707 708 10510b4 707->708 709 10510bb-10510bc 707->709 708->706 708->709 710 10511e5-1051200 708->710 711 1051205-1051221 708->711 712 1051226-1051238 708->712 713 10510c1-10510c5 708->713 714 1051150-1051189 708->714 715 105123d-10512ad 708->715 716 105111d-105114b 708->716 717 10510ee-1051118 708->717 718 105118e-10511a5 708->718 719 10511aa-10511c6 708->719 709->715 710->707 711->707 712->707 720 10510c7-10510d6 713->720 721 10510d8-10510df 713->721 714->707 735 10512af call 1052594 715->735 736 10512af call 1052300 715->736 737 10512af call 10522f2 715->737 738 10512af call 105264d 715->738 739 10512af call 1052a2e 715->739 740 10512af call 10525a9 715->740 741 10512af call 1052c9b 715->741 716->707 717->707 718->707 742 10511c8 call 1051898 719->742 743 10511c8 call 10518a8 719->743 723 10510e6-10510ec 720->723 721->723 723->707 730 10511ce-10511e0 730->707 734 10512b5-10512bf 735->734 736->734 737->734 738->734 739->734 740->734 741->734 742->730 743->730
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.370545393.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_1050000_arinzezx.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 3072a5c4c5e096241a78a913c3a73ba657032690f3507b7d95bc56dbafb0c3bb
                                                                                                • Instruction ID: f2d1538608674c153e9409dc8300e26b7211440eb23d03130cb7209ffea3ef28
                                                                                                • Opcode Fuzzy Hash: 3072a5c4c5e096241a78a913c3a73ba657032690f3507b7d95bc56dbafb0c3bb
                                                                                                • Instruction Fuzzy Hash: 70B136B1E042098FCB48CFA9D9816EEBBF2FF89310F14942AE415AB355E7759941CF60
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 882 1051008-105102b 883 1051032-105108c 882->883 884 105102d 882->884 887 105108f 883->887 884->883 888 1051096-10510b2 887->888 889 10510b4 888->889 890 10510bb-10510bc 888->890 889->887 889->890 891 10511e5-1051200 889->891 892 1051205-1051221 889->892 893 1051226-1051238 889->893 894 10510c1-10510c5 889->894 895 1051150-1051189 889->895 896 105123d-10512ad 889->896 897 105111d-105114b 889->897 898 10510ee-1051118 889->898 899 105118e-10511a5 889->899 900 10511aa-10511c6 889->900 890->896 891->888 892->888 893->888 901 10510c7-10510d6 894->901 902 10510d8-10510df 894->902 895->888 916 10512af call 1052594 896->916 917 10512af call 1052300 896->917 918 10512af call 10522f2 896->918 919 10512af call 105264d 896->919 920 10512af call 1052a2e 896->920 921 10512af call 10525a9 896->921 922 10512af call 1052c9b 896->922 897->888 898->888 899->888 923 10511c8 call 1051898 900->923 924 10511c8 call 10518a8 900->924 904 10510e6-10510ec 901->904 902->904 904->888 911 10511ce-10511e0 911->888 915 10512b5-10512bf 916->915 917->915 918->915 919->915 920->915 921->915 922->915 923->911 924->911
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.370545393.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_1050000_arinzezx.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 4442dc844545ada965b47ceb767b70df83aa7579fd7dcc2af3584247ceea3e65
                                                                                                • Instruction ID: d3267d8a7d0e3c6aee752f8208f89c816cf83485cdac21e612ef5225b62e224c
                                                                                                • Opcode Fuzzy Hash: 4442dc844545ada965b47ceb767b70df83aa7579fd7dcc2af3584247ceea3e65
                                                                                                • Instruction Fuzzy Hash: BB91E374E002098FCB48CFE9D990AEEBBF2AF89300F14952AE815BB354D7749945CF64
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 1229 10518a8-10518c9 1230 10518d0-10518f5 1229->1230 1231 10518cb 1229->1231 1232 10518f7 1230->1232 1233 10518fc-1051908 1230->1233 1231->1230 1232->1233 1234 105190b 1233->1234 1235 1051912-105192e 1234->1235 1236 1051937-1051938 1235->1236 1237 1051930 1235->1237 1238 1051a84-1051a87 1236->1238 1239 105193d-105194f 1236->1239 1237->1234 1237->1238 1237->1239 1240 1051951-1051968 1237->1240 1241 1051983-105198d 1237->1241 1242 10519e8-10519fd call 1051ad8 call 1051d20 1237->1242 1243 10519b8-10519bc 1237->1243 1244 1051a6a-1051a7f 1237->1244 1245 105196a-1051981 1237->1245 1246 1051a1a-1051a21 1237->1246 1257 1051a8a call 1052069 1238->1257 1258 1051a8a call 1052078 1238->1258 1239->1235 1240->1235 1249 1051994-10519b3 1241->1249 1250 105198f 1241->1250 1256 1051a03-1051a15 1242->1256 1251 10519cf-10519d6 1243->1251 1252 10519be-10519cd 1243->1252 1244->1235 1245->1235 1247 1051a23 1246->1247 1248 1051a28-1051a65 1246->1248 1247->1248 1248->1235 1249->1235 1250->1249 1254 10519dd-10519e3 1251->1254 1252->1254 1254->1235 1255 1051a90-1051a94 1256->1235 1257->1255 1258->1255
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.370545393.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_1050000_arinzezx.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 8093ab40c4c642f8e5bb20ec95970dcc98de451ce2cb369520ef76aed01688c4
                                                                                                • Instruction ID: 4b72d26ad7a817c3b970cd4023c58266dacd8ba2fec114084373b00ca8c820ca
                                                                                                • Opcode Fuzzy Hash: 8093ab40c4c642f8e5bb20ec95970dcc98de451ce2cb369520ef76aed01688c4
                                                                                                • Instruction Fuzzy Hash: 3B511C70E0560A9FCB48DF9AD5406AEFBF2FF89300F14D02AD455A7254D7348A41CF95
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 1261 1051898-10518c9 1263 10518d0-10518f5 1261->1263 1264 10518cb 1261->1264 1265 10518f7 1263->1265 1266 10518fc-1051908 1263->1266 1264->1263 1265->1266 1267 105190b 1266->1267 1268 1051912-105192e 1267->1268 1269 1051937-1051938 1268->1269 1270 1051930 1268->1270 1271 1051a84-1051a87 1269->1271 1272 105193d-105194f 1269->1272 1270->1267 1270->1271 1270->1272 1273 1051951-1051968 1270->1273 1274 1051983-105198d 1270->1274 1275 10519e8-10519fd call 1051ad8 call 1051d20 1270->1275 1276 10519b8-10519bc 1270->1276 1277 1051a6a-1051a7f 1270->1277 1278 105196a-1051981 1270->1278 1279 1051a1a-1051a21 1270->1279 1290 1051a8a call 1052069 1271->1290 1291 1051a8a call 1052078 1271->1291 1272->1268 1273->1268 1282 1051994-10519b3 1274->1282 1283 105198f 1274->1283 1289 1051a03-1051a15 1275->1289 1284 10519cf-10519d6 1276->1284 1285 10519be-10519cd 1276->1285 1277->1268 1278->1268 1280 1051a23 1279->1280 1281 1051a28-1051a65 1279->1281 1280->1281 1281->1268 1282->1268 1283->1282 1287 10519dd-10519e3 1284->1287 1285->1287 1287->1268 1288 1051a90-1051a94 1289->1268 1290->1288 1291->1288
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.370545393.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_1050000_arinzezx.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 231c033f4082b1fafcccfc7f4d6d04fe5e799598d9d5e43151893e3dcdefe4f1
                                                                                                • Instruction ID: a7eab10a35491e009b1e9ebcbe313a4fd82aff2d3e7e687f5f5a460c5d7dd83f
                                                                                                • Opcode Fuzzy Hash: 231c033f4082b1fafcccfc7f4d6d04fe5e799598d9d5e43151893e3dcdefe4f1
                                                                                                • Instruction Fuzzy Hash: FD513970E0420A9FCB48CFAAD9406AEFBF2FF89300F24D52AD459A7254D7348A41CF94
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.370545393.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_1050000_arinzezx.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 3e43b1e70150345438e37bf9955af48ca1f3d52455ea1ce8ebd4b0bac7fcd48c
                                                                                                • Instruction ID: e40c57304354325acac83f20e8e85737c2e05181d31c9342ffd684396e847a7a
                                                                                                • Opcode Fuzzy Hash: 3e43b1e70150345438e37bf9955af48ca1f3d52455ea1ce8ebd4b0bac7fcd48c
                                                                                                • Instruction Fuzzy Hash: FF21E671E006188BEB58CF9BD8446DEBBF7AFC9310F14C16AD908A6258DB741A55CB50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.370545393.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1050000_arinzezx.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateActCtxA.KERNEL32(?), ref: 0105AFA9
Memory Dump Source
• Source File: 00000001.00000002.370545393.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1050000_arinzezx.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateActCtxA.KERNEL32(?), ref: 0105AFA9
Memory Dump Source
• Source File: 00000001.00000002.370545393.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1050000_arinzezx.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 0105FED6
Memory Dump Source
• Source File: 00000001.00000002.370545393.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1050000_arinzezx.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.370545393.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1050000_arinzezx.jbxd
Similarity
• API ID:
• String ID: Hjp}$Hjp}$Hjp}
• API String ID: 0-2434924829
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.370545393.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1050000_arinzezx.jbxd
Similarity
• API ID:
• String ID: Hjp}$Hjp}$Hjp}
• API String ID: 0-2434924829
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.370545393.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1050000_arinzezx.jbxd
Similarity
• API ID:
• String ID: ~NL
• API String ID: 0-3268945508
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.370545393.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1050000_arinzezx.jbxd
Similarity
• API ID:
• String ID: ~NL
• API String ID: 0-3268945508
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.370545393.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1050000_arinzezx.jbxd
Similarity
• API ID:
• String ID: 'Hr@
• API String ID: 0-167628295
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.370545393.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1050000_arinzezx.jbxd
Similarity
• API ID:
• String ID: 'Hr@
• API String ID: 0-167628295
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.370545393.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1050000_arinzezx.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.370545393.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1050000_arinzezx.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.370545393.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1050000_arinzezx.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 10.8%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 45
Total number of Limit Nodes: 0

Control-flow Graph (rendering omitted; legend: Executed / Not Executed)

APIs
• LoadLibraryA.KERNELBASE(?), ref: 0193C9BA
Memory Dump Source
• Source File: 00000004.00000002.586274036.0000000001930000.00000040.00000800.00020000.00000000.sdmp, Offset: 01930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1930000_arinzezx.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 4856a03038fee77b2de9374b69f6250a23226e4f49bc1f0dfcd3b8656b949678
• Instruction ID: 620752acccfedb528f9b4be51b06087729b972eafe5acd1f55097693cd5d23f3
• Opcode Fuzzy Hash: 4856a03038fee77b2de9374b69f6250a23226e4f49bc1f0dfcd3b8656b949678
• Instruction Fuzzy Hash: AB3136B1D006899FDB14CFA8C885B9EFBB5BB48314F14852EE859B7380D7749486CF91
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (rendering omitted; legend: Executed / Not Executed)

APIs
• LoadLibraryA.KERNELBASE(?), ref: 0193C9BA
Memory Dump Source
• Source File: 00000004.00000002.586274036.0000000001930000.00000040.00000800.00020000.00000000.sdmp, Offset: 01930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1930000_arinzezx.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: f61ca15cb4e4c446c48aa30338c48d58cdfad3eea11ecde2dee522e38c426424
• Instruction ID: a5360ca27aff2eac1cfe83b24f52423cb218b4866dcf78e8c6e855195e5a0a2a
• Opcode Fuzzy Hash: f61ca15cb4e4c446c48aa30338c48d58cdfad3eea11ecde2dee522e38c426424
• Instruction Fuzzy Hash: 393131B0D00A499FDF14CFA8C885B9EBBB5BB48314F14852AE819B7380D7749882CF91
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (rendering omitted; legend: Executed / Not Executed)

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 01934D42
Memory Dump Source
• Source File: 00000004.00000002.586274036.0000000001930000.00000040.00000800.00020000.00000000.sdmp, Offset: 01930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1930000_arinzezx.jbxd
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: 7c79e9ec15c63fb77be270454626d97ddf430e4dcd254391fcb9117d444cd056
• Instruction ID: a6edb8ccf86de595ac20beb7876512cd4732ab62673be355f61ace87b1f4d203
• Opcode Fuzzy Hash: 7c79e9ec15c63fb77be270454626d97ddf430e4dcd254391fcb9117d444cd056
• Instruction Fuzzy Hash: 512189B19003058EDF50EFA9D90979EBBF8FB44328F14842AD419B3A41D7386549CFA1
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (rendering omitted; legend: Executed / Not Executed)

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 01934D42
Memory Dump Source
• Source File: 00000004.00000002.586274036.0000000001930000.00000040.00000800.00020000.00000000.sdmp, Offset: 01930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1930000_arinzezx.jbxd
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: de5c969f585ade5b9a69f6c1cf0ecf68dba09e8c008e74c7b77908de2ff02cd5
• Instruction ID: b9dcdf7943c9e0b663f08113be52868713c09c4ad4ccb3594104980609ac0330
• Opcode Fuzzy Hash: de5c969f585ade5b9a69f6c1cf0ecf68dba09e8c008e74c7b77908de2ff02cd5
• Instruction Fuzzy Hash: 6B1189B09003458FDF50EFA9D90879EBFF8FB44324F10842AD818A3A41CB796549CFA1
Uniqueness
• Uniqueness Score: -1.00%