Windows Analysis Report
arinzezx.exe

Overview

General Information

Sample Name: arinzezx.exe
Analysis ID: 694556
MD5: 314c678d85f7927a42f34797627532e1
SHA1: 1a1695ee1411cc14754cc92e14a6243ee7af81d1
SHA256: e5b9cc21b8de77e68e03e202609511b8b57d1ea278d6cd0fe0b7fb454f1d7432
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • arinzezx.exe (PID: 6600 cmdline: "C:\Users\user\Desktop\arinzezx.exe" MD5: 314C678D85F7927A42F34797627532E1)
    • arinzezx.exe (PID: 6964 cmdline: C:\Users\user\Desktop\arinzezx.exe MD5: 314C678D85F7927A42F34797627532E1)
    • arinzezx.exe (PID: 6976 cmdline: C:\Users\user\Desktop\arinzezx.exe MD5: 314C678D85F7927A42F34797627532E1)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "arinzelog@steuler-kch.org", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua"}
Source | Rule | Description | Author | Strings
00000004.00000000.365108165.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000000.365108165.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000004.00000000.365108165.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown | matched strings:
  • 0x300ad:$a13: get_DnsResolver
  • 0x2e8c7:$a20: get_LastAccessed
  • 0x30a2b:$a27: set_InternalServerPort
  • 0x30d47:$a30: set_GuidMasterKey
  • 0x2e9ce:$a33: get_Clipboard
  • 0x2e9dc:$a34: get_Keyboard
  • 0x2fce0:$a35: get_ShiftKeyDown
  • 0x2fcf1:$a36: get_AltKeyDown
  • 0x2e9e9:$a37: get_Password
  • 0x2f490:$a38: get_PasswordHash
  • 0x304ad:$a39: get_DefaultCredentials
00000001.00000002.376461043.0000000002F25000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000001.00000002.381932594.0000000004787000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Source | Rule | Description | Author | Strings
4.0.arinzezx.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
4.0.arinzezx.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
4.0.arinzezx.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | matched strings:
  • 0x32b5f:$s10: logins
  • 0x325c6:$s11: credential
  • 0x2ebce:$g1: get_Clipboard
  • 0x2ebdc:$g2: get_Keyboard
  • 0x2ebe9:$g3: get_Password
  • 0x2fed0:$g4: get_CtrlKeyDown
  • 0x2fee0:$g5: get_ShiftKeyDown
  • 0x2fef1:$g6: get_AltKeyDown
4.0.arinzezx.exe.400000.0.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown | matched strings:
  • 0x302ad:$a13: get_DnsResolver
  • 0x2eac7:$a20: get_LastAccessed
  • 0x30c2b:$a27: set_InternalServerPort
  • 0x30f47:$a30: set_GuidMasterKey
  • 0x2ebce:$a33: get_Clipboard
  • 0x2ebdc:$a34: get_Keyboard
  • 0x2fee0:$a35: get_ShiftKeyDown
  • 0x2fef1:$a36: get_AltKeyDown
  • 0x2ebe9:$a37: get_Password
  • 0x2f690:$a38: get_PasswordHash
  • 0x306ad:$a39: get_DefaultCredentials
1.2.arinzezx.exe.4787e30.8.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: arinzezx.exe | Joe Sandbox ML: detected
Source: 4.0.arinzezx.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.2.arinzezx.exe.47f2870.9.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "arinzelog@steuler-kch.org", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua"}
Source: arinzezx.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.19.184.120:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.215.238:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: arinzezx.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 104.19.184.120
Source: Joe Sandbox View | IP Address: 153.92.0.100
Source: global traffic | HTTP traffic detected:
  GET /maps?saddr=31.2087496,29.9091634&z=10 HTTP/1.1
  Accept: */*
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Connection: Keep-Alive
  Host: www.google.com
  Cookie: AEC=AakniGOUVp4jXHHD5YhzAajOatKevD6jDoHGMxHhgsCt6t1rStwPaLBqLg
Source: global traffic | HTTP traffic detected:
  GET /migrate?static=true HTTP/1.1
  Accept: */*
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Connection: Keep-Alive
  Host: www.000webhost.com
Source: global traffic | HTTP traffic detected:
  GET /ml?continue=https://www.google.com/maps?saddr%3D31.2087496,29.9091634&gl=GB&m=0&pc=m&uxe=eomtm&hl=de&src=1 HTTP/1.1
  Accept: */*
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Connection: Keep-Alive
  Host: consent.google.com
  Cookie: AEC=AakniGOUVp4jXHHD5YhzAajOatKevD6jDoHGMxHhgsCt6t1rStwPaLBqLg; __Secure-ENID=6.SE=bAHSQtLrQMWxy_tqz0WaDaeFL1W5VOmOKkO5mBuNXISIweN8ghtdM05hF-gECfwTJ28xI6MWi6sNJZJsO8QjQObRoGTdPzM-68Gkxop6bVdx8jKoV8MxbLdPgIHJvYSyjREMuxUbqTR9T7NbGnUtXMHWrPSNiDAhrFDcYhFn5sM; CONSENT=PENDING+026
Source: global traffic | HTTP traffic detected:
  GET /?saddr=31.2087496,29.9091634&z=10 HTTP/1.1
  Accept: */*
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: maps.google.com
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /livestream/ HTTP/1.1
  Accept: */*
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: can-sat.netai.net
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /maps?saddr=31.2087496,29.9091634&z=10 HTTP/1.1
  Accept: */*
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: maps.google.com
  Connection: Keep-Alive
Source: global traffic | TCP traffic: 192.168.2.5:49725 -> 91.235.128.141:587
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 403 Forbidden
  Date: Wed, 31 Aug 2022 21:48:10 GMT
  Content-Type: text/plain; charset=UTF-8
  Content-Length: 16
  Connection: close
  X-Frame-Options: SAMEORIGIN
  Referrer-Policy: same-origin
  Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Expires: Thu, 01 Jan 1970 00:00:01 GMT
  Server: cloudflare
  CF-RAY: 7438f8070c269b76-FRA
  alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: unknown | DNS traffic detected: queries for: maps.google.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\arinzezx.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\arinzezx.exe
Source: arinzezx.exe, 00000001.00000002.368803858.0000000000E5A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\arinzezx.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

                Source: 4.0.arinzezx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 4.0.arinzezx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 1.2.arinzezx.exe.4787e30.8.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 1.2.arinzezx.exe.4787e30.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 1.2.arinzezx.exe.47be250.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 1.2.arinzezx.exe.47be250.10.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 1.2.arinzezx.exe.47f2870.9.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 1.2.arinzezx.exe.47f2870.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 1.2.arinzezx.exe.47f2870.9.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 1.2.arinzezx.exe.47f2870.9.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 1.2.arinzezx.exe.47be250.10.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 1.2.arinzezx.exe.47be250.10.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 00000004.00000000.365108165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 00000001.00000002.381932594.0000000004787000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: Process Memory Space: arinzezx.exe PID: 6600, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: Process Memory Space: arinzezx.exe PID: 6976, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: arinzezx.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 4.0.arinzezx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 4.0.arinzezx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 1.2.arinzezx.exe.4787e30.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 1.2.arinzezx.exe.4787e30.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 1.2.arinzezx.exe.47be250.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 1.2.arinzezx.exe.47be250.10.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 1.2.arinzezx.exe.47f2870.9.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 1.2.arinzezx.exe.47f2870.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 1.2.arinzezx.exe.47f2870.9.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 1.2.arinzezx.exe.47f2870.9.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 1.2.arinzezx.exe.47be250.10.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 1.2.arinzezx.exe.47be250.10.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000004.00000000.365108165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000001.00000002.381932594.0000000004787000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: arinzezx.exe PID: 6600, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: arinzezx.exe PID: 6976, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: C:\Users\user\Desktop\arinzezx.exe | Code function: 1_2_01052300
                Source: C:\Users\user\Desktop\arinzezx.exe | Code function: 1_2_01051008
                Source: C:\Users\user\Desktop\arinzezx.exe | Code function: 1_2_010518A8
                Source: C:\Users\user\Desktop\arinzezx.exe | Code function: 1_2_0105C390
                Source: C:\Users\user\Desktop\arinzezx.exe | Code function: 1_2_010522F2
                Source: C:\Users\user\Desktop\arinzezx.exe | Code function: 1_2_01050470
                Source: C:\Users\user\Desktop\arinzezx.exe | Code function: 1_2_01050480
                Source: C:\Users\user\Desktop\arinzezx.exe | Code function: 1_2_01054C30
                Source: C:\Users\user\Desktop\arinzezx.exe | Code function: 1_2_01054C40
                Source: C:\Users\user\Desktop\arinzezx.exe | Code function: 1_2_01050F58
                Source: C:\Users\user\Desktop\arinzezx.exe | Code function: 1_2_01055358
                Source: C:\Users\user\Desktop\arinzezx.exe | Code function: 1_2_01055368
                Source: C:\Users\user\Desktop\arinzezx.exe | Code function: 1_2_01055508
                Source: C:\Users\user\Desktop\arinzezx.exe | Code function: 1_2_010554F9
                Source: C:\Users\user\Desktop\arinzezx.exe | Code function: 1_2_01051898
                Source: C:\Users\user\Desktop\arinzezx.exe | Code function: 4_2_0193F080
                Source: C:\Users\user\Desktop\arinzezx.exe | Code function: 4_2_01936120
                Source: C:\Users\user\Desktop\arinzezx.exe | Code function: 4_2_0193F3C8
                Source: arinzezx.exe, 00000001.00000002.377336443.0000000004375000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMetal.dllJ vs arinzezx.exe
                Source: arinzezx.exe, 00000001.00000002.397370514.000000000BCA0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs arinzezx.exe
                Source: arinzezx.exe, 00000001.00000002.372126148.0000000002C34000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs arinzezx.exe
                Source: arinzezx.exe, 00000001.00000002.372126148.0000000002C34000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs arinzezx.exe
                Source: arinzezx.exe, 00000001.00000002.381932594.0000000004787000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMvPjRuRlDFKfQwhEStKRmBHzGSPHPolYc.exe4 vs arinzezx.exe
                Source: arinzezx.exe, 00000001.00000002.376461043.0000000002F25000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMvPjRuRlDFKfQwhEStKRmBHzGSPHPolYc.exe4 vs arinzezx.exe
                Source: arinzezx.exe, 00000001.00000000.318667421.00000000007E6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameNoyn.exe6 vs arinzezx.exe
                Source: arinzezx.exe, 00000001.00000002.397602264.000000000BCD0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs arinzezx.exe
                Source: arinzezx.exe, 00000001.00000002.371377972.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameriched20.dllp( vs arinzezx.exe
                Source: arinzezx.exe, 00000001.00000002.371377972.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs arinzezx.exe
                Source: arinzezx.exe, 00000001.00000002.371377972.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: k,\\StringFileInfo\\000004B0\\OriginalFilename vs arinzezx.exe
                Source: arinzezx.exe, 00000001.00000002.397992784.000000000BFD0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMetal.dllJ vs arinzezx.exe
                Source: arinzezx.exe, 00000001.00000002.368803858.0000000000E5A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs arinzezx.exe
                Source: arinzezx.exe, 00000004.00000002.585115297.00000000014F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs arinzezx.exe
                Source: arinzezx.exe, 00000004.00000000.365778134.0000000000436000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMvPjRuRlDFKfQwhEStKRmBHzGSPHPolYc.exe4 vs arinzezx.exe
                Source: arinzezx.exe | Binary or memory string: OriginalFilenameNoyn.exe6 vs arinzezx.exe
                Source: arinzezx.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\arinzezx.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown | Process created: C:\Users\user\Desktop\arinzezx.exe "C:\Users\user\Desktop\arinzezx.exe"
                Source: C:\Users\user\Desktop\arinzezx.exe | Process created: C:\Users\user\Desktop\arinzezx.exe C:\Users\user\Desktop\arinzezx.exe
                Source: C:\Users\user\Desktop\arinzezx.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
                Source: C:\Users\user\Desktop\arinzezx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\arinzezx.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\arinzezx.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/2@6/7
                Source: arinzezx.exe, 00000004.00000002.589836319.00000000036FF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: arinzezx.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\arinzezx.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\arinzezx.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\arinzezx.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: arinzezx.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                Source: C:\Users\user\Desktop\arinzezx.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: arinzezx.exe | Static file information: File size 1527808 > 1048576
                Source: arinzezx.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: arinzezx.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x172400
                Source: arinzezx.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: initial sample | Static PE information: section name: .text entropy: 7.276869829356131
                Source: C:\Users\user\Desktop\arinzezx.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: 00000001.00000002.376461043.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: arinzezx.exe PID: 6600, type: MEMORYSTR
                Source: arinzezx.exe, 00000001.00000002.376461043.0000000002F25000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                Source: arinzezx.exe, 00000001.00000002.376461043.0000000002F25000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAMETSOFTWARE\ORACLE\VIRTUALBOX GUEST ADDITIONS
                Source: C:\Users\user\Desktop\arinzezx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\arinzezx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\arinzezx.exe TID: 6604 | Thread sleep time: -45877s >= -30000s
                Source: C:\Users\user\Desktop\arinzezx.exe TID: 6628 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\arinzezx.exe TID: 7100 | Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Users\user\Desktop\arinzezx.exe TID: 7104 | Thread sleep count: 9765 > 30
                Source: C:\Users\user\Desktop\arinzezx.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\arinzezx.exe | Window / User API: threadDelayed 9765
                Source: C:\Users\user\Desktop\arinzezx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\arinzezx.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\arinzezx.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Thread delayed: delay time: 45877
                Source: C:\Users\user\Desktop\arinzezx.exe | Thread delayed: delay time: 922337203685477
                Source: arinzezx.exe, 00000001.00000002.376461043.0000000002F25000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VBOXDSOFTWARE\VMware, Inc.\VMware Tools
                Source: arinzezx.exe, 00000001.00000002.376461043.0000000002F25000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: arinzezx.exe, 00000001.00000002.376461043.0000000002F25000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                Source: arinzezx.exe, 00000001.00000002.376461043.0000000002F25000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II6VirtualBox Graphics Adapter
                Source: arinzezx.exe, 00000001.00000002.376461043.0000000002F25000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE6HARDWARE\Description\System"SystemBiosVersion
                Source: arinzezx.exe, 00000001.00000003.343464188.000000000B00D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: arinzezx.exe, 00000001.00000002.397992784.000000000BFD0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: W7fmmApVmCIQcR3DJ29
                Source: arinzezx.exe, 00000001.00000002.376461043.0000000002F25000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: QEMUNSYSTEM\ControlSet001\Services\Disk\Enum
                Source: arinzezx.exe, 00000001.00000002.370023698.0000000000F43000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: arinzezx.exe, 00000001.00000002.392284063.000000000AFCA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWi.net
                Source: C:\Users\user\Desktop\arinzezx.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\arinzezx.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\arinzezx.exe | Memory written: C:\Users\user\Desktop\arinzezx.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\arinzezx.exe | Process created: C:\Users\user\Desktop\arinzezx.exe C:\Users\user\Desktop\arinzezx.exe
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Users\user\Desktop\arinzezx.exe VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms.DataVisualization\v4.0_4.0.0.0__31bf3856ad364e35\System.Windows.Forms.DataVisualization.dll VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\arinzezx.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Users\user\Desktop\arinzezx.exe VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\arinzezx.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 4.0.arinzezx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.arinzezx.exe.4787e30.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.arinzezx.exe.47be250.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.arinzezx.exe.47f2870.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.arinzezx.exe.47f2870.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.arinzezx.exe.47be250.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.365108165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.381932594.0000000004787000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.587010252.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: arinzezx.exe PID: 6600, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: arinzezx.exe PID: 6976, type: MEMORYSTR
Source: C:\Users\user\Desktop\arinzezx.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\arinzezx.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\arinzezx.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\arinzezx.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\arinzezx.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\arinzezx.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\arinzezx.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\arinzezx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\arinzezx.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000004.00000002.587010252.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: arinzezx.exe PID: 6976, type: MEMORYSTR
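The file and registry accesses listed above are the observable side of credential theft: one process opening the Thunderbird, Outlook and IncrediMail profile locations, the WinSCP, FileZilla and SmartFTP session stores, and the Chrome and Firefox login databases within a single run. No single one of those opens is suspicious on its own (the owning application reads them constantly), but a process that is not the owner touching stores from several categories is a reliable stealer signal. The following is an added example of that detection logic, not part of the Joe Sandbox report or of any Joe Sandbox tooling. The store paths are the ones the report lists for arinzezx.exe; the event stream, the benign process images (firefox.exe, backup.exe), the owner map and the thresholds are constructed assumptions for illustration.

```python
# Added example, not part of the Joe Sandbox report: score a process by how
# many distinct credential stores it opens and across how many categories
# (mail, FTP/SCP client, browser). Store paths come from the report above;
# the event stream, benign processes and thresholds are constructed.
import re
from collections import defaultdict

# (category, regex over the lower-cased path). Patterns begin below the
# profile directory so they match regardless of user name or drive letter.
CREDENTIAL_STORES = [
    ("mail",    r"\\thunderbird\\profiles\.ini$"),
    ("mail",    r"\\windows messaging subsystem\\profiles\\"),
    ("mail",    r"\\incredimail\\identities$"),
    ("ftp",     r"\\martin prikryl\\winscp 2\\sessions$"),
    ("ftp",     r"\\filezilla\\recentservers\.xml$"),
    ("ftp",     r"\\smartftp\\client 2\.0\\favorites\\"),
    ("browser", r"\\chrome\\user data\\[^\\]+\\login data$"),
    ("browser", r"\\mozilla\\firefox\\profiles\.ini$"),
]
_COMPILED = [(cat, re.compile(rx)) for cat, rx in CREDENTIAL_STORES]

# Applications that legitimately own a store category; the owner opening its
# own files is not a stealer signal. Image names are assumed, not from the report.
OWNERS = {
    "thunderbird.exe": {"mail"},
    "firefox.exe": {"browser"},
    "chrome.exe": {"browser"},
    "filezilla.exe": {"ftp"},
    "winscp.exe": {"ftp"},
}


def classify(path):
    """Return the credential-store category of a file or registry path, or None."""
    p = path.lower()
    for cat, rx in _COMPILED:
        if rx.search(p):
            return cat
    return None


def score_processes(events, min_stores=3, min_categories=2):
    """events: iterable of (pid, image, path) from file-open and key-open telemetry.

    Flags a process that touches at least min_stores distinct stores spanning
    at least min_categories categories, ignoring stores its own application owns.
    Returns {pid: {"image", "stores", "categories"}} for flagged processes only.
    """
    acc = defaultdict(lambda: {"image": None, "stores": set(), "categories": set()})
    for pid, image, path in events:
        cat = classify(path)
        if cat is None or cat in OWNERS.get(image.lower(), set()):
            continue
        rec = acc[pid]
        rec["image"] = image
        rec["stores"].add(path.lower())   # set: the repeated Thunderbird open counts once
        rec["categories"].add(cat)
    return {
        pid: rec for pid, rec in acc.items()
        if len(rec["stores"]) >= min_stores and len(rec["categories"]) >= min_categories
    }


# Constructed event stream. PID 6976 reproduces the report's observations for
# arinzezx.exe (the SmartFTP entry is a directory; its trailing separator is
# dropped here). The firefox.exe and backup.exe events are invented noise.
SAMPLE_EVENTS = [
    (6976, "arinzezx.exe", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    (6976, "arinzezx.exe", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    (6976, "arinzezx.exe", r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    (6976, "arinzezx.exe", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    (6976, "arinzezx.exe", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    (6976, "arinzezx.exe", r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"),
    (6976, "arinzezx.exe", r"C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect"),
    (6976, "arinzezx.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (6976, "arinzezx.exe", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (1234, "firefox.exe", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (2345, "backup.exe", r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"),
    (2345, "backup.exe", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
]

if __name__ == "__main__":
    for pid, rec in score_processes(SAMPLE_EVENTS).items():
        print(pid, rec["image"], sorted(rec["categories"]), len(rec["stores"]), "stores")
```

With the default thresholds only PID 6976 is flagged (eight distinct stores across all three categories); firefox.exe is dropped by the owner map and backup.exe, which touches one FTP and one browser store, stays below min_stores. Lowering min_stores to 2 flags backup.exe as well, which is the trade-off to tune against your own telemetry: genuine backup and migration tools do read these files.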

Remote Access Functionality

Source: Yara match | File source: 4.0.arinzezx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.arinzezx.exe.4787e30.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.arinzezx.exe.47be250.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.arinzezx.exe.47f2870.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.arinzezx.exe.47f2870.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.arinzezx.exe.47be250.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.365108165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.381932594.0000000004787000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.587010252.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: arinzezx.exe PID: 6600, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: arinzezx.exe PID: 6976, type: MEMORYSTR
MITRE ATT&CK Matrix

The matrix is listed here per tactic. Bracketed digits reproduce the signature-count badges the original matrix prints beside the techniques that matched this sample; entries without a badge are the matrix's unhighlighted cells.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation [211]; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection [111]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [131]; Process Injection [111]; Obfuscated Files or Information [1]; Software Packing [2]
Credential Access: OS Credential Dumping [2]; Input Capture [111]; Credentials in Registry [1]; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery [211]; Process Discovery [1]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; Remote System Discovery [1]; System Information Discovery [114]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Email Collection [1]; Input Capture [111]; Archive Collected Data [1]; Data from Local System [2]; Clipboard Data [1]; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel [11]; Non-Standard Port [1]; Ingress Tool Transfer [3]; Non-Application Layer Protocol [3]; Application Layer Protocol [24]; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample (Source | Detection | Scanner | Label):
arinzezx.exe | 100% | Joe Sandbox ML |

Dropped Files:
No Antivirus matches

Unpacked PE Files (Source | Detection | Scanner | Label):
4.0.arinzezx.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains:
No Antivirus matches

URLs (Source | Detection | Scanner | Label). Most of these are partial strings recovered from process memory; the font-vendor addresses come from the metadata of the TrueType files enumerated above, and the http://can-sat.netai.net/... fragments are variants of the address the sample actually contacted.
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://en.wD | 0% | Avira URL Cloud | safe
http://www.fonts.comcD | 0% | Avira URL Cloud | safe
http://can-sat.netai.net/livestream/r | 0% | Avira URL Cloud | safe
https://csp.withgoogle.com/csp/report-to/ConsentHttp/external | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
https://DtM6GM1g5LTlJoVP.org | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://YthClZ.com | 0% | Avira URL Cloud | safe
http://can-sat.netai.net/y | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://can-sat.netai.net/livestream/Hx | 0% | Avira URL Cloud | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://can-sat.netai.net/livestream/ | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://can-sat.netai.net/livestream/CgC | 0% | Avira URL Cloud | safe
http://can-sat.netai.n | 0% | Avira URL Cloud | safe
http://can-sat.netai.net/livestream/5 | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://can-sat.netai.net/livestream/ions.AddInAdapter.v10.0 | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
http://can-sat.netai.net/livestream/tldi | 0% | Avira URL Cloud | safe
http://can-sat.netai.net/5 | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.ascendercorp.com/typedesigners.htmlu | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.tiro.comY | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://can-sat.netai.net/livestream/46 | 0% | Avira URL Cloud | safe
http://can-sat.netai.net/livestream/e | 0% | Avira URL Cloud | safe
http://can-sat.netai.net/livestream/ll | 0% | Avira URL Cloud | safe
Domains and IPs

Contacted Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
can-sat.netai.net | 153.92.0.100 | true | false | | unknown
www.000webhost.com | 104.19.184.120 | true | false | | high
cp5ua.hyperhost.ua | 91.235.128.141 | true | false | | high
consent.google.com | 216.58.215.238 | true | false | | high
maps.google.com | 142.250.203.110 | true | false | | high
www.google.com | 142.250.203.100 | true | false | | high

Note that "Malicious: false" in this table records the absence of an antivirus or reputation hit, not a judgement on the traffic: can-sat.netai.net is the only host without an established reputation and is the one the sample's own URL strings point at, so it is the indicator to take from this report.
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
https://www.000webhost.com/migrate?static=true | false | | high
https://consent.google.com/ml?continue=https://www.google.com/maps?saddr%3D31.2087496,29.9091634&gl=GB&m=0&pc=m&uxe=eomtm&hl=de&src=1 | false | | high
https://www.google.com/maps?saddr=31.2087496,29.9091634&z=10 | false | | high
http://maps.google.com/?saddr=31.2087496,29.9091634&z=10 | false | | high
http://can-sat.netai.net/livestream/ | false | Avira URL Cloud: safe | unknown
http://maps.google.com/maps?saddr=31.2087496,29.9091634&z=10 | false | | high
URLs from Memory and Binaries (Name | Source | Malicious | Antivirus Detection | Reputation):
https://www.000webhost.com/migrate?static=truesl | arinzezx.exe, 00000001.00000002.395742771.000000000AFED000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://127.0.0.1:HTTP/1.1 | arinzezx.exe, 00000004.00000002.587010252.00000000033F1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://en.wD | arinzezx.exe, 00000001.00000003.328011792.0000000008042000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000003.328069691.0000000008044000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000003.327966259.0000000008040000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersG | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersAny | arinzezx.exe, 00000001.00000003.331202082.0000000008070000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000003.331229601.0000000008070000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000003.331180508.0000000008070000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.comcD | arinzezx.exe, 00000001.00000003.324211844.000000000804B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://can-sat.netai.net/livestream/r | arinzezx.exe, 00000001.00000002.395742771.000000000AFED000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://csp.withgoogle.com/csp/report-to/ConsentHttp/external | arinzezx.exe, 00000001.00000002.392284063.000000000AFCA000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000002.397304814.000000000BAD9000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000003.362398365.000000000BAD9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/bThe | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | arinzezx.exe, 00000004.00000002.590184555.0000000003749000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://DtM6GM1g5LTlJoVP.org | arinzezx.exe, 00000004.00000002.590311251.000000000376C000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000004.00000002.589851489.0000000003704000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000004.00000002.587010252.00000000033F1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://cp5ua.hyperhost.ua | arinzezx.exe, 00000004.00000002.590184555.0000000003749000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.000webhost.com/migrate?static=truekM | arinzezx.exe, 00000001.00000002.391809381.000000000AFAA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://maps.google.com/?saddr=31.2087496 | arinzezx.exe, 00000001.00000002.371377972.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://YthClZ.com | arinzezx.exe, 00000004.00000002.587010252.00000000033F1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://can-sat.netai.net/y | arinzezx.exe, 00000001.00000002.391809381.000000000AFAA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://consent.google.com/ | arinzezx.exe, 00000001.00000002.396430673.000000000B03C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sajatypeworks.com | arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe |
                                                          unknown
                                                          http://www.typography.netDarinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.founder.com.cn/cn/cThearinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.galapagosdesign.com/staff/dennis.htmarinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://can-sat.netai.net/livestream/Hxarinzezx.exe, 00000001.00000002.395742771.000000000AFED000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://fontfabrik.comarinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://www.000webhost.com/migrate?static=truecarinzezx.exe, 00000001.00000002.396211933.000000000B010000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://DynDns.comDynDNSnamejidpasswordPsi/Psiarinzezx.exe, 00000004.00000002.587010252.00000000033F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.galapagosdesign.com/DPleasearinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.ascendercorp.com/typedesigners.htmlarinzezx.exe, 00000001.00000003.329249971.0000000008034000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.fonts.comarinzezx.exe, 00000001.00000003.324250155.000000000804B000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://www.sandoll.co.krarinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.urwpp.deDPleasearinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://www.000webhost.com/Xarinzezx.exe, 00000001.00000002.396226962.000000000B014000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://www.zhongyicts.com.cnarinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.sakkal.comarinzezx.exe, 00000001.00000003.329765672.0000000008041000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://can-sat.netai.net/livestream/CgCarinzezx.exe, 00000001.00000002.395742771.000000000AFED000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://can-sat.netai.narinzezx.exe, 00000001.00000002.368306823.0000000000B74000.00000004.00000010.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://can-sat.netai.net/livestream/5arinzezx.exe, 00000001.00000002.392284063.000000000AFCA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#arinzezx.exe, 00000004.00000002.590184555.0000000003749000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.apache.org/licenses/LICENSE-2.0arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://www.fontbureau.comarinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://sectigo.com/CPS0arinzezx.exe, 00000004.00000002.590184555.0000000003749000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://can-sat.netai.net/livestream/ions.AddInAdapter.v10.0arinzezx.exe, 00000001.00000002.392284063.000000000AFCA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    https://consent.google.com/ml?continue=https://www.google.com/maps?saddr%3D31.2087496arinzezx.exe, 00000001.00000002.396163809.000000000B009000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://wwwarinzezx.exe, 00000004.00000002.587010252.00000000033F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      http://maps.google.com/arinzezx.exe, 00000001.00000002.396320126.000000000B022000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://can-sat.netai.net/livestream/tldiarinzezx.exe, 00000001.00000002.392284063.000000000AFCA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://can-sat.netai.net/5arinzezx.exe, 00000001.00000002.368986456.0000000000E90000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.fontbureau.com/designerse~arinzezx.exe, 00000001.00000003.330821049.0000000008070000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://www.carterandcone.comlarinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://www.fontbureau.com/designers/cabarga.htmlNarinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://www.fontbureau.com/designers2~arinzezx.exe, 00000001.00000003.331818514.0000000008070000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000003.331395636.0000000008070000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://www.ascendercorp.com/typedesigners.htmluarinzezx.exe, 00000001.00000003.329249971.0000000008034000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://www.founder.com.cn/cnarinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://www.fontbureau.com/designers/frere-jones.htmlarinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://www.tiro.comYarinzezx.exe, 00000001.00000003.324693815.000000000804B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://www.jiyu-kobo.co.jp/arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                http://maps.google.com/maps?saddr=31.2087496arinzezx.exe, 00000001.00000002.396211933.000000000B010000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://www.000webhost.com/arinzezx.exe, 00000001.00000002.396226962.000000000B014000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://can-sat.netai.net/livestream/46arinzezx.exe, 00000001.00000002.368986456.0000000000E90000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://can-sat.netai.net/livestream/earinzezx.exe, 00000001.00000002.392284063.000000000AFCA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://www.fontbureau.com/designers8arinzezx.exe, 00000001.00000002.386131393.0000000009342000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://www.google.com/_arinzezx.exe, 00000001.00000002.396320126.000000000B022000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://can-sat.netai.net/livestream/llarinzezx.exe, 00000001.00000002.392284063.000000000AFCA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        https://www.google.com/arinzezx.exe, 00000001.00000002.396320126.000000000B022000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://www.google.com/maps?saddr=31.2087496arinzezx.exe, 00000001.00000002.396211933.000000000B010000.00000004.00000800.00020000.00000000.sdmp, arinzezx.exe, 00000001.00000002.396320126.000000000B022000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://www.google.com/maps?saddr%3D31.2087496arinzezx.exe, 00000001.00000002.391736808.000000000AFA1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
IP | Domain | Country | ASN | ASN Name | Malicious
216.58.215.238 | consent.google.com | United States | 15169 | GOOGLEUS | false
104.19.184.120 | www.000webhost.com | United States | 13335 | CLOUDFLARENETUS | false
142.250.203.100 | www.google.com | United States | 15169 | GOOGLEUS | false
153.92.0.100 | can-sat.netai.net | Germany | 204915 | AWEXUS | false
142.250.203.110 | maps.google.com | United States | 15169 | GOOGLEUS | false
91.235.128.141 | cp5ua.hyperhost.ua | Ukraine | 15626 | ITLASUA | false
                                                                                              IP
                                                                                              192.168.2.1
                                                                                              Joe Sandbox Version:35.0.0 Citrine
                                                                                              Analysis ID:694556
                                                                                              Start date and time:2022-08-31 23:46:48 +02:00
                                                                                              Joe Sandbox Product:CloudBasic
                                                                                              Overall analysis duration:0h 11m 36s
                                                                                              Hypervisor based Inspection enabled:false
                                                                                              Report type:light
                                                                                              Sample file name:arinzezx.exe
                                                                                              Cookbook file name:default.jbs
                                                                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:18
                                                                                              Number of new started drivers analysed:0
                                                                                              Number of existing processes analysed:0
                                                                                              Number of existing drivers analysed:0
                                                                                              Number of injected processes analysed:0
                                                                                              Technologies:
                                                                                              • HCA enabled
                                                                                              • EGA enabled
                                                                                              • HDC enabled
                                                                                              • AMSI enabled
                                                                                              Analysis Mode:default
                                                                                              Analysis stop reason:Timeout
                                                                                              Detection:MAL
                                                                                              Classification:mal100.troj.spyw.evad.winEXE@5/2@6/7
                                                                                              EGA Information:
                                                                                              • Successful, ratio: 100%
                                                                                              HDC Information:Failed
                                                                                              HCA Information:
                                                                                              • Successful, ratio: 94%
                                                                                              • Number of executed functions: 0
                                                                                              • Number of non-executed functions: 0
                                                                                              Cookbook Comments:
                                                                                              • Found application associated with file extension: .exe
                                                                                              • Adjust boot time
                                                                                              • Enable AMSI
                                                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                                              • TCP Packets have been reduced to 100
                                                                                              • Excluded domains from analysis (whitelisted): eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may be missing disassembly code information.
                                                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                              • VT rate limit hit for: arinzezx.exe
Time | Type | Description
23:48:05 | API Interceptor | 666x Sleep call for process: arinzezx.exe modified
                                                                                              No context
                                                                                              Process:C:\Users\user\Desktop\arinzezx.exe
                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):1421
                                                                                              Entropy (8bit):5.3458551807012835
                                                                                              Encrypted:false
                                                                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE49E4184F0:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz8
                                                                                              MD5:DD8C1D6EF5A3F10AA0CAC71550CF950A
                                                                                              SHA1:9EBD88472EFFCE6D3CB76038B1F18091D6380083
                                                                                              SHA-256:A711E30BAC1BD29BF2FFA7FDA00D2F01E1978DA22F2F941E877B5C3A8476F17F
                                                                                              SHA-512:2130B3804715A279E40B085702552BCB647AA5F0ED39FD1E90A8F963C8EB6D736190CB37147427C1A9CCA1AB0AF30BAB62649E045116334DF52923F0A7406A6F
                                                                                              Malicious:true
                                                                                              Reputation:moderate, very likely benign file
                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                              Process:C:\Users\user\Desktop\arinzezx.exe
                                                                                              File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):162
                                                                                              Entropy (8bit):4.43530643106624
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:qVoB3tUROGclXqyvXboAcMBXqWSZUXqXlIVLLP61IwcWWGu:q43tISl6kXiMIWSU6XlI5LP8IpfGu
                                                                                              MD5:4F8E702CC244EC5D4DE32740C0ECBD97
                                                                                              SHA1:3ADB1F02D5B6054DE0046E367C1D687B6CDF7AFF
                                                                                              SHA-256:9E17CB15DD75BBBD5DBB984EDA674863C3B10AB72613CF8A39A00C3E11A8492A
                                                                                              SHA-512:21047FEA5269FEE75A2A187AA09316519E35068CB2F2F76CFAF371E5224445E9D5C98497BD76FB9608D2B73E9DAC1A3F5BFADFDC4623C479D53ECF93D81D3C9F
                                                                                              Malicious:false
                                                                                              Reputation:moderate, very likely benign file
                                                                                              Preview:<html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>..
                                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Entropy (8bit):7.2761539654732506
                                                                                              TrID:
                                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                              • Windows Screen Saver (13104/52) 0.07%
                                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                              File name:arinzezx.exe
                                                                                              File size:1527808
                                                                                              MD5:314c678d85f7927a42f34797627532e1
                                                                                              SHA1:1a1695ee1411cc14754cc92e14a6243ee7af81d1
                                                                                              SHA256:e5b9cc21b8de77e68e03e202609511b8b57d1ea278d6cd0fe0b7fb454f1d7432
                                                                                              SHA512:40b9a9373cd8590cb70d8ba289d4fe0d83d5dbff81a6b6c17baf03142f4627fdeee36547a15b5b4d2b77c650ea74001ee10abe98ec6f6ba8333e9cdf57f2ca09
                                                                                              SSDEEP:24576:H+tsF5jvq3uXN7+ZZ56+ncKxRGXUO+C+0/suliuM:ec5jvt856+ncaO+CV/sa
                                                                                              TLSH:BD655B9C7650B2AFC817CE76CAA45C24F6A0B56B430BE743A05326ED9D0D69BCF150F2
                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{l.c..............0..$...*.......B... ...`....@.. ....................................@................................
                                                                                              Icon Hash:f0e4d068c4f4d470
                                                                                              Entrypoint:0x57422e
                                                                                              Entrypoint Section:.text
                                                                                              Digitally signed:false
                                                                                              Imagebase:0x400000
                                                                                              Subsystem:windows gui
                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                              Time Stamp:0x630F6C7B [Wed Aug 31 14:13:15 2022 UTC]
                                                                                              TLS Callbacks:
                                                                                              CLR (.Net) Version:
                                                                                              OS Version Major:4
                                                                                              OS Version Minor:0
                                                                                              File Version Major:4
                                                                                              File Version Minor:0
                                                                                              Subsystem Version Major:4
                                                                                              Subsystem Version Minor:0
                                                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                              Instruction
                                                                                              jmp dword ptr [00402000h]
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
                                                                                              add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x1741e0         0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x176000         0x2620        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x17a000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x172234      0x172400  False     0.692158618543214   data       7.276869829356131    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x176000         0x2620        0x2800    False     0.8513671875        data       7.217519667394241    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x17a000         0xc           0x200     False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA       Size    Type                                                                        Language  Country
RT_ICON        0x176130  0x1fcb  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON  0x1780fc  0x14    data
RT_VERSION     0x178110  0x320   data
RT_MANIFEST    0x178430  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Aug 31, 2022 23:48:04.576775074 CEST  49714        80         192.168.2.5      142.250.203.110
Aug 31, 2022 23:48:04.577162981 CEST  49715        80         192.168.2.5      153.92.0.100
Aug 31, 2022 23:48:04.593622923 CEST  80           49714      142.250.203.110  192.168.2.5
Aug 31, 2022 23:48:04.593744993 CEST  49714        80         192.168.2.5      142.250.203.110
Aug 31, 2022 23:48:04.595390081 CEST  49714        80         192.168.2.5      142.250.203.110
Aug 31, 2022 23:48:04.612171888 CEST  80           49714      142.250.203.110  192.168.2.5
Aug 31, 2022 23:48:04.699640989 CEST  80           49714      142.250.203.110  192.168.2.5
Aug 31, 2022 23:48:04.699734926 CEST  49714        80         192.168.2.5      142.250.203.110
Aug 31, 2022 23:48:04.709311008 CEST  80           49715      153.92.0.100     192.168.2.5
Aug 31, 2022 23:48:04.709398031 CEST  49715        80         192.168.2.5      153.92.0.100
Aug 31, 2022 23:48:04.734621048 CEST  49715        80         192.168.2.5      153.92.0.100
Aug 31, 2022 23:48:04.738118887 CEST  49714        80         192.168.2.5      142.250.203.110
Aug 31, 2022 23:48:04.755947113 CEST  80           49714      142.250.203.110  192.168.2.5
Aug 31, 2022 23:48:04.866863012 CEST  80           49715      153.92.0.100     192.168.2.5
Aug 31, 2022 23:48:04.866895914 CEST  80           49715      153.92.0.100     192.168.2.5
Aug 31, 2022 23:48:04.867017984 CEST  49715        80         192.168.2.5      153.92.0.100
Aug 31, 2022 23:48:06.168876886 CEST  49716        443        192.168.2.5      104.19.184.120
Aug 31, 2022 23:48:06.168926001 CEST  443          49716      104.19.184.120   192.168.2.5
Aug 31, 2022 23:48:06.169018030 CEST  49716        443        192.168.2.5      104.19.184.120
Aug 31, 2022 23:48:06.386010885 CEST  80           49714      142.250.203.110  192.168.2.5
Aug 31, 2022 23:48:06.386142969 CEST  49714        80         192.168.2.5      142.250.203.110
Aug 31, 2022 23:48:06.574127913 CEST  49716        443        192.168.2.5      104.19.184.120
Aug 31, 2022 23:48:06.574150085 CEST  443          49716      104.19.184.120   192.168.2.5
Aug 31, 2022 23:48:06.627569914 CEST  443          49716      104.19.184.120   192.168.2.5
Aug 31, 2022 23:48:06.627779961 CEST  49716        443        192.168.2.5      104.19.184.120
Aug 31, 2022 23:48:09.230206966 CEST  49717        443        192.168.2.5      142.250.203.100
Aug 31, 2022 23:48:09.230243921 CEST  443          49717      142.250.203.100  192.168.2.5
Aug 31, 2022 23:48:09.230318069 CEST  49717        443        192.168.2.5      142.250.203.100
Aug 31, 2022 23:48:09.866502047 CEST  80           49715      153.92.0.100     192.168.2.5
Aug 31, 2022 23:48:09.866643906 CEST  49715        80         192.168.2.5      153.92.0.100
Aug 31, 2022 23:48:09.873178959 CEST  49717        443        192.168.2.5      142.250.203.100
Aug 31, 2022 23:48:09.873193979 CEST  443          49717      142.250.203.100  192.168.2.5
Aug 31, 2022 23:48:09.930548906 CEST  443          49717      142.250.203.100  192.168.2.5
Aug 31, 2022 23:48:09.930721998 CEST  49717        443        192.168.2.5      142.250.203.100
Aug 31, 2022 23:48:10.719584942 CEST  49717        443        192.168.2.5      142.250.203.100
Aug 31, 2022 23:48:10.719602108 CEST  443          49717      142.250.203.100  192.168.2.5
Aug 31, 2022 23:48:10.719846010 CEST  49716        443        192.168.2.5      104.19.184.120
Aug 31, 2022 23:48:10.719861984 CEST  443          49717      142.250.203.100  192.168.2.5
Aug 31, 2022 23:48:10.719871998 CEST  443          49716      104.19.184.120   192.168.2.5
Aug 31, 2022 23:48:10.719922066 CEST  49717        443        192.168.2.5      142.250.203.100
Aug 31, 2022 23:48:10.720099926 CEST  443          49716      104.19.184.120   192.168.2.5
Aug 31, 2022 23:48:10.720168114 CEST  49716        443        192.168.2.5      104.19.184.120
Aug 31, 2022 23:48:10.723875046 CEST  49717        443        192.168.2.5      142.250.203.100
Aug 31, 2022 23:48:10.724464893 CEST  49716        443        192.168.2.5      104.19.184.120
Aug 31, 2022 23:48:10.747525930 CEST  443          49716      104.19.184.120   192.168.2.5
Aug 31, 2022 23:48:10.747577906 CEST  443          49716      104.19.184.120   192.168.2.5
Aug 31, 2022 23:48:10.747678041 CEST  49716        443        192.168.2.5      104.19.184.120
Aug 31, 2022 23:48:10.747699022 CEST  49716        443        192.168.2.5      104.19.184.120
Aug 31, 2022 23:48:10.767368078 CEST  443          49717      142.250.203.100  192.168.2.5
Aug 31, 2022 23:48:12.369606972 CEST  443          49717      142.250.203.100  192.168.2.5
Aug 31, 2022 23:48:12.369786978 CEST  49717        443        192.168.2.5      142.250.203.100
Aug 31, 2022 23:48:12.369798899 CEST  443          49717      142.250.203.100  192.168.2.5
Aug 31, 2022 23:48:12.369852066 CEST  49717        443        192.168.2.5      142.250.203.100
Aug 31, 2022 23:48:12.381283998 CEST  443          49717      142.250.203.100  192.168.2.5
Aug 31, 2022 23:48:12.381340981 CEST  443          49717      142.250.203.100  192.168.2.5
Aug 31, 2022 23:48:12.381407976 CEST  49717        443        192.168.2.5      142.250.203.100
Aug 31, 2022 23:48:12.381418943 CEST  49717        443        192.168.2.5      142.250.203.100
Aug 31, 2022 23:48:12.402407885 CEST  49717        443        192.168.2.5      142.250.203.100
Aug 31, 2022 23:48:12.402427912 CEST  443          49717      142.250.203.100  192.168.2.5
Aug 31, 2022 23:48:12.402451038 CEST  49717        443        192.168.2.5      142.250.203.100
Aug 31, 2022 23:48:12.402487993 CEST  49717        443        192.168.2.5      142.250.203.100
Aug 31, 2022 23:48:12.445267916 CEST  49718        443        192.168.2.5      216.58.215.238
Aug 31, 2022 23:48:12.445334911 CEST  443          49718      216.58.215.238   192.168.2.5
Aug 31, 2022 23:48:12.445437908 CEST  49718        443        192.168.2.5      216.58.215.238
Aug 31, 2022 23:48:12.495666981 CEST  49718        443        192.168.2.5      216.58.215.238
Aug 31, 2022 23:48:12.495704889 CEST  443          49718      216.58.215.238   192.168.2.5
Aug 31, 2022 23:48:12.558326006 CEST  443          49718      216.58.215.238   192.168.2.5
Aug 31, 2022 23:48:12.558475971 CEST  49718        443        192.168.2.5      216.58.215.238
Aug 31, 2022 23:48:12.560187101 CEST  443          49718      216.58.215.238   192.168.2.5
Aug 31, 2022 23:48:12.560255051 CEST  49718        443        192.168.2.5      216.58.215.238
Aug 31, 2022 23:48:12.591414928 CEST  49718        443        192.168.2.5      216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.591439009 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.591686964 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.591770887 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.593329906 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.635369062 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.653110981 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.653152943 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.653192043 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.653218031 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.653233051 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.653261900 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.654133081 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.654172897 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.654202938 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.654211998 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.654249907 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.654275894 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.655402899 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.655468941 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.655528069 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.655570984 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.656781912 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.656836033 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.656836987 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.656868935 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.656898022 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.656919003 CEST49718443192.168.2.5216.58.215.238
                                                                                              Aug 31, 2022 23:48:12.657917023 CEST44349718216.58.215.238192.168.2.5
                                                                                              Aug 31, 2022 23:48:12.657993078 CEST49718443192.168.2.5216.58.215.238
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                Type            Class
Aug 31, 2022 23:48:04.422735929 CEST  192.168.2.5  8.8.8.8  0x7761    Standard query (0)  maps.google.com     A (IP address)  IN (0x0001)
Aug 31, 2022 23:48:04.527575016 CEST  192.168.2.5  8.8.8.8  0xb174    Standard query (0)  can-sat.netai.net   A (IP address)  IN (0x0001)
Aug 31, 2022 23:48:06.056193113 CEST  192.168.2.5  8.8.8.8  0x59e3    Standard query (0)  www.000webhost.com  A (IP address)  IN (0x0001)
Aug 31, 2022 23:48:07.941476107 CEST  192.168.2.5  8.8.8.8  0xa65d    Standard query (0)  www.google.com      A (IP address)  IN (0x0001)
Aug 31, 2022 23:48:12.412324905 CEST  192.168.2.5  8.8.8.8  0xf296    Standard query (0)  consent.google.com  A (IP address)  IN (0x0001)
Aug 31, 2022 23:48:33.922821045 CEST  192.168.2.5  8.8.8.8  0xe3eb    Standard query (0)  cp5ua.hyperhost.ua  A (IP address)  IN (0x0001)

Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                Address          Type            Class
Aug 31, 2022 23:48:04.450783968 CEST  8.8.8.8    192.168.2.5  0x7761    No error (0)  maps.google.com     142.250.203.110  A (IP address)  IN (0x0001)
Aug 31, 2022 23:48:04.558106899 CEST  8.8.8.8    192.168.2.5  0xb174    No error (0)  can-sat.netai.net   153.92.0.100     A (IP address)  IN (0x0001)
Aug 31, 2022 23:48:06.078233957 CEST  8.8.8.8    192.168.2.5  0x59e3    No error (0)  www.000webhost.com  104.19.184.120   A (IP address)  IN (0x0001)
Aug 31, 2022 23:48:06.078233957 CEST  8.8.8.8    192.168.2.5  0x59e3    No error (0)  www.000webhost.com  104.19.185.120   A (IP address)  IN (0x0001)
Aug 31, 2022 23:48:07.969182014 CEST  8.8.8.8    192.168.2.5  0xa65d    No error (0)  www.google.com      142.250.203.100  A (IP address)  IN (0x0001)
Aug 31, 2022 23:48:12.440073013 CEST  8.8.8.8    192.168.2.5  0xf296    No error (0)  consent.google.com  216.58.215.238   A (IP address)  IN (0x0001)
Aug 31, 2022 23:48:33.950745106 CEST  8.8.8.8    192.168.2.5  0xe3eb    No error (0)  cp5ua.hyperhost.ua  91.235.128.141   A (IP address)  IN (0x0001)
• www.google.com
• www.000webhost.com
• consent.google.com
• maps.google.com
• can-sat.netai.net
Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
0           192.168.2.5  49717        142.250.203.100  443               C:\Users\user\Desktop\arinzezx.exe
Timestamp  kBytes transferred  Direction  Data

Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
1           192.168.2.5  49716        104.19.184.120   443               C:\Users\user\Desktop\arinzezx.exe
Timestamp  kBytes transferred  Direction  Data

Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
2           192.168.2.5  49718        216.58.215.238   443               C:\Users\user\Desktop\arinzezx.exe
Timestamp  kBytes transferred  Direction  Data

Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
3           192.168.2.5  49714        142.250.203.110  80                C:\Users\user\Desktop\arinzezx.exe
Timestamp  kBytes transferred  Direction  Data
Aug 31, 2022 23:48:04.595390081 CEST  822  OUT  GET /?saddr=31.2087496,29.9091634&z=10 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: maps.google.com
Connection: Keep-Alive
Aug 31, 2022 23:48:04.699640989 CEST  823  IN  HTTP/1.1 302 Found
Location: http://maps.google.com/maps?saddr=31.2087496,29.9091634&z=10
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Wed, 31 Aug 2022 21:48:04 GMT
Server: gws
Content-Length: 261
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AakniGOUVp4jXHHD5YhzAajOatKevD6jDoHGMxHhgsCt6t1rStwPaLBqLg; expires=Mon, 27-Feb-2023 21:48:04 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="http://maps.google.com/maps?saddr=31.2087496,29.9091634&amp;z=10">here</A>.</BODY></HTML>
Aug 31, 2022 23:48:04.738118887 CEST  824  OUT  GET /maps?saddr=31.2087496,29.9091634&z=10 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: maps.google.com
Connection: Keep-Alive
Aug 31, 2022 23:48:06.386010885 CEST  884  IN  HTTP/1.1 302 Found
Location: https://www.google.com:443/maps?saddr=31.2087496,29.9091634&z=10
Cache-Control: private
Timing-Allow-Origin: https://www.google.com
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-RbpRIc1wZu3MpKqYcMBkxg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/maps-tactile
Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/maps-tactile"}]}
Date: Wed, 31 Aug 2022 21:48:06 GMT
Server: gws
Content-Length: 265
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com:443/maps?saddr=31.2087496,29.9091634&amp;z=10">here</A>.</BODY></HTML>

Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
4           192.168.2.5  49715        153.92.0.100    80                C:\Users\user\Desktop\arinzezx.exe
Timestamp  kBytes transferred  Direction  Data
Aug 31, 2022 23:48:04.734621048 CEST  824  OUT  GET /livestream/ HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: can-sat.netai.net
Connection: Keep-Alive
Aug 31, 2022 23:48:04.866895914 CEST  836  IN  HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 31 Aug 2022 21:48:04 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://www.000webhost.com/migrate?static=true
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
0           192.168.2.5  49717        142.250.203.100  443               C:\Users\user\Desktop\arinzezx.exe
Timestamp  kBytes transferred  Direction  Data
2022-08-31 21:48:10 UTC  0  OUT  GET /maps?saddr=31.2087496,29.9091634&z=10 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Connection: Keep-Alive
Host: www.google.com
Cookie: AEC=AakniGOUVp4jXHHD5YhzAajOatKevD6jDoHGMxHhgsCt6t1rStwPaLBqLg
2022-08-31 21:48:12 UTC  1  IN  HTTP/1.1 302 Found
Location: https://consent.google.com/ml?continue=https://www.google.com/maps?saddr%3D31.2087496,29.9091634&gl=GB&m=0&pc=m&uxe=eomtm&hl=de&src=1
Cache-Control: private
Timing-Allow-Origin: https://www.google.com
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-eYZYv7vRwthqp9Ru1E-35A' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/maps-tactile
Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/maps-tactile"}]}
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Date: Wed, 31 Aug 2022 21:48:12 GMT
Server: gws
Content-Length: 354
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: __Secure-ENID=6.SE=bAHSQtLrQMWxy_tqz0WaDaeFL1W5VOmOKkO5mBuNXISIweN8ghtdM05hF-gECfwTJ28xI6MWi6sNJZJsO8QjQObRoGTdPzM-68Gkxop6bVdx8jKoV8MxbLdPgIHJvYSyjREMuxUbqTR9T7NbGnUtXMHWrPSNiDAhrFDcYhFn5sM; expires=Sun, 01-Oct-2023 14:06:30 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: CONSENT=PENDING+026; expires=Fri, 30-Aug-2024 21:48:10 GMT; path=/; domain=.google.com; Secure
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Connection: close
2022-08-31 21:48:12 UTC  2  IN  Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://consent.google.com/ml?continue=https://www.google.com/maps?saddr%3D31.2087496,2


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                              1 | 192.168.2.5 | 49716 | 104.19.184.120 | 443 | C:\Users\user\Desktop\arinzezx.exe
                                                                                              Timestamp | kBytes transferred | Direction | Data
                                                                                              2022-08-31 21:48:10 UTC | 0 | OUT | GET /migrate?static=true HTTP/1.1
                                                                                              Accept: */*
                                                                                              Accept-Language: en-US
                                                                                              Accept-Encoding: gzip, deflate
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                              Connection: Keep-Alive
                                                                                              Host: www.000webhost.com
                                                                                              2022-08-31 21:48:10 UTC | 0 | IN | HTTP/1.1 403 Forbidden
                                                                                              Date: Wed, 31 Aug 2022 21:48:10 GMT
                                                                                              Content-Type: text/plain; charset=UTF-8
                                                                                              Content-Length: 16
                                                                                              Connection: close
                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                              Referrer-Policy: same-origin
                                                                                              Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                              Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 7438f8070c269b76-FRA
                                                                                              alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                              2022-08-31 21:48:10 UTC | 1 | IN | Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30
                                                                                              Data Ascii: error code: 1020


                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                              2 | 192.168.2.5 | 49718 | 216.58.215.238 | 443 | C:\Users\user\Desktop\arinzezx.exe
                                                                                              Timestamp | kBytes transferred | Direction | Data
                                                                                              2022-08-31 21:48:12 UTC | 2 | OUT | GET /ml?continue=https://www.google.com/maps?saddr%3D31.2087496,29.9091634&gl=GB&m=0&pc=m&uxe=eomtm&hl=de&src=1 HTTP/1.1
                                                                                              Accept: */*
                                                                                              Accept-Language: en-US
                                                                                              Accept-Encoding: gzip, deflate
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                              Connection: Keep-Alive
                                                                                              Host: consent.google.com
                                                                                              Cookie: AEC=AakniGOUVp4jXHHD5YhzAajOatKevD6jDoHGMxHhgsCt6t1rStwPaLBqLg; __Secure-ENID=6.SE=bAHSQtLrQMWxy_tqz0WaDaeFL1W5VOmOKkO5mBuNXISIweN8ghtdM05hF-gECfwTJ28xI6MWi6sNJZJsO8QjQObRoGTdPzM-68Gkxop6bVdx8jKoV8MxbLdPgIHJvYSyjREMuxUbqTR9T7NbGnUtXMHWrPSNiDAhrFDcYhFn5sM; CONSENT=PENDING+026
                                                                                              2022-08-31 21:48:12 UTC | 3 | IN | HTTP/1.1 200 OK
                                                                                              Content-Type: text/html; charset=utf-8
                                                                                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                              Date: Wed, 31 Aug 2022 21:48:12 GMT
                                                                                              Content-Security-Policy: script-src 'nonce-RRrq1WooZd6hewPTbB8fdA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/ConsentHttp/cspreport;worker-src 'self'
                                                                                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                              Cross-Origin-Resource-Policy: same-site
                                                                                              Report-To: {"group":"ConsentHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/ConsentHttp/external"}]}
                                                                                              Content-Security-Policy-Report-Only: require-trusted-types-for 'script';report-uri /_/ConsentHttp/cspreport
                                                                                              Cross-Origin-Opener-Policy: unsafe-none; report-to="ConsentHttp"
                                                                                              Server: ESF
                                                                                              X-XSS-Protection: 0
                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                              X-Content-Type-Options: nosniff
                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                              Accept-Ranges: none
                                                                                              Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
                                                                                              Connection: close
                                                                                              Transfer-Encoding: chunked
                                                                                              2022-08-31 21:48:12 UTC | 5 | IN | Data Raw: 33 36 64 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 64 65 22 20 64 69 72 3d 22 6c 74 72 22 3e 3c 68 65 61 64 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 44 66 6f 69 79 73 4c 6d 6a 6f 4a 56 67 4f 78 6f 4d 61 43 45 72 67 22 3e 0a 61 2c 20 61 3a 6c 69 6e 6b 2c 20 61 3a 76 69 73 69 74 65 64 2c 20 61 3a 61 63 74 69 76 65 2c 20 61 3a 68 6f 76 65 72 20 7b 0a 20 20 63 6f 6c 6f 72 3a 20 23 31 61 37 33 65 38 3b 0a 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 62 6f 64 79 20 7b 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 52 6f 62 6f 74 6f 2c 52 6f 62 6f 74 6f 44 72 61 66 74 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 74 65 78 74 2d
                                                                                              Data Ascii: 36da<!DOCTYPE html><html lang="de" dir="ltr"><head><style nonce="DfoiysLmjoJVgOxoMaCErg">a, a:link, a:visited, a:active, a:hover { color: #1a73e8; text-decoration: none;}body { font-family: Roboto,RobotoDraft,Helvetica,Arial,sans-serif; text-
                                                                                              2022-08-31 21:48:12 UTC | 6 | IN | Data Raw: 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 35 30 30 3b 0a 20 20 68 65 69 67 68 74 3a 20 33 36 70 78 3b 0a 20 20 6d 61 72 67 69 6e 3a 20 31 32 70 78 20 34 70 78 20 30 3b 0a 20 20 70 61 64 64 69 6e 67 3a 20 38 70 78 20 32 34 70 78 3b 0a 7d 0a 2e 68 61 69 72 6c 69 6e 65 62 75 74 74 6f 6e 20 7b 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 20 20 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 20 31 70 78 3b 0a 20 20 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 64 61 64 63 65 30 3b 0a 20 20 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 20 73 6f 6c 69 64 3b 0a 20 20 6d 61 78 2d 68 65 69 67 68 74 3a 20
                                                                                              Data Ascii: Helvetica,Arial,sans-serif; font-size: 14px; font-weight: 500; height: 36px; margin: 12px 4px 0; padding: 8px 24px;}.hairlinebutton { background-color: #fff; border-width: 1px; border-color: #dadce0; border-style: solid; max-height:
                                                                                              2022-08-31 21:48:12 UTC | 7 | IN | Data Raw: 64 74 68 3a 20 33 36 30 70 78 3b 0a 7d 0a 0a 2f 2a 2a 20 4e 61 72 72 6f 77 20 73 63 72 65 65 6e 20 28 66 6f 72 20 65 78 61 6d 70 6c 65 20 61 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 29 2e 20 2a 2f 0a 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 20 34 38 30 70 78 29 20 7b 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 38 70 78 20 31 34 70 78 3b 0a 20 20 7d 0a 20 20 2e 66 6f 6f 74 65 72 20 66 6f 72 6d 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 33 70 78 3b 0a 20 20 7d 0a 20 20 2e 69 6d 67 43 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 39 36 70 78 3b 0a 20 20 7d 0a 20 20 62 75 74 74 6f 6e 2c 20 2e 62 75 74 74 6f 6e 20 7b 0a
                                                                                              Data Ascii: dth: 360px;}/** Narrow screen (for example a mobile device). */@media only screen and (max-width: 480px) { body { margin: 18px 14px; } .footer form { margin-bottom: 3px; } .imgContainer { min-width: 96px; } button, .button {
                                                                                              2022-08-31 21:48:12 UTC | 9 | IN | Data Raw: 61 65 3d 63 62 2d 65 6f 6d 74 6d 22 20 63 6c 61 73 73 3d 22 62 61 73 65 62 75 74 74 6f 6e 20 68 61 69 72 6c 69 6e 65 62 75 74 74 6f 6e 22 3e 41 6e 6d 65 6c 64 65 6e 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 6f 78 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 77 77 77 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 36 38 78 32 38 64 70 2e 70 6e 67 22 20 73 72 63 73 65 74 3d 22 2f 2f 77 77 77 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 36 38 78 32 38 64 70 2e 70 6e 67 20
                                                                                              Data Ascii: ae=cb-eomtm" class="basebutton hairlinebutton">Anmelden</a></div><div class="box"><img src="//www.gstatic.com/images/branding/googlelogo/1x/googlelogo_color_68x28dp.png" srcset="//www.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_68x28dp.png
                                                                                              2022-08-31 21:48:12 UTC | 10 | IN | Data Raw: 68 72 65 6d 20 53 74 61 6e 64 6f 72 74 20 62 65 65 69 6e 66 6c 75 73 73 74 2e 20 4e 69 63 68 74 20 70 65 72 73 6f 6e 61 6c 69 73 69 65 72 74 65 20 57 65 72 62 75 6e 67 20 77 69 72 64 20 76 6f 6e 20 64 65 6e 20 49 6e 68 61 6c 74 65 6e 2c 20 64 69 65 20 53 69 65 20 73 69 63 68 20 67 65 72 61 64 65 20 61 6e 73 65 68 65 6e 2c 20 75 6e 64 20 49 68 72 65 6d 20 75 6e 67 65 66 c3 a4 68 72 65 6e 20 53 74 61 6e 64 6f 72 74 20 62 65 65 69 6e 66 6c 75 73 73 74 2e 20 50 65 72 73 6f 6e 61 6c 69 73 69 65 72 74 65 20 49 6e 68 61 6c 74 65 20 75 6e 64 20 57 65 72 62 75 6e 67 20 6b c3 b6 6e 6e 65 6e 20 61 75 63 68 20 72 65 6c 65 76 61 6e 74 65 72 65 20 45 72 67 65 62 6e 69 73 73 65 2c 20 45 6d 70 66 65 68 6c 75 6e 67 65 6e 20 75 6e 64 20 69 6e 64 69 76 69 64 75 65 6c 6c 65
                                                                                              Data Ascii: hrem Standort beeinflusst. Nicht personalisierte Werbung wird von den Inhalten, die Sie sich gerade ansehen, und Ihrem ungefähren Standort beeinflusst. Personalisierte Inhalte und Werbung können auch relevantere Ergebnisse, Empfehlungen und individuelle
                                                                                              2022-08-31 21:48:12 UTC | 12 | IN | Data Raw: 4f 53 54 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 22 3e 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 62 6c 22 20 76 61 6c 75 65 3d 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 75 69 73 65 72 76 65 72 5f 32 30 32 32 30 38 32 38 2e 31 34 5f 70 30 22 3e 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 78 22 20 76 61 6c 75 65 3d 22 38 22 3e 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 67 6c 22 20 76 61 6c 75 65 3d 22 47 42 22 3e 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 6d 22 20 76 61 6c 75 65 3d 22 30 22 3e 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20
                                                                                              Data Ascii: OST" style="display:inline;"><input type="hidden" name="bl" value="boq_identityfrontenduiserver_20220828.14_p0"><input type="hidden" name="x" value="8"><input type="hidden" name="gl" value="GB"><input type="hidden" name="m" value="0"><input type="hidden"
                                                                                              2022-08-31 21:48:12 UTC | 13 | IN | Data Raw: 75 65 3d 22 41 6c 6c 65 20 61 6b 7a 65 70 74 69 65 72 65 6e 22 20 63 6c 61 73 73 3d 22 62 61 73 65 62 75 74 74 6f 6e 20 62 75 74 74 6f 6e 20 73 65 61 72 63 68 42 75 74 74 6f 6e 22 20 61 72 69 61 2d 6c 61 62 65 6c 3d 22 41 6c 6c 65 20 61 6b 7a 65 70 74 69 65 72 65 6e 22 2f 3e 3c 2f 66 6f 72 6d 3e 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 6e 73 65 6e 74 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 61 76 65 22 20 6d 65 74 68 6f 64 3d 22 50 4f 53 54 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 22 3e 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 62 6c 22 20 76 61 6c 75 65 3d 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 75 69 73 65 72 76 65 72 5f 32 30 32 32 30
                                                                                              Data Ascii: ue="Alle akzeptieren" class="basebutton button searchButton" aria-label="Alle akzeptieren"/></form><form action="https://consent.google.com/save" method="POST" style="display:block;"><input type="hidden" name="bl" value="boq_identityfrontenduiserver_20220
                                                                                              2022-08-31 21:48:12 UTC | 15 | IN | Data Raw: 22 65 74 22 3e 65 65 73 74 69 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 65 6e 2d 47 42 22 3e 45 6e 67 6c 69 73 68 26 6e 62 73 70 3b 28 55 6e 69 74 65 64 20 4b 69 6e 67 64 6f 6d 29 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 65 6e 22 3e 45 6e 67 6c 69 73 68 26 6e 62 73 70 3b 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 65 73 22 3e 45 73 70 61 c3 b1 6f 6c 26 6e 62 73 70 3b 28 45 73 70 61 c3 b1 61 29 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 65 73 2d 34 31 39 22 3e 45 73 70 61 c3 b1 6f 6c 26 6e 62 73 70 3b 28 4c 61 74 69 6e 6f 61 6d c3 a9 72 69 63 61 29 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e
                                                                                              Data Ascii: "et">eesti</option><option value="en-GB">English&nbsp;(United Kingdom)</option><option value="en">English&nbsp;(United States)</option><option value="es">Español&nbsp;(España)</option><option value="es-419">Español&nbsp;(Latinoamérica)</option><option
                                                                                              2022-08-31 21:48:12 UTC | 16 | IN | Data Raw: ce bb ce b7 ce bd ce b9 ce ba ce ac 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 62 65 22 3e d0 b1 d0 b5 d0 bb d0 b0 d1 80 d1 83 d1 81 d0 ba d0 b0 d1 8f 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 62 67 22 3e d0 b1 d1 8a d0 bb d0 b3 d0 b0 d1 80 d1 81 d0 ba d0 b8 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 6b 79 22 3e d0 ba d1 8b d1 80 d0 b3 d1 8b d0 b7 d1 87 d0 b0 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 6b 6b 22 3e d2 9b d0 b0 d0 b7 d0 b0 d2 9b 20 d1 82 d1 96 d0 bb d1 96 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 6d 6b 22 3e d0 bc d0 b0 d0 ba d0 b5 d0 b4 d0 be d0 bd d1 81 d0 ba d0 b8 3c 2f 6f 70 74 69 6f 6e 3e 3c
                                                                                              Data Ascii: ληνικά</option><option value="be">беларуская</option><option value="bg">български</option><option value="ky">кыргызча</option><option value="kk">қазақ тілі</option><option value="mk">македонски</option><
                                                                                              2022-08-31 21:48:12 UTC | 18 | IN | Data Raw: 22 3e ed 95 9c ea b5 ad ec 96 b4 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 6a 61 22 3e e6 97 a5 e6 9c ac e8 aa 9e 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 7a 68 2d 43 4e 22 3e e7 ae 80 e4 bd 93 e4 b8 ad e6 96 87 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 7a 68 2d 54 57 22 3e e7 b9 81 e9 ab 94 e4 b8 ad e6 96 87 3c 2f 6f 70 74 69 6f 6e 3e 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 7a 68 2d 48 4b 22 3e e7 b9 81 e9 ab 94 e4 b8 ad e6 96 87 26 6e 62 73 70 3b 28 e9 a6 99 e6 b8 af 29 3c 2f 6f 70 74 69 6f 6e 3e 3c 2f 73 65 6c 65 63 74 3e 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 6f 6c 64 68 6c 22 20 76 61 6c 75 65 3d 22 64 65 22 3e 3c
                                                                                              Data Ascii: ">한국어</option><option value="ja">日本語</option><option value="zh-CN">简体中文</option><option value="zh-TW">繁體中文</option><option value="zh-HK">繁體中文&nbsp;(香港)</option></select><input type="hidden" name="oldhl" value="de"><
                                                                                              2022-08-31 21:48:12 UTC | 18 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                              Data Ascii: 0


                                                                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                                                              Aug 31, 2022 23:48:34.138493061 CEST | 587 | 49725 | 91.235.128.141 | 192.168.2.5 | 220-cp5ua.hyperhost.ua ESMTP Exim 4.95 #2 Thu, 01 Sep 2022 00:48:33 +0300
                                                                                              220-We do not authorize the use of this system to transport unsolicited,
                                                                                              220 and/or bulk e-mail.
                                                                                              Aug 31, 2022 23:48:34.138813019 CEST | 49725 | 587 | 192.168.2.5 | 91.235.128.141 | EHLO 528110
                                                                                              Aug 31, 2022 23:48:34.191039085 CEST | 587 | 49725 | 91.235.128.141 | 192.168.2.5 | 250-cp5ua.hyperhost.ua Hello 528110 [102.129.143.57]
                                                                                              250-SIZE 52428800
                                                                                              250-8BITMIME
                                                                                              250-PIPELINING
                                                                                              250-PIPE_CONNECT
                                                                                              250-STARTTLS
                                                                                              250 HELP
                                                                                              Aug 31, 2022 23:48:34.191276073 CEST | 49725 | 587 | 192.168.2.5 | 91.235.128.141 | STARTTLS
                                                                                              Aug 31, 2022 23:48:34.246081114 CEST | 587 | 49725 | 91.235.128.141 | 192.168.2.5 | 220 TLS go ahead
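The SMTP exchange above is the cleartext part of a mail-submission session on port 587 from the sample process to cp5ua.hyperhost.ua; it ends the moment STARTTLS is negotiated, so the sandbox capture cannot show what the sample sent afterwards (AgentTesla commonly delivers harvested credentials over SMTP). The following Python is an added example, not part of the Joe Sandbox report, that parses such a transcript and pulls out the indicators that remain visible in cleartext: the server host and software from the banner, the EHLO name the client supplied, the public egress IP the server echoed in its Hello reply, the ESMTP extensions offered, whether STARTTLS actually completed, and whether any AUTH command went across unencrypted. The transcript is the report's exchange re-keyed as one message per line with C:/S: direction prefixes (a constructed input); the function names are this example's own.

```python
"""Parse the cleartext part of an SMTP submission session captured in a sandbox network log
and extract the indicators a responder can pivot on."""
import re
from typing import Dict, List

# Constructed sample input: the exchange from the report above, one SMTP message per line.
# "S:" is server -> client (587 -> 49725), "C:" is client -> server (49725 -> 587).
SMTP_EXCHANGE = """\
S: 220-cp5ua.hyperhost.ua ESMTP Exim 4.95 #2 Thu, 01 Sep 2022 00:48:33 +0300
S: 220-We do not authorize the use of this system to transport unsolicited,
S: 220 and/or bulk e-mail.
C: EHLO 528110
S: 250-cp5ua.hyperhost.ua Hello 528110 [102.129.143.57]
S: 250-SIZE 52428800
S: 250-8BITMIME
S: 250-PIPELINING
S: 250-PIPE_CONNECT
S: 250-STARTTLS
S: 250 HELP
C: STARTTLS
S: 220 TLS go ahead
"""

# A server reply is a 3-digit code followed by "-" (more lines follow) or " " (last line).
REPLY_RE = re.compile(r"^(?P<code>\d{3})(?P<sep>[ -])(?P<text>.*)$")
HELLO_RE = re.compile(r"^(\S+) Hello (\S+) \[([\d.]+)\]")


def parse_exchange(transcript: str) -> List[dict]:
    """Split the transcript into messages {'dir': 'C'|'S', 'code': int|None, 'last': bool, 'text': str}."""
    messages = []
    for raw in transcript.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        direction, _, body = raw.partition(": ")
        if direction == "S":
            m = REPLY_RE.match(body)
            if not m:
                raise ValueError(f"malformed server reply: {body!r}")
            messages.append({"dir": "S", "code": int(m["code"]),
                             "last": m["sep"] == " ", "text": m["text"]})
        elif direction == "C":
            messages.append({"dir": "C", "code": None, "last": True, "text": body})
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return messages


def summarize_smtp(transcript: str) -> Dict[str, object]:
    """Extract pivot points from the cleartext phase of the session.

    starttls is True only if the client sent STARTTLS and the server answered 220; from that
    point on the capture is opaque, so any AUTH, MAIL FROM, RCPT TO and message body are not
    recoverable from the network log. cleartext_auth flags the opposite case, where the
    client authenticated before (or without) STARTTLS and the credentials are in the capture.
    """
    msgs = parse_exchange(transcript)
    out: Dict[str, object] = {
        "server_host": None, "server_software": None, "ehlo_name": None,
        "egress_ip": None, "extensions": [], "starttls": False, "cleartext_auth": False,
    }
    # Banner: first 220 reply, e.g. "cp5ua.hyperhost.ua ESMTP Exim 4.95 #2 ..."
    banner = next(m["text"] for m in msgs if m["dir"] == "S" and m["code"] == 220).split()
    out["server_host"] = banner[0]
    if len(banner) >= 4 and banner[1] == "ESMTP":
        out["server_software"] = f"{banner[2]} {banner[3]}"
    for i, m in enumerate(msgs):
        if m["dir"] == "C":
            verb, _, arg = m["text"].partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                out["ehlo_name"] = arg            # client-chosen name, often the infected host's name
            elif verb == "AUTH":
                out["cleartext_auth"] = True      # credentials are exposed in the capture
            elif verb == "STARTTLS":
                nxt = msgs[i + 1] if i + 1 < len(msgs) else None
                out["starttls"] = bool(nxt and nxt["dir"] == "S" and nxt["code"] == 220)
        elif m["code"] == 250:
            hello = HELLO_RE.match(m["text"])
            if hello:
                out["egress_ip"] = hello.group(3)  # the public IP the server saw the client from
            else:
                out["extensions"].append(m["text"])
    return out


if __name__ == "__main__":
    for key, value in summarize_smtp(SMTP_EXCHANGE).items():
        print(f"{key:16} {value}")
```

For this capture the summary reports starttls=True and cleartext_auth=False, so the SMTP account and recipient the sample uses are not in the network log; recovering them requires the sample's configuration from memory or a run with TLS interception. The server host, the EHLO name and the egress IP are the fields worth blocking or hunting on from the capture alone.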


                                                                                              Target ID:1
                                                                                              Start time:23:47:52
                                                                                              Start date:31/08/2022
                                                                                              Path:C:\Users\user\Desktop\arinzezx.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Users\user\Desktop\arinzezx.exe"
                                                                                              Imagebase:0x670000
                                                                                              File size:1527808 bytes
                                                                                              MD5 hash:314C678D85F7927A42F34797627532E1
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:.Net C# or VB.NET
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.376461043.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.381932594.0000000004787000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.381932594.0000000004787000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000002.381932594.0000000004787000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                              Reputation:low

                                                                                              Target ID:3
                                                                                              Start time:23:48:13
                                                                                              Start date:31/08/2022
                                                                                              Path:C:\Users\user\Desktop\arinzezx.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Users\user\Desktop\arinzezx.exe
                                                                                              Imagebase:0x410000
                                                                                              File size:1527808 bytes
                                                                                              MD5 hash:314C678D85F7927A42F34797627532E1
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:low

                                                                                              Target ID:4
                                                                                              Start time:23:48:14
                                                                                              Start date:31/08/2022
                                                                                              Path:C:\Users\user\Desktop\arinzezx.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Users\user\Desktop\arinzezx.exe
                                                                                              Imagebase:0xf60000
                                                                                              File size:1527808 bytes
                                                                                              MD5 hash:314C678D85F7927A42F34797627532E1
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:.Net C# or VB.NET
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.365108165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.365108165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000004.00000000.365108165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.587010252.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.587010252.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              Reputation:low

                                                                                              No disassembly