
Windows Analysis Report
l9qmoY93Ed.exe

Overview

General Information

Sample Name:l9qmoY93Ed.exe
Analysis ID:708248
MD5:fb561127230e7104e2df440f2712581e
SHA1:62741306fbb863c7def4a3cc21175a3badf59f14
SHA256:48929d6ac22fe9d2edee0e1ea483b143786d3b0965be5c771eb6a2d90018df21
Tags:exe, SnakeKeylogger

Detection

Snake Keylogger
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AntiVM3
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • l9qmoY93Ed.exe (PID: 5956 cmdline: "C:\Users\user\Desktop\l9qmoY93Ed.exe" MD5: FB561127230E7104E2DF440F2712581E)
    • l9qmoY93Ed.exe (PID: 3276 cmdline: C:\Users\user\Desktop\l9qmoY93Ed.exe MD5: FB561127230E7104E2DF440F2712581E)
    • l9qmoY93Ed.exe (PID: 4460 cmdline: C:\Users\user\Desktop\l9qmoY93Ed.exe MD5: FB561127230E7104E2DF440F2712581E)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "yugolog@gthltd.buzz", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua", "Port": "587"}
Source | Rule | Description | Author | Strings
Source: 00000000.00000002.316885128.000000000285F000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security
Source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
Source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security
Source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: MALWARE_Win_SnakeKeylogger | Description: Detects Snake Keylogger | Author: ditekSHen | Strings:
  • 0x1742c:$x1: $%SMTPDV$
  • 0x17442:$x2: $#TheHashHere%&
  • 0x187cc:$x3: %FTPDV$
  • 0x18894:$x4: $%TelegramDv$
  • 0x14d3d:$x5: KeyLoggerEventArgs
  • 0x150d3:$x5: KeyLoggerEventArgs
  • 0x1883c:$m1: | Snake Keylogger
  • 0x188f4:$m1: | Snake Keylogger
  • 0x18a48:$m1: | Snake Keylogger
  • 0x18b6e:$m1: | Snake Keylogger
  • 0x18cc8:$m1: | Snake Keylogger
  • 0x187f0:$m2: Clipboard Logs ID
  • 0x189fe:$m2: Screenshot Logs ID
  • 0x18b12:$m2: keystroke Logs ID
  • 0x18cfe:$m3: SnakePW
  • 0x189d6:$m4: \SnakeKeylogger\
Source | Rule | Description | Author | Strings
Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack | Rule: MAL_Envrial_Jan18_1 | Description: Detects Encrial credential stealer malware | Author: Florian Roth | Strings:
  • 0x1b362:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1a54b:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x1a992:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1bb13:$a5: \Kometa\User Data\Default\Login Data
Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security
Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
No Sigma rule has matched

Snort IDS alert
Timestamp:09/23/22-08:12:18.468779
Source IP:192.168.2.5
Destination IP:132.226.8.169
Source Port:49699
Destination Port:80
SID:2842536
Protocol:TCP
Classtype:A Network Trojan was detected

AV Detection

Source: l9qmoY93Ed.exe | ReversingLabs: Detection: 57%
Source: l9qmoY93Ed.exe | Virustotal: Detection: 32%
Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 0.2.l9qmoY93Ed.exe.3a16530.8.raw.unpack | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "yugolog@gthltd.buzz", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua", "Port": "587"}
Source: l9qmoY93Ed.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: l9qmoY93Ed.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016B63D1h | 2_2_016B6111
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016B7507h | 2_2_016B7196
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016BFDE9h | 2_2_016BFB30
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016B7DC7h | 2_2_016B7B08
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016B8687h | 2_2_016B83C9
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016BF539h | 2_2_016BF280
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016B5F70h | 2_2_016B5587
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016B8227h | 2_2_016B7F68
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016BEC8Ah | 2_2_016BE758
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016BF0E1h | 2_2_016BEE28
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016B6B10h | 2_2_016B66F8
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016BF991h | 2_2_016BF6D8
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016B7967h | 2_2_016B76A8
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016B6B10h | 2_2_016B6A3E
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 2_2_016B4AA8
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 016B6B10h | 2_2_016B66E8
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06954D29h | 2_2_06954A80
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 0695E529h | 2_2_0695E280
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06958149h | 2_2_06957EA0
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06955181h | 2_2_06954ED8
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 0695E981h | 2_2_0695E6D8
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 069585A1h | 2_2_069582F8
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 0695E0A9h | 2_2_0695DE00
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 069548D1h | 2_2_06954628
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06957CF1h | 2_2_06957A48
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06955A31h | 2_2_06955788
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 0695F231h | 2_2_0695EF88
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06955E89h | 2_2_06955BE0
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 0695F689h | 2_2_0695F3E0
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 069555D9h | 2_2_06955330
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 0695EDD9h | 2_2_0695EB30
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 069589F9h | 2_2_06958750
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06956739h | 2_2_06956490
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06953771h | 2_2_069534C8
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06956B91h | 2_2_069568E8
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 069562E1h | 2_2_06956038
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 0695FAE1h | 2_2_0695F838
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06953319h | 2_2_06953070
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06957441h | 2_2_06957198
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06954479h | 2_2_069541D0
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06957899h | 2_2_069575F0
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06953BC9h | 2_2_06953920
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06956FE9h | 2_2_06956D40
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then jmp 06954021h | 2_2_06953D78
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 2_2_0695C336
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 2_2_0695C00F
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 2_2_0695C020

Networking

Source: Traffic | Snort IDS: 2842536 ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.2.5:49699 -> 132.226.8.169:80
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | DNS query: name: checkip.dyndns.org
Source: Yara match | File source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.39f4b10.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3a16530.8.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | ASN Name: UTMEMUS
Source: Joe Sandbox View | IP Address: 132.226.8.169
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: l9qmoY93Ed.exe, 00000002.00000002.561894079.00000000033A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: l9qmoY93Ed.exe, 00000002.00000002.561852057.0000000003396000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000002.00000002.561894079.00000000033A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: l9qmoY93Ed.exe, 00000002.00000002.561562050.0000000003301000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: l9qmoY93Ed.exe, 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: l9qmoY93Ed.exe, 00000002.00000002.561852057.0000000003396000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org4
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: l9qmoY93Ed.exe, 00000002.00000002.561562050.0000000003301000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: l9qmoY93Ed.exe, 00000000.00000003.314708775.0000000005708000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.agfamonotype.
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.295803605.0000000005719000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297622066.0000000005722000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: l9qmoY93Ed.exe, 00000000.00000003.300236379.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.314708775.0000000005708000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300093885.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300033996.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300279098.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300201259.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300479313.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301285913.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301100656.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300304945.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300516891.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301332824.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301221727.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301189630.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300666113.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300439789.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301161542.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300401470.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300167619.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301126907.0000000005723000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: l9qmoY93Ed.exe, 00000000.00000003.300970999.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301100656.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301126907.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301036004.0000000005723000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: l9qmoY93Ed.exe, 00000000.00000003.300970999.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301100656.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301036004.0000000005723000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmll
Source: l9qmoY93Ed.exe, 00000000.00000003.300458982.0000000005714000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300479313.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300547173.0000000005714000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300639622.0000000005714000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300498619.0000000005714000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: l9qmoY93Ed.exe, 00000000.00000003.300516891.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300666113.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300565272.0000000005722000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comF6
Source: l9qmoY93Ed.exe, 00000000.00000003.300236379.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300093885.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300279098.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300201259.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300304945.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300167619.0000000005723000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comQ
Source: l9qmoY93Ed.exe, 00000000.00000003.300516891.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300666113.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300889022.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300928525.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300565272.0000000005722000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comW.TTFZ
Source: l9qmoY93Ed.exe, 00000000.00000003.301285913.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301332824.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301221727.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301189630.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301161542.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301126907.0000000005723000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comalsd
Source: l9qmoY93Ed.exe, 00000000.00000003.300479313.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300516891.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300666113.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300565272.0000000005722000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comdu
Source: l9qmoY93Ed.exe, 00000000.00000003.300093885.0000000005723000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comessed
Source: l9qmoY93Ed.exe, 00000000.00000003.301531125.0000000005721000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301332824.0000000005723000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comitud
Source: l9qmoY93Ed.exe, 00000000.00000003.301648142.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301531125.0000000005721000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comituo
Source: l9qmoY93Ed.exe, 00000000.00000003.300479313.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300516891.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300666113.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300565272.0000000005722000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comld
Source: l9qmoY93Ed.exe, 00000000.00000003.301285913.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301100656.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301332824.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301221727.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301189630.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301161542.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301126907.0000000005723000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comsiv
Source: l9qmoY93Ed.exe, 00000000.00000003.314708775.0000000005708000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comttco
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.295119538.0000000005702000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: l9qmoY93Ed.exe, 00000000.00000003.295119538.0000000005702000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnn
Source: l9qmoY93Ed.exe, 00000000.00000003.295119538.0000000005702000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnr
Source: l9qmoY93Ed.exe, 00000000.00000003.301970940.0000000005723000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: l9qmoY93Ed.exe, 00000000.00000003.301970940.0000000005723000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/u
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.299297786.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.299409033.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.299635821.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.299527509.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296535042.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297785759.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.299179854.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298493164.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298293705.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297622066.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298815241.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296510690.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298986768.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.299739771.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296843045.0000000005722000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/(
Source: l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296843045.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296722937.0000000005720000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296874899.0000000005724000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/6
Source: l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297785759.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297622066.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298070835.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297869518.0000000005722000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/?
Source: l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296535042.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296510690.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296843045.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296722937.0000000005720000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296874899.0000000005724000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/X
                  Source: l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Z
                  Source: l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297785759.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297622066.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296843045.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298070835.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296722937.0000000005720000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296874899.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297869518.0000000005722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                  Source: l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Z
                  Source: l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297785759.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297622066.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296843045.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298070835.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296874899.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297869518.0000000005722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/u
                  Source: l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/liqu
                  Source: l9qmoY93Ed.exe, 00000000.00000003.296843045.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296722937.0000000005720000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296874899.0000000005724000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/sv-s?
                  Source: l9qmoY93Ed.exe, 00000000.00000003.296535042.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296510690.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296722937.0000000005720000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/u
                  Source: l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297785759.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297622066.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298070835.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297869518.0000000005722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/~
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.292934561.0000000005723000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: l9qmoY93Ed.exe, 00000000.00000003.297522887.0000000005713000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com-s
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: l9qmoY93Ed.exe, 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: unknown | DNS traffic detected: queries for: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: l9qmoY93Ed.exe, 00000000.00000002.315393634.0000000000B20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
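Of the network-related entries above, the ones a detection engineer acts on are the DNS lookup and GET / to checkip.dyndns.org with a hard-coded "MSIE 6.0; Windows NT 5.2" User-Agent, and the https://api.telegram.org/bot prefix found in both the parent's payload region and the child's image region. The www.jiyu-kobo.co.jp, sakkal.com, tiro.com, sandoll.co.kr, urwpp.de and zhongyicts.com.cn strings are the vendor URLs embedded in Windows system fonts and are not hosts the sample contacts. The following is an added example, not code from the Joe Sandbox report: it parses one captured request, tags the host and User-Agent combination the report shows, and scans a memory blob for a Telegram bot token that directly follows the API prefix. The request text mirrors the report's HTTP entry; the memory fragment and the token in it are constructed for this example, and the token regex encodes the general numeric-id:35-character shape of Telegram bot tokens rather than any value from this sample.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators as they appear in the report entries above.
IPCHECK_HOST = "checkip.dyndns.org"
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
TELEGRAM_API = "https://api.telegram.org/bot"

# General shape of a Telegram bot token (<numeric bot id>:<35-char secret>).
# The report only shows the URL prefix; no token value is taken from the sample.
TOKEN_RE = re.compile(r"(\d{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: Dict[str, str]

    @property
    def host(self) -> str:
        return self.headers.get("host", "")

    @property
    def user_agent(self) -> str:
        return self.headers.get("user-agent", "")


def parse_request(raw: str) -> HttpRequest:
    """Parse the request line and headers of one HTTP/1.1 request."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers)


def classify_request(req: HttpRequest) -> List[str]:
    """Tag a request with the behaviours the report attributes to the sample."""
    tags = []
    if req.method == "GET" and req.path == "/" and req.host == IPCHECK_HOST:
        tags.append("ipcheck:dyndns")          # "May check the online IP address of the machine"
        if req.user_agent == LEGACY_UA:
            tags.append("ua:legacy-msie6")     # hard-coded UA, not a browser that ships on this OS
    if req.host == "api.telegram.org" and req.path.startswith("/bot"):
        tags.append("exfil:telegram-bot-api")  # matches the "Telegram RAT" string in memory
    return tags


def find_telegram_tokens(blob: bytes) -> List[str]:
    """Return bot tokens that directly follow the API prefix in a memory dump."""
    text = blob.decode("latin-1")               # byte-preserving, never raises
    found = []
    for m in re.finditer(re.escape(TELEGRAM_API), text):
        t = TOKEN_RE.match(text, m.end())
        if t:
            found.append(t.group(0))
    return found


# Constructed test inputs. The request mirrors the report's HTTP entry; the
# memory fragment and its bot token are made up for this example.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)\r\n"
    "Host: checkip.dyndns.org\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
SAMPLE_MEMORY = (
    b"\x00\x00https://api.telegram.org/bot1234567890:AAHfakeTOKENfakeTOKENfakeTOKENfakeT"
    b"/sendMessage?chat_id=\x00\x00"
)

if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req.host, classify_request(req))
    print(find_telegram_tokens(SAMPLE_MEMORY))
```

The IP-check request on its own is weak evidence (legitimate software queries checkip.dyndns.org too); the combination with this exact User-Agent string, or with a Telegram bot API string in the same process, is what makes it worth an alert. A recovered token can be used to identify the operator's bot and to request that the bot be taken down.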

                  System Summary

Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.l9qmoY93Ed.exe.3a16530.8.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.l9qmoY93Ed.exe.3a16530.8.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.l9qmoY93Ed.exe.3a16530.8.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 0.2.l9qmoY93Ed.exe.3a16530.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.l9qmoY93Ed.exe.39f4b10.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.l9qmoY93Ed.exe.39f4b10.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 0.2.l9qmoY93Ed.exe.39f4b10.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.l9qmoY93Ed.exe.3a16530.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.l9qmoY93Ed.exe.3a16530.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 0.2.l9qmoY93Ed.exe.3a16530.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: Process Memory Space: l9qmoY93Ed.exe PID: 5956, type: MEMORYSTR | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: Process Memory Space: l9qmoY93Ed.exe PID: 5956, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: Process Memory Space: l9qmoY93Ed.exe PID: 4460, type: MEMORYSTR | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: Process Memory Space: l9qmoY93Ed.exe PID: 4460, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: l9qmoY93Ed.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.l9qmoY93Ed.exe.3a16530.8.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.l9qmoY93Ed.exe.3a16530.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.l9qmoY93Ed.exe.3a16530.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.l9qmoY93Ed.exe.3a16530.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.l9qmoY93Ed.exe.39f4b10.9.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.l9qmoY93Ed.exe.39f4b10.9.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.l9qmoY93Ed.exe.39f4b10.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.l9qmoY93Ed.exe.3a16530.8.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.l9qmoY93Ed.exe.3a16530.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.l9qmoY93Ed.exe.3a16530.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: l9qmoY93Ed.exe PID: 5956, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: l9qmoY93Ed.exe PID: 5956, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: l9qmoY93Ed.exe PID: 4460, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: l9qmoY93Ed.exe PID: 4460, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
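The Snake Keylogger rules above fire on two memory regions besides the process memory spaces: 00000000.00000002.328169397.00000000039F4000.… (process 0, the parent, at the final stage) and 00000002.00000000.312260843.0000000000402000.… (process 2, the child, stage 0, the same region the 2.0.l9qmoY93Ed.exe.400000.0.unpack artifacts come from), and the Telegram string in the network section sits in exactly those two regions. The dump names carry the region attributes: read with the fields after the base address as the MEMORY_BASIC_INFORMATION Protect and Type values, the parent's region is PAGE_READWRITE/MEM_PRIVATE (a decrypted payload in heap-range memory) and the child's is PAGE_EXECUTE_READWRITE/MEM_PRIVATE at 0x402000, which is what a PE written into a suspended process over its original image looks like, rather than a MEM_IMAGE mapping loaded from disk. The following is an added example, not part of the Joe Sandbox report; the positions of the Protect and Type fields in the dump name are an assumption about the sandbox's naming scheme that holds for every identifier on this page, the 0x400000..0x500000 image range is a parameter the reader should set from the sample's PE header, and the report excerpt is copied from the network entry above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows MEMORY_BASIC_INFORMATION constants (documented values).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
WRITE_EXEC = {0x40, 0x80}

# Assumed layout of a dump identifier, e.g.
#   00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp
#   <process index>.<stage>.<dump id>.<region base>.<Protect>.<unknown>.<Type>.<unknown>.sdmp
# Treating field 5 as Protect and field 7 as Type is an assumption about the
# naming scheme; it is consistent with every identifier in this report.
DUMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp"
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    process_index: int
    stage: int
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        # mask off PAGE_GUARD / PAGE_NOCACHE / PAGE_WRITECOMBINE modifier bits
        return PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect))

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, hex(self.mem_type))


def parse_dump_name(name: str) -> Optional[DumpRegion]:
    """Decode one .sdmp identifier; None if it does not follow the assumed layout."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        return None
    return DumpRegion(name, int(m["proc"], 16), int(m["stage"], 16), int(m["base"], 16),
                      int(m["protect"], 16), int(m["mtype"], 16))


def is_hollowing_candidate(r: DumpRegion, image_lo: int = 0x400000, image_hi: int = 0x500000) -> bool:
    """Writable+executable memory that is private (not MEM_IMAGE) inside the range
    where the executable should be mapped: the footprint of a PE written into a
    suspended process instead of loaded by the image loader."""
    return ((r.protect & 0xFF) in WRITE_EXEC
            and r.mem_type != 0x1000000
            and image_lo <= r.base < image_hi)


def hollowing_candidates(report_text: str) -> List[DumpRegion]:
    """Scan report text for dump identifiers and keep the ones that look hollowed."""
    seen = {}
    for m in DUMP_RE.finditer(report_text):
        r = parse_dump_name(m.group(0))
        if r and r.name not in seen and is_hollowing_candidate(r):
            seen[r.name] = r
    return list(seen.values())


# Excerpt copied from the report's Telegram entry: payload region in the parent
# (process 0, final stage) and the child's image-range region at stage 0.
REPORT_EXCERPT = (
    "Source: l9qmoY93Ed.exe, 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, "
    "l9qmoY93Ed.exe, 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp "
    "String found in binary or memory: https://api.telegram.org/bot"
)

if __name__ == "__main__":
    for r in hollowing_candidates(REPORT_EXCERPT):
        print(f"process {r.process_index} stage {r.stage} base {r.base:#x}: "
              f"{r.protect_name} {r.type_name}")
```

On a live host the same check is VirtualQueryEx over the child's address space right after CreateProcess with CREATE_SUSPENDED: a MEM_PRIVATE region with PAGE_EXECUTE_READWRITE where the main module's MEM_IMAGE sections should be is the condition to alert on, and the region can be dumped and scanned with the same Snake Keylogger rules the report used.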
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 0_2_00D4C174
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 0_2_00D4E778
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 0_2_00D4E76B
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_016B6111
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_016B7196
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_016BFB30
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_016B7B08
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_016B83C9
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_016B6B88
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_016BF280
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_016B5587
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_016BA45A
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_016B2C29
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_016B7F68
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_016BE758
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_016BEE28
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_016BF6D8
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_016B76A8
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_016B6B78
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_016B4AA8
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_016B4A98
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_016BDFE0
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_016BDFD0
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06954A80
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_0695E280
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06957EA0
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06954ED8
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_0695E6D8
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_069582F8
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_0695DE00
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06954628
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06957A48
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_0695C398
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06955788
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_0695EF88
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06958BA8
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06955BE0
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_0695F3E0
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06955330
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_0695EB30
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06958750
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_0695B770
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06956490
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_0695D098
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_069534C8
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_069568E8
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06956038
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_0695F838
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06950040
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06953070
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06957198
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_069541D0
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_069575F0
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06953920
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06956D40
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06953D78
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06957E90
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_0695B6C9
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06954EC8
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_0695E6C8
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_069582E8
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06954619
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06957A3A
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_0695E271
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06954A70
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_0695F3D0
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06955BDA
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06955321
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_0695EB20
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06958741
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_0695EF79
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06955778
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06956482
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_069534B8
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_069568D8
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_0695C00F
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_0695C020
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06950028
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_0695F828
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_0695602A
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06953062
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06957188
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_069541C0
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_0695DDF0
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_069575E0
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06953910
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06956D36
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_06953D68
                  Source: l9qmoY93Ed.exe, 00000000.00000002.317339858.00000000028CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe, 00000000.00000002.315393634.0000000000B20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe, 00000000.00000002.316575659.0000000002811000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe, 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe, 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMetal.dllJ vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe, 00000000.00000002.332212556.0000000007060000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMetal.dllJ vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe, 00000000.00000000.289991126.0000000000530000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegUab.exeF vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe, 00000000.00000002.317300560.00000000028C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe, 00000000.00000002.316885128.000000000285F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe, 00000000.00000002.325864527.0000000003811000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMetal.dllJ vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe, 00000002.00000002.560575264.00000000016D9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe, 00000002.00000000.312581315.0000000000422000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe, 00000002.00000002.560030934.00000000011F7000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe | Binary or memory string: OriginalFilenamegUab.exeF vs l9qmoY93Ed.exe
                  Source: l9qmoY93Ed.exe | ReversingLabs: Detection: 57%
                  Source: l9qmoY93Ed.exe | Virustotal: Detection: 32%
                  Source: l9qmoY93Ed.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknown | Process created: C:\Users\user\Desktop\l9qmoY93Ed.exe "C:\Users\user\Desktop\l9qmoY93Ed.exe"
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Process created: C:\Users\user\Desktop\l9qmoY93Ed.exe C:\Users\user\Desktop\l9qmoY93Ed.exe
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\l9qmoY93Ed.exe.log
                  Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/1@2/1
                  Source: l9qmoY93Ed.exe, 00000002.00000002.562272546.000000000437D000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000002.00000002.561952303.00000000033BE000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000002.00000002.562011210.00000000033CA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: l9qmoY93Ed.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, ??ufffd??/z?u0026??.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                  Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, u00ab???ufffd/u058fufffd???.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: l9qmoY93Ed.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: l9qmoY93Ed.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: l9qmoY93Ed.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                  Data Obfuscation

                  Source: l9qmoY93Ed.exe, order_management_system.cs | .Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 0.0.l9qmoY93Ed.exe.470000.0.unpack, order_management_system.cs | .Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_016B8F09 push FFFFFF8Bh; iretd 2_2_016B8F0D
                  Source: l9qmoY93Ed.exe | Static PE information: 0x8F2DF49B [Tue Feb 13 16:53:47 2046 UTC]
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match | File source: 00000000.00000002.316885128.000000000285F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: l9qmoY93Ed.exe PID: 5956, type: MEMORYSTR
                  Source: l9qmoY93Ed.exe, 00000000.00000002.316885128.000000000285F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                  Source: l9qmoY93Ed.exe, 00000000.00000002.316885128.000000000285F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe TID: 5952 | Thread sleep time: -41226s >= -30000s
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe TID: 5056 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Thread delayed: delay time: 41226
                  Source: l9qmoY93Ed.exe, 00000000.00000002.316885128.000000000285F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: l9qmoY93Ed.exe, 00000000.00000002.316885128.000000000285F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                  Source: l9qmoY93Ed.exe, 00000000.00000002.316885128.000000000285F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VIRTUALBOXDSOFTWARE\VMware, Inc.\VMware ToolsTSOFTWARE\Oracle\VirtualBox Guest Additions
                  Source: l9qmoY93Ed.exe, 00000000.00000002.316885128.000000000285F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE6HARDWARE\Description\System"SystemBiosVersionNSYSTEM\ControlSet001\Services\Disk\Enum
                  Source: l9qmoY93Ed.exe, 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000002.332212556.0000000007060000.00000004.08000000.00040000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000002.325864527.0000000003811000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: XKDFefinoUNVIucqeMu
                  Source: l9qmoY93Ed.exe, 00000000.00000002.316885128.000000000285F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                  Source: l9qmoY93Ed.exe, 00000002.00000002.560704618.0000000001705000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Code function: 2_2_016B6B88 LdrInitializeThunk,2_2_016B6B88
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, u00ab???ufffd/u058fufffd???.cs | Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
                  Source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, ?????/????ufffd.cs | Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?W???', 'GetProcAddress@kernel32')
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Memory written: C:\Users\user\Desktop\l9qmoY93Ed.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Process created: C:\Users\user\Desktop\l9qmoY93Ed.exe C:\Users\user\Desktop\l9qmoY93Ed.exe
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Users\user\Desktop\l9qmoY93Ed.exe VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\l9qmoY93Ed.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Users\user\Desktop\l9qmoY93Ed.exe VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

Source: Yara match | File source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3a16530.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.39f4b10.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3a16530.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: l9qmoY93Ed.exe PID: 5956, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: l9qmoY93Ed.exe PID: 4460, type: MEMORYSTR
Source: Yara match | File source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3a16530.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.39f4b10.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3a16530.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: l9qmoY93Ed.exe PID: 5956, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: l9qmoY93Ed.exe PID: 4460, type: MEMORYSTR
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\l9qmoY93Ed.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3a16530.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.39f4b10.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3a16530.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: l9qmoY93Ed.exe PID: 5956, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: l9qmoY93Ed.exe PID: 4460, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match | File source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3a16530.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.39f4b10.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3a16530.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: l9qmoY93Ed.exe PID: 5956, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: l9qmoY93Ed.exe PID: 4460, type: MEMORYSTR
Source: Yara match | File source: 2.0.l9qmoY93Ed.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3a16530.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3ab04c0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.39f4b10.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.l9qmoY93Ed.exe.3a16530.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: l9qmoY93Ed.exe PID: 5956, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: l9qmoY93Ed.exe PID: 4460, type: MEMORYSTR
                  Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                  Valid Accounts1
                  Native API
                  Path Interception111
                  Process Injection
                  1
                  Masquerading
                  2
                  OS Credential Dumping
                  11
                  Security Software Discovery
                  Remote Services1
                  Email Collection
                  Exfiltration Over Other Network Medium1
                  Encrypted Channel
                  Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                  Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
                  Disable or Modify Tools
                  1
                  Input Capture
                  1
                  Process Discovery
                  Remote Desktop Protocol1
                  Input Capture
                  Exfiltration Over Bluetooth1
                  Ingress Tool Transfer
                  Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                  Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)21
                  Virtualization/Sandbox Evasion
                  Security Account Manager21
                  Virtualization/Sandbox Evasion
                  SMB/Windows Admin Shares11
                  Archive Collected Data
                  Automated Exfiltration2
                  Non-Application Layer Protocol
                  Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                  Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)111
                  Process Injection
                  NTDS1
                  Remote System Discovery
                  Distributed Component Object Model2
                  Data from Local System
                  Scheduled Transfer12
                  Application Layer Protocol
                  SIM Card SwapCarrier Billing Fraud
                  Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                  Deobfuscate/Decode Files or Information
                  LSA Secrets1
                  System Network Configuration Discovery
                  SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                  Replication Through Removable MediaLaunchdRc.commonRc.common2
                  Obfuscated Files or Information
                  Cached Domain Credentials13
                  System Information Discovery
                  VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                  External Remote ServicesScheduled TaskStartup ItemsStartup Items11
                  Software Packing
                  DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                  Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
                  Timestomp
                  Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
Source | Detection | Scanner | Label
l9qmoY93Ed.exe | 58% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
l9qmoY93Ed.exe | 32% | Virustotal |
No Antivirus matches
Source | Detection | Scanner | Label
2.0.l9qmoY93Ed.exe.400000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
Source | Detection | Scanner | Label
checkip.dyndns.com | 0% | Virustotal |
checkip.dyndns.org | 0% | Virustotal |
Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.fontbureau.comsiv | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fontbureau.comessed | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/~ | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://checkip.dyndns.org4 | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cnn | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://checkip.dyndns.org/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/6 | 0% | URL Reputation | safe
http://checkip.dyndns.org/q | 0% | URL Reputation | safe
http://www.founder.com.cn/cnr | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/( | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://checkip.dyndns.com | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/Z | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/sv-s? | 0% | Avira URL Cloud | safe
http://www.fontbureau.comalsd | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Z | 0% | URL Reputation | safe
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/X | 0% | URL Reputation | safe
http://www.agfamonotype. | 0% | URL Reputation | safe
http://www.fontbureau.comQ | 0% | URL Reputation | safe
http://checkip.dyndns.org | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/u | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/? | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/u | 0% | URL Reputation | safe
http://www.fontbureau.comld | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.fontbureau.comitud | 0% | URL Reputation | safe
http://www.fontbureau.comW.TTFZ | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/u | 0% | Avira URL Cloud | safe
http://www.fontbureau.comdu | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/liqu | 0% | Avira URL Cloud | safe
http://www.fontbureau.comF6 | 0% | Avira URL Cloud | safe
http://www.fontbureau.comituo | 0% | Avira URL Cloud | safe
http://www.sakkal.com-s | 0% | Avira URL Cloud | safe
http://www.fontbureau.comttco | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
checkip.dyndns.com | 132.226.8.169 | true | true | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | true | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot | l9qmoY93Ed.exe, 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.comsiv | l9qmoY93Ed.exe, 00000000.00000003.301285913.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301100656.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301332824.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301221727.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301189630.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301161542.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301126907.0000000005723000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.comessed | l9qmoY93Ed.exe, 00000000.00000003.300093885.0000000005723000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/~ | l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297785759.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297622066.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298070835.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297869518.0000000005722000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.292934561.0000000005723000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org4 | l9qmoY93Ed.exe, 00000002.00000002.561852057.0000000003396000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnn | l9qmoY93Ed.exe, 00000000.00000003.295119538.0000000005702000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comF6 | l9qmoY93Ed.exe, 00000000.00000003.300516891.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300666113.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300565272.0000000005722000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/6 | l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296843045.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296722937.0000000005720000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296874899.0000000005724000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/sv-s? | l9qmoY93Ed.exe, 00000000.00000003.296843045.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296722937.0000000005720000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296874899.0000000005724000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/u | l9qmoY93Ed.exe, 00000000.00000003.301970940.0000000005723000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe
                            unknown
                            http://checkip.dyndns.org/ql9qmoY93Ed.exe, 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.founder.com.cn/cnrl9qmoY93Ed.exe, 00000000.00000003.295119538.0000000005702000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.jiyu-kobo.co.jp/liqul9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.galapagosdesign.com/DPleasel9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.ascendercorp.com/typedesigners.htmll9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297622066.0000000005722000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.jiyu-kobo.co.jp/(l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.fonts.coml9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              http://www.sandoll.co.krl9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://checkip.dyndns.coml9qmoY93Ed.exe, 00000002.00000002.561894079.00000000033A3000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.urwpp.deDPleasel9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.zhongyicts.com.cnl9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namel9qmoY93Ed.exe, 00000002.00000002.561562050.0000000003301000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://www.sakkal.coml9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.jiyu-kobo.co.jp/jp/Zl9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.comalsdl9qmoY93Ed.exe, 00000000.00000003.301285913.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301332824.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301221727.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301189630.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301161542.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301126907.0000000005723000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.comdul9qmoY93Ed.exe, 00000000.00000003.300479313.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300516891.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300666113.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300565272.0000000005722000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.jiyu-kobo.co.jp/Zl9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.apache.org/licenses/LICENSE-2.0l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.295803605.0000000005719000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://www.fontbureau.coml9qmoY93Ed.exe, 00000000.00000003.300236379.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.314708775.0000000005708000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300093885.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300033996.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300279098.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300201259.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300479313.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301285913.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301100656.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300304945.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300516891.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301332824.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301221727.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301189630.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300666113.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300439789.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301161542.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300401470.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 
00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300167619.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301126907.0000000005723000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://www.galapagosdesign.com/l9qmoY93Ed.exe, 00000000.00000003.301970940.0000000005723000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.com/designers/cabarga.htmlll9qmoY93Ed.exe, 00000000.00000003.300970999.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301100656.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301036004.0000000005723000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://www.jiyu-kobo.co.jp/Xl9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296535042.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296510690.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296843045.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296722937.0000000005720000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296874899.0000000005724000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.agfamonotype.l9qmoY93Ed.exe, 00000000.00000003.314708775.0000000005708000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.comQl9qmoY93Ed.exe, 00000000.00000003.300236379.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300093885.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300279098.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300201259.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300304945.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300167619.0000000005723000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.comituol9qmoY93Ed.exe, 00000000.00000003.301648142.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301531125.0000000005721000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://checkip.dyndns.orgl9qmoY93Ed.exe, 00000002.00000002.561852057.0000000003396000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000002.00000002.561894079.00000000033A3000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp/jp/ul9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297785759.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297622066.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296843045.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298070835.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296874899.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297869518.0000000005722000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp/jp/l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297785759.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297622066.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296843045.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298070835.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296722937.0000000005720000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296874899.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297869518.0000000005722000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.comW.TTFZl9qmoY93Ed.exe, 00000000.00000003.300516891.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300666113.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300889022.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300928525.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300565272.0000000005722000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp/?l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297785759.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297622066.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297235573.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298070835.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297142586.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297403640.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297869518.0000000005722000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.carterandcone.comll9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.com/designers/cabarga.htmlNl9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://www.sakkal.com-sl9qmoY93Ed.exe, 00000000.00000003.297522887.0000000005713000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.founder.com.cn/cnl9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.295119538.0000000005702000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.com/designers/frere-jones.htmll9qmoY93Ed.exe, 00000000.00000003.300458982.0000000005714000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300479313.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300547173.0000000005714000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300639622.0000000005714000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300498619.0000000005714000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://www.jiyu-kobo.co.jp/ul9qmoY93Ed.exe, 00000000.00000003.296535042.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296510690.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296722937.0000000005720000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.com/designers/cabarga.htmll9qmoY93Ed.exe, 00000000.00000003.300970999.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301100656.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301126907.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301036004.0000000005723000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://www.fontbureau.comldl9qmoY93Ed.exe, 00000000.00000003.300479313.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300516891.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300666113.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.300565272.0000000005722000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.jiyu-kobo.co.jp/l9qmoY93Ed.exe, 00000000.00000003.297560036.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.299297786.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.299409033.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.299635821.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.299527509.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296535042.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297785759.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.299179854.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297376094.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298493164.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298293705.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297127049.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296983801.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297622066.0000000005722000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.297331514.0000000005718000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298815241.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296510690.0000000005724000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.298986768.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 
00000000.00000003.299739771.0000000005723000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.296843045.0000000005722000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.com/designers8l9qmoY93Ed.exe, 00000000.00000002.330594445.0000000006992000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://www.fontbureau.comttcol9qmoY93Ed.exe, 00000000.00000003.314708775.0000000005708000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.fontbureau.comitudl9qmoY93Ed.exe, 00000000.00000003.301531125.0000000005721000.00000004.00000800.00020000.00000000.sdmp, l9qmoY93Ed.exe, 00000000.00000003.301332824.0000000005723000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              • No. of IPs < 25%
                                              • 25% < No. of IPs < 50%
                                              • 50% < No. of IPs < 75%
                                              • 75% < No. of IPs
IP             Domain              Country        ASN    ASN Name  Malicious
132.226.8.169  checkip.dyndns.com  United States  16989  UTMEMUS   true
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 708248
Start date and time: 2022-09-23 08:11:09 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 55s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: l9qmoY93Ed.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/1@2/1
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 101
• Number of non-executed functions: 7
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes were analyzed; report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time      Type             Description
08:12:08  API Interceptor  1x Sleep call for process: l9qmoY93Ed.exe modified
                                               Match: 132.226.8.169
                                               Associated Sample Name / URL | Detection | Context
                                               21092022_receipt.exe | malicious | checkip.dyndns.org/
                                               New Order.exe | malicious | checkip.dyndns.org/
                                               KREDI.exe | malicious | checkip.dyndns.org/
                                               TI1021730205.exe | malicious | checkip.dyndns.org/
                                               vk2dtGkvDY.exe | malicious | checkip.dyndns.org/
                                               scan_invoice_21092022.exe | malicious | checkip.dyndns.org/
                                               Swift.exe | malicious | checkip.dyndns.org/
                                               343795a.exe | malicious | checkip.dyndns.org/
                                               RFQ 6674 -21.9.2022.exe | malicious | checkip.dyndns.org/
                                               invoice.exe | malicious | checkip.dyndns.org/
                                               12220173387_20220825_13363111_Hesap0zeti.exe | malicious | checkip.dyndns.org/
                                               INQ-2022-09-21-AQI3N847211-INQ0290.exe | malicious | checkip.dyndns.org/
                                               pernyataan saat ini.exe | malicious | checkip.dyndns.org/
                                               payment Term.exe | malicious | checkip.dyndns.org/
                                               BC_613438_684665794.exe | malicious | checkip.dyndns.org/
                                               INGRID.exe | malicious | checkip.dyndns.org/
                                               DNcAYFiYDp.exe | malicious | checkip.dyndns.org/
                                               DHL airwaybill.exe | malicious | checkip.dyndns.org/
                                               22-391-002458.js | malicious | checkip.dyndns.org/
                                               MV GNV CRISTAL.xll | malicious | checkip.dyndns.org/
                                               Match: checkip.dyndns.com
                                               Associated Sample Name / URL | Detection | Context
                                               22588SANZI.exe | malicious | 193.122.130.0
                                               Arrival_Percel No00929887355..exe | malicious | 193.122.6.168
                                               IMG-1300466.exe | malicious | 132.226.247.73
                                               Specifications_Details_RFQ.exe | malicious | 132.226.247.73
                                               INV012000.exe | malicious | 132.226.247.73
                                               Wtughrrlt.exe | malicious | 132.226.247.73
                                               rWLEI3BVkx.exe | malicious | 193.122.130.0
                                               qwOpaDGcHJ.exe | malicious | 193.122.6.168
                                               4b9SFahCuA.exe | malicious | 193.122.6.168
                                               specification.doc | malicious | 193.122.6.168
                                               Order#6875480.xlsx | malicious | 158.101.44.242
                                               49HDD3uFb8.exe | malicious | 158.101.44.242
                                               RFQ pdf.exe | malicious | 193.122.130.0
                                               BBVA-Confirming Liquidación por Factorización de Créditos.vbs | malicious | 132.226.247.73
                                               Specifications_Details_30200_RFQ.exe | malicious | 158.101.44.242
                                               21092022_receipt.exe | malicious | 132.226.8.169
                                               New Order.exe | malicious | 132.226.8.169
                                               KREDI.exe | malicious | 132.226.8.169
                                               4nz1Kr0NLW.exe | malicious | 132.226.247.73
                                               JD22 SEPT0 7 Shipping documents.exe | malicious | 132.226.247.73
                                               Match: UTMEMUS
                                               Associated Sample Name / URL | Detection | Context
                                               IMG-1300466.exe | malicious | 132.226.247.73
                                               Specifications_Details_RFQ.exe | malicious | 132.226.247.73
                                               INV012000.exe | malicious | 132.226.247.73
                                               Wtughrrlt.exe | malicious | 132.226.247.73
                                               BBVA-Confirming Liquidación por Factorización de Créditos.vbs | malicious | 132.226.247.73
                                               21092022_receipt.exe | malicious | 132.226.8.169
                                               New Order.exe | malicious | 132.226.8.169
                                               KREDI.exe | malicious | 132.226.8.169
                                               4nz1Kr0NLW.exe | malicious | 132.226.247.73
                                               JD22 SEPT0 7 Shipping documents.exe | malicious | 132.226.247.73
                                               TI1021730205.exe | malicious | 132.226.8.169
                                               vk2dtGkvDY.exe | malicious | 132.226.8.169
                                               scan_invoice_21092022.exe | malicious | 132.226.8.169
                                               Swift.exe | malicious | 132.226.8.169
                                               343795a.exe | malicious | 132.226.8.169
                                               MV GNV CRISTAL_992002992020-NEW-22-10-2022_PDF.exe | malicious | 132.226.247.73
                                               IMG_20220921_0004.xlsx | malicious | 132.226.247.73
                                               0x000600000001da06-134.dat.exe | malicious | 132.226.247.73
                                               Factura.vbs | malicious | 132.226.247.73
                                               RFQ 6674 -21.9.2022.exe | malicious | 132.226.8.169
                                              No context
                                              No context
                                              Process:C:\Users\user\Desktop\l9qmoY93Ed.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1308
                                              Entropy (8bit):5.345811588615766
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                              MD5:2E016B886BDB8389D2DD0867BE55F87B
                                              SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                              SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                              SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                              Malicious:true
                                              Reputation:high, very likely benign file
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):6.754111708993234
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Windows Screen Saver (13104/52) 0.07%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              File name:l9qmoY93Ed.exe
                                              File size:793088
                                              MD5:fb561127230e7104e2df440f2712581e
                                              SHA1:62741306fbb863c7def4a3cc21175a3badf59f14
                                              SHA256:48929d6ac22fe9d2edee0e1ea483b143786d3b0965be5c771eb6a2d90018df21
                                              SHA512:69762dd766e01737a7adf88e415f6e912aa8ba6de3c8cb8592dc19430669074fa8b1c941747874d707990632ecd21de51da7a507695d0d407c4c03532403fbf3
                                              SSDEEP:12288:Hn+v8EgdeU9UgB8pAamPJ4+Y34kj3xAZ0XxfbVDfhxg:pEgYCU9pAama+0dO2VDfs
                                              TLSH:3DF4CF22D7AA4F4BD01162B89491C5B457AEEF05E02EC2476FEA7C9FF0767918221F13
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....-...............0......J......>.... ........@.. ....................................@................................
                                              Icon Hash:ce9c9496e4949c9e
                                              Entrypoint:0x4bec3e
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x8F2DF49B [Tue Feb 13 16:53:47 2046 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                              Instruction
                                              jmp dword ptr [00402000h]
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                               Name | Virtual Address | Virtual Size | Is in Section
                                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbebec | 0x4f | .text
                                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc0000 | 0x4658 | .rsrc
                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc6000 | 0xc | .reloc
                                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0xbebd0 | 0x1c | .text
                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                               Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                               .text | 0x2000 | 0xbcc44 | 0xbce00 | False | 0.6627957478491066 | data | 6.7643112515498895 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                               .rsrc | 0xc0000 | 0x4658 | 0x4800 | False | 0.5441080729166666 | data | 6.17580418567749 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .reloc | 0xc6000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                               Name | RVA | Size | Type | Language | Country
                                               RT_ICON | 0xc00e8 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
                                               RT_GROUP_ICON | 0xc4310 | 0x14 | data | |
                                               RT_VERSION | 0xc4324 | 0x334 | data | |
                                               DLL | Import
                                               mscoree.dll | _CorExeMain
                                               Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                               09/23/22-08:12:18.468779 | TCP | 2842536 | ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check | 49699 | 80 | 192.168.2.5 | 132.226.8.169
                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Sep 23, 2022 08:12:17.439915895 CEST | 49699 | 80 | 192.168.2.5 | 132.226.8.169
                                               Sep 23, 2022 08:12:17.741672993 CEST | 80 | 49699 | 132.226.8.169 | 192.168.2.5
                                               Sep 23, 2022 08:12:17.741903067 CEST | 49699 | 80 | 192.168.2.5 | 132.226.8.169
                                               Sep 23, 2022 08:12:18.468779087 CEST | 49699 | 80 | 192.168.2.5 | 132.226.8.169
                                               Sep 23, 2022 08:12:18.766530991 CEST | 80 | 49699 | 132.226.8.169 | 192.168.2.5
                                               Sep 23, 2022 08:12:18.767304897 CEST | 80 | 49699 | 132.226.8.169 | 192.168.2.5
                                               Sep 23, 2022 08:12:18.829407930 CEST | 49699 | 80 | 192.168.2.5 | 132.226.8.169
                                               Sep 23, 2022 08:13:23.764321089 CEST | 80 | 49699 | 132.226.8.169 | 192.168.2.5
                                               Sep 23, 2022 08:13:23.764427900 CEST | 49699 | 80 | 192.168.2.5 | 132.226.8.169
                                               Sep 23, 2022 08:13:58.761035919 CEST | 49699 | 80 | 192.168.2.5 | 132.226.8.169
                                               Sep 23, 2022 08:13:59.056631088 CEST | 80 | 49699 | 132.226.8.169 | 192.168.2.5
                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Sep 23, 2022 08:12:17.231950045 CEST | 56894 | 53 | 192.168.2.5 | 8.8.8.8
                                               Sep 23, 2022 08:12:17.252614021 CEST | 53 | 56894 | 8.8.8.8 | 192.168.2.5
                                               Sep 23, 2022 08:12:17.333827972 CEST | 50295 | 53 | 192.168.2.5 | 8.8.8.8
                                               Sep 23, 2022 08:12:17.357783079 CEST | 53 | 50295 | 8.8.8.8 | 192.168.2.5
                                               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                               Sep 23, 2022 08:12:17.231950045 CEST | 192.168.2.5 | 8.8.8.8 | 0xebd1 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
                                               Sep 23, 2022 08:12:17.333827972 CEST | 192.168.2.5 | 8.8.8.8 | 0x440 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
                                               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                               Sep 23, 2022 08:12:17.252614021 CEST | 8.8.8.8 | 192.168.2.5 | 0xebd1 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
                                               Sep 23, 2022 08:12:17.252614021 CEST | 8.8.8.8 | 192.168.2.5 | 0xebd1 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
                                               Sep 23, 2022 08:12:17.252614021 CEST | 8.8.8.8 | 192.168.2.5 | 0xebd1 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
                                               Sep 23, 2022 08:12:17.252614021 CEST | 8.8.8.8 | 192.168.2.5 | 0xebd1 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
                                               Sep 23, 2022 08:12:17.252614021 CEST | 8.8.8.8 | 192.168.2.5 | 0xebd1 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
                                               Sep 23, 2022 08:12:17.252614021 CEST | 8.8.8.8 | 192.168.2.5 | 0xebd1 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
                                               Sep 23, 2022 08:12:17.357783079 CEST | 8.8.8.8 | 192.168.2.5 | 0x440 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
                                               Sep 23, 2022 08:12:17.357783079 CEST | 8.8.8.8 | 192.168.2.5 | 0x440 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
                                               Sep 23, 2022 08:12:17.357783079 CEST | 8.8.8.8 | 192.168.2.5 | 0x440 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
                                               Sep 23, 2022 08:12:17.357783079 CEST | 8.8.8.8 | 192.168.2.5 | 0x440 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
                                               Sep 23, 2022 08:12:17.357783079 CEST | 8.8.8.8 | 192.168.2.5 | 0x440 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
                                               Sep 23, 2022 08:12:17.357783079 CEST | 8.8.8.8 | 192.168.2.5 | 0x440 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
                                              • checkip.dyndns.org
                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                               0 | 192.168.2.5 | 49699 | 132.226.8.169 | 80 | C:\Users\user\Desktop\l9qmoY93Ed.exe
                                               Timestamp | kBytes transferred | Direction | Data
                                               Sep 23, 2022 08:12:18.468779087 CEST | 102 | OUT | GET / HTTP/1.1
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                              Host: checkip.dyndns.org
                                              Connection: Keep-Alive
                                               Sep 23, 2022 08:12:18.767304897 CEST | 102 | IN | HTTP/1.1 200 OK
                                              Date: Fri, 23 Sep 2022 06:12:18 GMT
                                              Content-Type: text/html
                                              Content-Length: 103
                                              Connection: keep-alive
                                              Cache-Control: no-cache
                                              Pragma: no-cache
                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 34 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.43</body></html>


                                              Target ID:0
                                              Start time:08:12:00
                                              Start date:23/09/2022
                                              Path:C:\Users\user\Desktop\l9qmoY93Ed.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\l9qmoY93Ed.exe"
                                              Imagebase:0x470000
                                              File size:793088 bytes
                                              MD5 hash:FB561127230E7104E2DF440F2712581E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.316885128.000000000285F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.328169397.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              Reputation:low

                                              Target ID:1
                                              Start time:08:12:09
                                              Start date:23/09/2022
                                              Path:C:\Users\user\Desktop\l9qmoY93Ed.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Users\user\Desktop\l9qmoY93Ed.exe
                                              Imagebase:0x100000
                                              File size:793088 bytes
                                              MD5 hash:FB561127230E7104E2DF440F2712581E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low

                                              Target ID:2
                                              Start time:08:12:10
                                              Start date:23/09/2022
                                              Path:C:\Users\user\Desktop\l9qmoY93Ed.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\Desktop\l9qmoY93Ed.exe
                                              Imagebase:0xfa0000
                                              File size:793088 bytes
                                              MD5 hash:FB561127230E7104E2DF440F2712581E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000000.312260843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                              Reputation:low


                                                Execution Graph

                                                Execution Coverage:9.9%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:96
                                                Total number of Limit Nodes:6

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 00D4B8F0
                                                • GetCurrentThread.KERNEL32 ref: 00D4B92D
                                                • GetCurrentProcess.KERNEL32 ref: 00D4B96A
                                                • GetCurrentThreadId.KERNEL32 ref: 00D4B9C3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.315849493.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_d40000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: 1eb8623cf01404d34647275dabfe27a86a0052a1a047ce05d447dc6cbb5f3a14
                                                • Instruction ID: a14b7f2d97782e612a3c3614b09f12a4b62a04ce705b773315fa563cc8c66425
                                                • Opcode Fuzzy Hash: 1eb8623cf01404d34647275dabfe27a86a0052a1a047ce05d447dc6cbb5f3a14
                                                • Instruction Fuzzy Hash: B75177B49016488FDB10CFAAC548BEEBBF0EF48314F24845AE059A7351C7749989CF62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 00D4B8F0
                                                • GetCurrentThread.KERNEL32 ref: 00D4B92D
                                                • GetCurrentProcess.KERNEL32 ref: 00D4B96A
                                                • GetCurrentThreadId.KERNEL32 ref: 00D4B9C3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.315849493.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_d40000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: 7ee0e0bbd764cbd1613c16b1e4b983e7170821876a85a3d8859fc5c854529ac9
                                                • Instruction ID: 95245a47d498234323c61056b4f4eab3efe70aba1db78900bbb47cbaa559ec42
                                                • Opcode Fuzzy Hash: 7ee0e0bbd764cbd1613c16b1e4b983e7170821876a85a3d8859fc5c854529ac9
                                                • Instruction Fuzzy Hash: EE5167B4D016488FDB10CFAAC648BDEBBF0EF48314F24845AE459A7750C774A988CF66
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00D497EE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.315849493.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_d40000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 03359ca30e547f419c06468d35f21421c9390acf0cb128e5eb999aab8a7032af
                                                • Instruction ID: 43765068ff809d2e8814ab861711e541c5ff3bf9c230ecd74b73ad745b0a6bec
                                                • Opcode Fuzzy Hash: 03359ca30e547f419c06468d35f21421c9390acf0cb128e5eb999aab8a7032af
                                                • Instruction Fuzzy Hash: 50710370A00B058FDB24DF2AD55169BB7F1FF88314F048A29D48AD7A40DB75E8498FA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.315849493.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_d40000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c204f9dd992918222f8277b25f1c0541405e2af1c251a425fdcdc4fa82ef9e02
                                                • Instruction ID: add2c74216e64be7b4d3dcb9a6394a4e2d5c0b951fe05725a47db586045c0dd2
                                                • Opcode Fuzzy Hash: c204f9dd992918222f8277b25f1c0541405e2af1c251a425fdcdc4fa82ef9e02
                                                • Instruction Fuzzy Hash: 4E4115B1C00618CFDB20CFA9D8447DEBBB5BF48304F248069D408AB355DB75698ACFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 00D45421
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.315849493.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_d40000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: df4256deeb174836cceb32f02c7f8f85299b202cce9f8e51d08d7407390b9742
                                                • Instruction ID: f30d63a6acee6a2d5119706afeb85a3cbe508d299c8ff00169b38f7e64b0b1ff
                                                • Opcode Fuzzy Hash: df4256deeb174836cceb32f02c7f8f85299b202cce9f8e51d08d7407390b9742
                                                • Instruction Fuzzy Hash: DF41E3B1C00619CFDB24CFA9D8447DEBBB5BF48308F248069D419AB255DB756989CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D4BB3F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.315849493.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_d40000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: b3b5956fe3e137725c781ddd8fab29f904a016988357aade7a2b8016b871be78
                                                • Instruction ID: 9e37a913c59e97fbe1ada5c58392aa86617c22eb4179411c69a86c34263c0b47
                                                • Opcode Fuzzy Hash: b3b5956fe3e137725c781ddd8fab29f904a016988357aade7a2b8016b871be78
                                                • Instruction Fuzzy Hash: A421E3B59002089FDB10CFA9D985BEEBBF8FB58324F14801AE954A3310D374A955CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D4BB3F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.315849493.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_d40000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: e4e6008a9c669041bc6f9c032c1fd9d4b42c622c8bee0bad53ea7cbcd0cf0599
                                                • Instruction ID: 895f6420fb54e34af329667facf94cbaddba458aac95c9473abeac81732d5668
                                                • Opcode Fuzzy Hash: e4e6008a9c669041bc6f9c032c1fd9d4b42c622c8bee0bad53ea7cbcd0cf0599
                                                • Instruction Fuzzy Hash: B121C2B59002499FDB10CFAAD984BDEBBF8FB48324F14841AE954A3710D378A954CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D49869,00000800,00000000,00000000), ref: 00D49A7A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.315849493.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_d40000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: b094c157d26a1b6651104474625cae1ef32ef765c76f8c480032295964a71c85
                                                • Instruction ID: d68b71d939fa88ce053a0b85de326776c1662ebdb90f31f3a825c8b696982212
                                                • Opcode Fuzzy Hash: b094c157d26a1b6651104474625cae1ef32ef765c76f8c480032295964a71c85
                                                • Instruction Fuzzy Hash: 222138B69002098FCB10CF9AD845BDFFBF4EB88324F14852AD519A7710C375A949CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D49869,00000800,00000000,00000000), ref: 00D49A7A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.315849493.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_d40000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: 097d53354fd00479ebf2e024a88dc04edbb0be2ff78d95f622160cb4533197c6
                                                • Instruction ID: 503a9e6de85b6cebf7e9a807434bef439822d232284c33367dad5d5ab0d39a44
                                                • Opcode Fuzzy Hash: 097d53354fd00479ebf2e024a88dc04edbb0be2ff78d95f622160cb4533197c6
                                                • Instruction Fuzzy Hash: 3111E4B69002499FCB10CF9AD445BDFFBF4EB48324F14842AE559A7700C3B5A949CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00D497EE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.315849493.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_d40000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 567c56d4110bf1b90f3beb93dceb5cdf615edaf43d326be7d43f380ecdf9ca51
                                                • Instruction ID: fa544c3c49e8c6fe94ca9313775c48ca578b1c0569c03a3d5e261c2567a90010
                                                • Opcode Fuzzy Hash: 567c56d4110bf1b90f3beb93dceb5cdf615edaf43d326be7d43f380ecdf9ca51
                                                • Instruction Fuzzy Hash: E911D2B6C006498FCB10CF9AD444BDFFBF4AB48324F14851AD869A7700D374A545CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.315229530.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_aed000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 05ef5c7bf23efc5bca04743fca2c421c11aad6b5097e5941f0d170533dd10008
                                                • Instruction ID: 173ca10f17ae686fc57876bd01109168ed1df47a8cd59ba44be1dae739eab39a
                                                • Opcode Fuzzy Hash: 05ef5c7bf23efc5bca04743fca2c421c11aad6b5097e5941f0d170533dd10008
                                                • Instruction Fuzzy Hash: 29214975504284DFDB01CF15D9C0B1ABBB5FBA8324F24C569E8090F786C336E85ADBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.315267051.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_afd000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8ed03acf0719afe9119689e37552580db37909d5bb91af2407327aa4b566a415
                                                • Instruction ID: ec4d8da6e9d9c79c021a38ea8f80cc8a8b13b54ad542c41a83d25572192fb16e
                                                • Opcode Fuzzy Hash: 8ed03acf0719afe9119689e37552580db37909d5bb91af2407327aa4b566a415
                                                • Instruction Fuzzy Hash: CD213771504248DFCB16CF54D9C0B26BB62FB84314F24C969E90A4B746CB36D84BCBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.315267051.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_afd000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 46658a7110bf34b6315f0fa9d349912e4ae1bf61e22e937ca96ea382a7c57a6f
                                                • Instruction ID: f0f1c98f92628d0259cd9d8dac60432d459e4b37d909fcd06aaab0599702aa61
                                                • Opcode Fuzzy Hash: 46658a7110bf34b6315f0fa9d349912e4ae1bf61e22e937ca96ea382a7c57a6f
                                                • Instruction Fuzzy Hash: DE210771504248EFDB02CF54D9C0B66BB66FB84314F24C969E9094B745C336D84ADBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.315267051.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_afd000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fb635e49a608a7277ea24e55c4d92b5f2adedf3eebad02ddc072417a6045c9da
                                                • Instruction ID: 5c4e004b2c7c452d38b1c7f21413e59f26c504177b6235b06732dd624f769ccb
                                                • Opcode Fuzzy Hash: fb635e49a608a7277ea24e55c4d92b5f2adedf3eebad02ddc072417a6045c9da
                                                • Instruction Fuzzy Hash: 662192755093C48FCB03CF20D990715BF71EB46314F28C5EAD9498B657C33A980ACB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.315229530.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_aed000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a5e0b608e762b73065f3240f20cc597103337480dfea35710c9739bf98176558
                                                • Instruction ID: a6ea3e0a42d98d67548ef3895543791769d38e12f4b65e109cbd3a0174a1ff76
                                                • Opcode Fuzzy Hash: a5e0b608e762b73065f3240f20cc597103337480dfea35710c9739bf98176558
                                                • Instruction Fuzzy Hash: 90110876404280DFCF11CF10D5C4B1ABF71FB94324F24C6A9D8090B656C33AE856CBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.315267051.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_afd000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bd63c1716a40d01d4b9c8176ae75a0eba7f53514f489a0ee23e72f30f1191b10
                                                • Instruction ID: cde5757e5eacdb44c0da49f15fadbaa2b59615f06f34f696ccad3bfdab764c01
                                                • Opcode Fuzzy Hash: bd63c1716a40d01d4b9c8176ae75a0eba7f53514f489a0ee23e72f30f1191b10
                                                • Instruction Fuzzy Hash: B711D075504284DFCB02CF50C5C0B65FB72FB84314F24C6AEE9494B656C33AD84ACB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.315229530.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_aed000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cb542525030d149741ba59709c3f41f0c0640d2ae1ec6d518316a9274b1549ec
                                                • Instruction ID: f2b5aee2b4126fb0cf91f7d630c4bf9875b716eae02dd372cae3f20f41cfbbdb
                                                • Opcode Fuzzy Hash: cb542525030d149741ba59709c3f41f0c0640d2ae1ec6d518316a9274b1549ec
                                                • Instruction Fuzzy Hash: 6701F2714043C49EE7205F22DD84BA6BBA8EF41368F18852AED151A642D3789888CAB1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.315229530.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_aed000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1275001482bf158f14fad01a38a81aad17b3a753fb3a4eb6477dd55081ad6297
                                                • Instruction ID: 6c70ff299188a6c8550b09cc44d40325df0424b35cea07798ad0dc0e8a59269f
                                                • Opcode Fuzzy Hash: 1275001482bf158f14fad01a38a81aad17b3a753fb3a4eb6477dd55081ad6297
                                                • Instruction Fuzzy Hash: EDF062714042849EEB109F16DCC4B66FB98EB45734F18C45AED085B686C3799C44CAB1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.315849493.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_d40000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: abc1da57495fb0ec8281f1666e05c33feb4bccfb4cd7b3f00e86802dabe8a87d
                                                • Instruction ID: f8d4416b5d5bf5c128f54d182d73b364ae170bf56673a96fa4a2fc4f711c11b2
                                                • Opcode Fuzzy Hash: abc1da57495fb0ec8281f1666e05c33feb4bccfb4cd7b3f00e86802dabe8a87d
                                                • Instruction Fuzzy Hash: 5512A0B1411F46CAE710DF65FC983897BA0B745328F904308D261ABBF9D7B8214ACF68
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.315849493.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_d40000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a82666b64fc12a124822f6295dffd99653bfea1534e88cd6deef4a5892758f84
                                                • Instruction ID: 5a83671069ef048c361fa463931b7e2ae848ec9d4174838dc32155f002c48a51
                                                • Opcode Fuzzy Hash: a82666b64fc12a124822f6295dffd99653bfea1534e88cd6deef4a5892758f84
                                                • Instruction Fuzzy Hash: 07A16C32E10619CFCF15DFB5D8845DEBBB2FF85300B15856AE806AB261EB71A905CF60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.315849493.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_d40000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 96fc0285b6aaedd573e5b67dc49fa1462b02e16d1e49285c67d3aad4b64ea6cd
                                                • Instruction ID: 74b1960ae4887eaebb3a227a8804eaaa49a73c7bc2d91646b8971856097f3566
                                                • Opcode Fuzzy Hash: 96fc0285b6aaedd573e5b67dc49fa1462b02e16d1e49285c67d3aad4b64ea6cd
                                                • Instruction Fuzzy Hash: 6FC1E3B1811B46CAD711DF65FC883897BB1BB85328F504308D161BB7E9D7B8258ACFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%
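
The "Memory Dump Source" entries above all come from regions whose .sdmp name carries protection 00000040 and type 00020000 and that are marked "based on PE: false". Decoding those fields tells you what the sandbox actually dumped: private, unbacked, executable and writable memory, which is what unpacked or injected code looks like (the process 2 region at 016B0000 is exactly that). The script below is an added example, not Joe Sandbox code, that parses such entries and flags those regions. The field layout of the .sdmp name is an assumption inferred from the pattern in this report; only the base address, page protection and memory type are interpreted, using the standard winnt.h constant values. The sample input is a constructed excerpt of four entries copied from this page.

```python
import re

# Page-protection and memory-type constants as defined in winnt.h.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed field layout of the .sdmp name, inferred from the pattern in the report:
# <process index>.<dump kind>.<dump id>.<base address>.<page protection>.<undecoded>.
# <memory type>.<undecoded>.sdmp -- only base, protection and type are interpreted.
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$"
)
# Bullet lines of the form "• Key: value".
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<val>.*?)\s*$")


def decode_sdmp_name(name):
    """Split an .sdmp file name into its fields and decode the Windows constants."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised sdmp name: {name}")
    protect = int(m["protect"], 16)
    mtype = int(m["mtype"], 16)
    return {
        "process": int(m["proc"], 16),
        "base": int(m["base"], 16),
        "protect": PAGE_PROTECT.get(protect, f"0x{protect:x}"),
        "mem_type": MEM_TYPE.get(mtype, f"0x{mtype:x}"),
        "executable": bool(protect & (0x10 | 0x20 | 0x40 | 0x80)),
        "writable": bool(protect & (0x04 | 0x08 | 0x40 | 0x80)),
    }


def parse_dump_sources(text):
    """Turn repeated 'Memory Dump Source' blocks into a list of dicts."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            cur = {}
            records.append(cur)
            continue
        m = FIELD_RE.match(line)
        if not m or cur is None:
            continue
        key, val = m["key"].strip(), m["val"]
        if key == "Source File":
            # Value looks like "<name>, Offset: 00AED000, based on PE: false".
            name, _, rest = val.partition(",")
            cur["file"] = name.strip()
            cur["pe_backed"] = rest.strip().lower().endswith("true")
            cur.update(decode_sdmp_name(cur["file"]))
        else:
            cur[key] = val
    return records


def triage(records):
    """Group entries by (process, base) and flag regions that are executable,
    writable, private and not backed by a PE image: the usual shape of unpacked
    or injected code rather than a legitimately loaded module."""
    out = {}
    for r in records:
        g = out.setdefault((r["process"], r["base"]), {
            "functions": 0, "opcode_ids": set(),
            "protect": r["protect"], "mem_type": r["mem_type"], "suspicious": False})
        g["functions"] += 1
        g["opcode_ids"].add(r.get("Opcode ID"))
        g["suspicious"] = (r["executable"] and r["writable"]
                           and r["mem_type"] == "MEM_PRIVATE" and not r["pe_backed"])
    return out


# Constructed excerpt: four entries copied from this report (two from the AED000
# region of process 0, one from D40000, one from the 16B0000 region of process 2).
SAMPLE = """
Memory Dump Source
• Source File: 00000000.00000002.315229530.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false
• Opcode ID: 05ef5c7bf23efc5bca04743fca2c421c11aad6b5097e5941f0d170533dd10008
• Instruction Fuzzy Hash: 29214975504284DFDB01CF15D9C0B1ABBB5FBA8324F24C569E8090F786C336E85ADBA2
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000000.00000002.315229530.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false
• Opcode ID: a5e0b608e762b73065f3240f20cc597103337480dfea35710c9739bf98176558
Memory Dump Source
• Source File: 00000000.00000002.315849493.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
• Opcode ID: abc1da57495fb0ec8281f1666e05c33feb4bccfb4cd7b3f00e86802dabe8a87d
Memory Dump Source
• Source File: 00000002.00000002.560418816.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
• API ID: InitializeThunk
• Opcode ID: 7301d64773ccedbedc0fa36e63968571f7e97408c0389f271c8072eda3a0447c
"""

if __name__ == "__main__":
    for (proc, base), g in sorted(triage(parse_dump_sources(SAMPLE)).items()):
        flag = "SUSPICIOUS" if g["suspicious"] else "ok"
        print(f"process {proc} base 0x{base:08X} {g['protect']} {g['mem_type']} "
              f"functions={g['functions']} unique_opcode_ids={len(g['opcode_ids'])} {flag}")
```

Run against the full report text instead of SAMPLE, the same grouping shows which regions the IDA plugin pulled the most functions from; a high function count in a flagged region of the injected process is where to start static analysis of the unpacked payload.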

                                                Execution Graph

                                                Execution Coverage:18.8%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:41.5%
                                                Total number of Nodes:340
                                                Total number of Limit Nodes:58
                                                execution_graph 16045 6952f2c 16046 6952eab 16045->16046 16048 6952dee 16045->16048 16047 6952de1 LdrInitializeThunk 16046->16047 16046->16048 16047->16048 16049 16b3460 16050 16b347c 16049->16050 16051 16b3505 KiUserExceptionDispatcher 16050->16051 16140 16b6111 16051->16140 16052 16b3513 16144 16b83c9 16052->16144 16054 16b353d 16163 69534c8 16054->16163 16169 69534b8 16054->16169 16055 16b3544 16175 6953910 16055->16175 16181 6953920 16055->16181 16056 16b354b 16187 6953d68 16056->16187 16193 6953d78 16056->16193 16057 16b3552 16199 69541d0 16057->16199 16205 69541c0 16057->16205 16058 16b3559 16211 6954619 16058->16211 16217 6954628 16058->16217 16059 16b3560 16223 6954a80 16059->16223 16229 6954a70 16059->16229 16060 16b3567 16235 6954ec8 16060->16235 16241 6954ed8 16060->16241 16061 16b356e 16247 6955321 16061->16247 16253 6955330 16061->16253 16062 16b3575 16259 6955788 16062->16259 16265 6955778 16062->16265 16063 16b357c 16271 6955be0 16063->16271 16277 6955bda 16063->16277 16064 16b3583 16283 6956038 16064->16283 16289 695602a 16064->16289 16065 16b358a 16295 6956490 16065->16295 16301 6956482 16065->16301 16066 16b3591 16307 69568e8 16066->16307 16313 69568d8 16066->16313 16067 16b3598 16319 6956d36 16067->16319 16325 6956d40 16067->16325 16068 16b359f 16331 6957198 16068->16331 16337 6957188 16068->16337 16069 16b35a6 16343 69575f0 16069->16343 16349 69575e0 16069->16349 16070 16b35ad 16355 6957a48 16070->16355 16361 6957a3a 16070->16361 16071 16b35b4 16367 6957e90 16071->16367 16373 6957ea0 16071->16373 16072 16b35bb 16379 69582f8 16072->16379 16385 69582e8 16072->16385 16073 16b35c2 16391 6958750 16073->16391 16397 6958741 16073->16397 16074 16b35c9 16403 695ddf0 16074->16403 16409 695de00 16074->16409 16075 16b35f6 16415 695e280 16075->16415 16421 695e271 16075->16421 16076 16b3604 16428 695e6c8 16076->16428 16434 695e6d8 16076->16434 16077 16b360b 16440 695eb30 16077->16440 16446 695eb20 16077->16446 
16078 16b3612 16452 695ef79 16078->16452 16458 695ef88 16078->16458 16079 16b3619 16464 695f3d0 16079->16464 16470 695f3e0 16079->16470 16080 16b3620 16476 695f828 16080->16476 16482 695f838 16080->16482 16081 16b3627 16141 16b6142 KiUserExceptionDispatcher 16140->16141 16143 16b61fe 16141->16143 16143->16052 16147 16b83fa 16144->16147 16145 16b3536 16151 6953062 16145->16151 16157 6953070 16145->16157 16146 16b8549 KiUserExceptionDispatcher 16146->16147 16147->16145 16147->16146 16488 6952c73 16147->16488 16492 6952ad8 16147->16492 16496 6952ac9 16147->16496 16152 6953070 KiUserExceptionDispatcher 16151->16152 16156 695314c 16152->16156 16154 6953471 16154->16054 16155 6952ad8 KiUserExceptionDispatcher 16155->16156 16156->16154 16156->16155 16158 6953092 KiUserExceptionDispatcher 16157->16158 16162 695314c 16158->16162 16160 6953471 16160->16054 16161 6952ad8 KiUserExceptionDispatcher 16161->16162 16162->16160 16162->16161 16164 69534ea KiUserExceptionDispatcher 16163->16164 16167 69535a4 16164->16167 16166 69538c9 16166->16055 16167->16166 16168 6952ad8 KiUserExceptionDispatcher 16167->16168 16168->16167 16170 69534ea KiUserExceptionDispatcher 16169->16170 16174 69535a4 16170->16174 16172 69538c9 16172->16055 16173 6952ad8 KiUserExceptionDispatcher 16173->16174 16174->16172 16174->16173 16176 6953915 KiUserExceptionDispatcher 16175->16176 16180 69539fc 16176->16180 16178 6953d21 16178->16056 16179 6952ad8 KiUserExceptionDispatcher 16179->16180 16180->16178 16180->16179 16182 6953942 KiUserExceptionDispatcher 16181->16182 16186 69539fc 16182->16186 16184 6953d21 16184->16056 16185 6952ad8 KiUserExceptionDispatcher 16185->16186 16186->16184 16186->16185 16188 6953d9a KiUserExceptionDispatcher 16187->16188 16192 6953e54 16188->16192 16190 6954179 16190->16057 16191 6952ad8 KiUserExceptionDispatcher 16191->16192 16192->16190 16192->16191 16194 6953d9a KiUserExceptionDispatcher 16193->16194 16198 6953e54 16194->16198 16196 6954179 16196->16057 16197 6952ad8 
KiUserExceptionDispatcher 16197->16198 16198->16196 16198->16197 16200 69541f2 KiUserExceptionDispatcher 16199->16200 16204 69542ac 16200->16204 16202 69545d1 16202->16058 16203 6952ad8 KiUserExceptionDispatcher 16203->16204 16204->16202 16204->16203 16206 69541d0 KiUserExceptionDispatcher 16205->16206 16210 69542ac 16206->16210 16208 69545d1 16208->16058 16209 6952ad8 KiUserExceptionDispatcher 16209->16210 16210->16208 16210->16209 16212 695464a KiUserExceptionDispatcher 16211->16212 16216 6954704 16212->16216 16214 6954a29 16214->16059 16215 6952ad8 KiUserExceptionDispatcher 16215->16216 16216->16214 16216->16215 16218 695464a KiUserExceptionDispatcher 16217->16218 16222 6954704 16218->16222 16220 6954a29 16220->16059 16221 6952ad8 KiUserExceptionDispatcher 16221->16222 16222->16220 16222->16221 16224 6954aa2 KiUserExceptionDispatcher 16223->16224 16228 6954b5c 16224->16228 16226 6954e81 16226->16060 16227 6952ad8 KiUserExceptionDispatcher 16227->16228 16228->16226 16228->16227 16230 6954aa2 KiUserExceptionDispatcher 16229->16230 16234 6954b5c 16230->16234 16232 6954e81 16232->16060 16233 6952ad8 KiUserExceptionDispatcher 16233->16234 16234->16232 16234->16233 16236 6954ed8 KiUserExceptionDispatcher 16235->16236 16240 6954fb4 16236->16240 16238 69552d9 16238->16061 16239 6952ad8 KiUserExceptionDispatcher 16239->16240 16240->16238 16240->16239 16242 6954efa KiUserExceptionDispatcher 16241->16242 16246 6954fb4 16242->16246 16244 69552d9 16244->16061 16245 6952ad8 KiUserExceptionDispatcher 16245->16246 16246->16244 16246->16245 16248 6955330 KiUserExceptionDispatcher 16247->16248 16252 695540c 16248->16252 16250 6955731 16250->16062 16251 6952ad8 KiUserExceptionDispatcher 16251->16252 16252->16250 16252->16251 16254 6955352 KiUserExceptionDispatcher 16253->16254 16258 695540c 16254->16258 16256 6955731 16256->16062 16257 6952ad8 KiUserExceptionDispatcher 16257->16258 16258->16256 16258->16257 16260 69557aa KiUserExceptionDispatcher 16259->16260 16264 6955864 
16260->16264 16262 6955b89 16262->16063 16263 6952ad8 KiUserExceptionDispatcher 16263->16264 16264->16262 16264->16263 16266 6955781 KiUserExceptionDispatcher 16265->16266 16270 6955864 16266->16270 16268 6955b89 16268->16063 16269 6952ad8 KiUserExceptionDispatcher 16269->16270 16270->16268 16270->16269 16272 6955c02 KiUserExceptionDispatcher 16271->16272 16276 6955cbc 16272->16276 16274 6955fe1 16274->16064 16275 6952ad8 KiUserExceptionDispatcher 16275->16276 16276->16274 16276->16275 16278 6955c02 KiUserExceptionDispatcher 16277->16278 16282 6955cbc 16278->16282 16280 6955fe1 16280->16064 16281 6952ad8 KiUserExceptionDispatcher 16281->16282 16282->16280 16282->16281 16284 695605a KiUserExceptionDispatcher 16283->16284 16288 6956114 16284->16288 16286 6956439 16286->16065 16287 6952ad8 KiUserExceptionDispatcher 16287->16288 16288->16286 16288->16287 16290 695605a KiUserExceptionDispatcher 16289->16290 16293 6956114 16290->16293 16292 6956439 16292->16065 16293->16292 16294 6952ad8 KiUserExceptionDispatcher 16293->16294 16294->16293 16296 69564b2 KiUserExceptionDispatcher 16295->16296 16300 695656c 16296->16300 16298 6956891 16298->16066 16299 6952ad8 KiUserExceptionDispatcher 16299->16300 16300->16298 16300->16299 16302 69564b2 KiUserExceptionDispatcher 16301->16302 16306 695656c 16302->16306 16304 6956891 16304->16066 16305 6952ad8 KiUserExceptionDispatcher 16305->16306 16306->16304 16306->16305 16308 695690a KiUserExceptionDispatcher 16307->16308 16312 69569c4 16308->16312 16310 6956ce9 16310->16067 16311 6952ad8 KiUserExceptionDispatcher 16311->16312 16312->16310 16312->16311 16314 695690a KiUserExceptionDispatcher 16313->16314 16318 69569c4 16314->16318 16316 6956ce9 16316->16067 16317 6952ad8 KiUserExceptionDispatcher 16317->16318 16318->16316 16318->16317 16320 6956d62 KiUserExceptionDispatcher 16319->16320 16324 6956e1c 16320->16324 16322 6957141 16322->16068 16323 6952ad8 KiUserExceptionDispatcher 16323->16324 16324->16322 16324->16323 16326 6956d62 
KiUserExceptionDispatcher 16325->16326 16330 6956e1c 16326->16330 16328 6957141 16328->16068 16329 6952ad8 KiUserExceptionDispatcher 16329->16330 16330->16328 16330->16329 16332 69571ba KiUserExceptionDispatcher 16331->16332 16336 6957274 16332->16336 16334 6957599 16334->16069 16335 6952ad8 KiUserExceptionDispatcher 16335->16336 16336->16334 16336->16335 16338 69571ba KiUserExceptionDispatcher 16337->16338 16342 6957274 16338->16342 16340 6957599 16340->16069 16341 6952ad8 KiUserExceptionDispatcher 16341->16342 16342->16340 16342->16341 16344 6957612 KiUserExceptionDispatcher 16343->16344 16348 69576cc 16344->16348 16346 69579f1 16346->16070 16347 6952ad8 KiUserExceptionDispatcher 16347->16348 16348->16346 16348->16347 16350 6957612 KiUserExceptionDispatcher 16349->16350 16354 69576cc 16350->16354 16352 69579f1 16352->16070 16353 6952ad8 KiUserExceptionDispatcher 16353->16354 16354->16352 16354->16353 16356 6957a6a KiUserExceptionDispatcher 16355->16356 16360 6957b24 16356->16360 16358 6957e49 16358->16071 16359 6952ad8 KiUserExceptionDispatcher 16359->16360 16360->16358 16360->16359 16362 6957a48 KiUserExceptionDispatcher 16361->16362 16366 6957b24 16362->16366 16364 6957e49 16364->16071 16365 6952ad8 KiUserExceptionDispatcher 16365->16366 16366->16364 16366->16365 16368 6957ec2 KiUserExceptionDispatcher 16367->16368 16372 6957f7c 16368->16372 16370 69582a1 16370->16072 16371 6952ad8 KiUserExceptionDispatcher 16371->16372 16372->16370 16372->16371 16374 6957ec2 KiUserExceptionDispatcher 16373->16374 16378 6957f7c 16374->16378 16376 69582a1 16376->16072 16377 6952ad8 KiUserExceptionDispatcher 16377->16378 16378->16376 16378->16377 16380 695831a KiUserExceptionDispatcher 16379->16380 16384 69583d4 16380->16384 16382 69586f9 16382->16073 16383 6952ad8 KiUserExceptionDispatcher 16383->16384 16384->16382 16384->16383 16386 69582eb KiUserExceptionDispatcher 16385->16386 16389 69583d4 16386->16389 16388 69586f9 16388->16073 16389->16388 16390 6952ad8 
KiUserExceptionDispatcher 16389->16390 16390->16389 16392 6958772 KiUserExceptionDispatcher 16391->16392 16396 695882c 16392->16396 16394 6958b51 16394->16074 16395 6952ad8 KiUserExceptionDispatcher 16395->16396 16396->16394 16396->16395 16398 6958772 KiUserExceptionDispatcher 16397->16398 16402 695882c 16398->16402 16400 6958b51 16400->16074 16401 6952ad8 KiUserExceptionDispatcher 16401->16402 16402->16400 16402->16401 16404 695de00 KiUserExceptionDispatcher 16403->16404 16408 695dedc 16404->16408 16406 695e201 16406->16075 16407 6952ad8 KiUserExceptionDispatcher 16407->16408 16408->16406 16408->16407 16410 695de22 KiUserExceptionDispatcher 16409->16410 16413 695dedc 16410->16413 16412 695e201 16412->16075 16413->16412 16414 6952ad8 KiUserExceptionDispatcher 16413->16414 16414->16413 16416 695e2a2 KiUserExceptionDispatcher 16415->16416 16420 695e35c 16416->16420 16418 695e681 16418->16076 16419 6952ad8 KiUserExceptionDispatcher 16419->16420 16420->16418 16420->16419 16422 695e225 16421->16422 16423 695e27e KiUserExceptionDispatcher 16421->16423 16422->16076 16427 695e35c 16423->16427 16425 695e681 16425->16076 16426 6952ad8 KiUserExceptionDispatcher 16426->16427 16427->16425 16427->16426 16429 695e6d8 KiUserExceptionDispatcher 16428->16429 16433 695e7b4 16429->16433 16431 695ead9 16431->16077 16432 6952ad8 KiUserExceptionDispatcher 16432->16433 16433->16431 16433->16432 16435 695e6fa KiUserExceptionDispatcher 16434->16435 16438 695e7b4 16435->16438 16437 695ead9 16437->16077 16438->16437 16439 6952ad8 KiUserExceptionDispatcher 16438->16439 16439->16438 16441 695eb52 KiUserExceptionDispatcher 16440->16441 16445 695ec0c 16441->16445 16443 695ef31 16443->16078 16444 6952ad8 KiUserExceptionDispatcher 16444->16445 16445->16443 16445->16444 16447 695eb52 KiUserExceptionDispatcher 16446->16447 16451 695ec0c 16447->16451 16449 695ef31 16449->16078 16450 6952ad8 KiUserExceptionDispatcher 16450->16451 16451->16449 16451->16450 16453 695ef88 KiUserExceptionDispatcher 
16452->16453 16457 695f064 16453->16457 16455 695f389 16455->16079 16456 6952ad8 KiUserExceptionDispatcher 16456->16457 16457->16455 16457->16456 16459 695efaa KiUserExceptionDispatcher 16458->16459 16462 695f064 16459->16462 16461 695f389 16461->16079 16462->16461 16463 6952ad8 KiUserExceptionDispatcher 16462->16463 16463->16462 16465 695f402 KiUserExceptionDispatcher 16464->16465 16469 695f4bc 16465->16469 16467 695f7e1 16467->16080 16468 6952ad8 KiUserExceptionDispatcher 16468->16469 16469->16467 16469->16468 16471 695f402 KiUserExceptionDispatcher 16470->16471 16475 695f4bc 16471->16475 16473 695f7e1 16473->16080 16474 6952ad8 KiUserExceptionDispatcher 16474->16475 16475->16473 16475->16474 16477 695f838 KiUserExceptionDispatcher 16476->16477 16481 695f914 16477->16481 16479 695fc39 16479->16081 16480 6952ad8 KiUserExceptionDispatcher 16480->16481 16481->16479 16481->16480 16483 695f85a KiUserExceptionDispatcher 16482->16483 16487 695f914 16483->16487 16485 695fc39 16485->16081 16486 6952ad8 KiUserExceptionDispatcher 16486->16487 16487->16485 16487->16486 16491 6952b37 16488->16491 16489 6952c2a KiUserExceptionDispatcher 16490 6952c1b 16489->16490 16490->16147 16491->16489 16491->16490 16495 6952aff 16492->16495 16493 6952c2a KiUserExceptionDispatcher 16494 6952c1b 16493->16494 16494->16147 16495->16493 16495->16494 16498 6952ad8 16496->16498 16497 6952c2a KiUserExceptionDispatcher 16499 6952c1b 16497->16499 16498->16497 16498->16499 16499->16147 16500 16b5587 16501 16b55ba 16500->16501 16502 16b55bf LdrInitializeThunk 16500->16502 16501->16502 16503 16b5653 16502->16503
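
The execution graph above is a rendered graph flattened into one token stream: each node is a numeric id followed by an address (or, in the control-flow graphs that follow, an address range) and optional labels such as an API name or "call <addr> * 2", and each "A->B" is an edge. Rebuilding it makes the page's own observation easy to check: the dynamic code in process 2 reaches KiUserExceptionDispatcher from almost every function, i.e. control flow is driven through exceptions. The parser below is an added example, not part of Joe Sandbox; its token rules are a heuristic fitted to the layout on this page (decimal id followed by a hex address opens a node, everything else up to the next node or edge is a label). The sample input is a constructed subset of the graph text above.

```python
import re
from collections import defaultdict, deque

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d+$")
# "6952f2c" in the execution graph, "16b5587-16b55b8" in the control-flow graphs.
ADDR_RE = re.compile(r"^[0-9a-f]{5,8}(-[0-9a-f]{5,8})?$")


def parse_graph(text):
    """Rebuild nodes {id: {"addr", "labels"}} and edges [(src, dst)] from the
    flattened graph text. Heuristic: 'A->B' is an edge; a decimal token followed
    by a hex address starts a node; other tokens label the current node."""
    nodes, edges, toks = {}, [], text.split()
    i, cur = 0, None
    while i < len(toks):
        t = toks[i]
        m = EDGE_RE.match(t)
        if m:
            edges.append((m.group(1), m.group(2)))
            i += 1
            continue
        if NODE_ID_RE.match(t) and i + 1 < len(toks) and ADDR_RE.match(toks[i + 1]):
            cur = t
            nodes[cur] = {"addr": toks[i + 1], "labels": []}
            i += 2          # the address token is always consumed with its id
            continue
        if cur is not None:
            nodes[cur]["labels"].append(t)
        i += 1
    return nodes, edges


def roots(nodes, edges):
    """Nodes with no incoming edge: the entry points the graph was built from."""
    targets = {dst for _, dst in edges}
    return sorted(n for n in nodes if n not in targets)


def reachable_apis(nodes, edges, start):
    """API labels reachable from `start` by following edges (breadth-first)."""
    succ = defaultdict(list)
    for s, d in edges:
        succ[s].append(d)
    seen, queue, apis = {start}, deque([start]), set()
    while queue:
        n = queue.popleft()
        for lab in nodes.get(n, {}).get("labels", []):
            if lab[0].isupper():    # API names are CamelCase; 'call', '*', '2' are not
                apis.add(lab)
        for d in succ[n]:
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return apis


def api_call_sites(nodes, api):
    """Addresses of every node labelled with the given API name."""
    return sorted(n["addr"] for n in nodes.values() if api in n["labels"])


# Constructed subset of the execution graph on this page.
SAMPLE = (
    "execution_graph 16045 6952f2c 16046 6952eab 16045->16046 16048 6952dee "
    "16045->16048 16047 6952de1 LdrInitializeThunk 16046->16047 16046->16048 "
    "16047->16048 16049 16b3460 16050 16b347c 16049->16050 16051 16b3505 "
    "KiUserExceptionDispatcher 16050->16051 16140 16b6111 16051->16140 "
    "16052 16b3513 16141 16b6142 KiUserExceptionDispatcher 16140->16141 "
    "16143 16b61fe 16141->16143 16143->16052"
)

if __name__ == "__main__":
    nodes, edges = parse_graph(SAMPLE)
    print(f"{len(nodes)} nodes, {len(edges)} edges, roots {roots(nodes, edges)}")
    for r in roots(nodes, edges):
        print(f"entry {nodes[r]['addr']}: reaches {sorted(reachable_apis(nodes, edges, r))}")
    print("KiUserExceptionDispatcher at", api_call_sites(nodes, "KiUserExceptionDispatcher"))
```

The same parser accepts the control_flow_graph blocks below, where the address is a basic-block range and labels include "call 16b43f8 * 2"; the call-target address stays in the label list rather than being treated as a node.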

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 957 16b5587-16b55b8 958 16b55ba 957->958 959 16b55bf-16b564c LdrInitializeThunk 957->959 958->959 960 16b5653-16b571b 959->960 967 16b5fb4-16b5fd3 960->967 968 16b5fd9-16b600e 967->968 969 16b5720-16b572c 967->969 970 16b572e 969->970 971 16b5733-16b5799 969->971 970->971 976 16b579b 971->976 977 16b57a0-16b582d 971->977 976->977 983 16b583f-16b5846 977->983 984 16b582f-16b5836 977->984 987 16b5848 983->987 988 16b584d-16b585a 983->988 985 16b5838 984->985 986 16b583d 984->986 985->986 986->988 987->988 989 16b585c 988->989 990 16b5861-16b5868 988->990 989->990 991 16b586a 990->991 992 16b586f-16b58c6 990->992 991->992 995 16b58c8 992->995 996 16b58cd-16b58e4 992->996 995->996 997 16b58ef-16b58f7 996->997 998 16b58e6-16b58ed 996->998 999 16b58f8-16b5902 997->999 998->999 1000 16b5909-16b5912 999->1000 1001 16b5904 999->1001 1002 16b5f84-16b5f8a 1000->1002 1001->1000 1003 16b5f90-16b5faa 1002->1003 1004 16b5917-16b5923 1002->1004 1012 16b5fac 1003->1012 1013 16b5fb1 1003->1013 1005 16b592a-16b592f 1004->1005 1006 16b5925 1004->1006 1007 16b5972-16b5974 1005->1007 1008 16b5931-16b593d 1005->1008 1006->1005 1014 16b597a-16b598e 1007->1014 1010 16b593f 1008->1010 1011 16b5944-16b5949 1008->1011 1010->1011 1011->1007 1015 16b594b-16b5958 1011->1015 1012->1013 1013->967 1016 16b5f62-16b5f6f 1014->1016 1017 16b5994-16b59a9 1014->1017 1021 16b595a 1015->1021 1022 16b595f-16b5970 1015->1022 1020 16b5f70-16b5f7a 1016->1020 1018 16b59ab 1017->1018 1019 16b59b0-16b5a30 1017->1019 1018->1019 1029 16b5a5a 1019->1029 1030 16b5a32-16b5a58 1019->1030 1023 16b5f7c 1020->1023 1024 16b5f81 1020->1024 1021->1022 1022->1014 1023->1024 1024->1002 1031 16b5a64-16b5a78 1029->1031 1030->1031 1032 16b5a7e-16b5a88 1031->1032 1033 16b5bc1-16b5bc6 1031->1033 1035 16b5a8a 1032->1035 1036 16b5a8f-16b5aa9 1032->1036 1037 16b5c2a-16b5c2c 1033->1037 1038 16b5bc8-16b5be8 1033->1038 1035->1036 1039 16b5aab-16b5ab5 1036->1039 1040 
16b5ac0-16b5ac2 1036->1040 1041 16b5c32-16b5c46 1037->1041 1048 16b5bea-16b5c10 1038->1048 1049 16b5c12 1038->1049 1043 16b5abc-16b5abf 1039->1043 1044 16b5ab7 1039->1044 1045 16b5b4c-16b5b58 1040->1045 1046 16b5f5c-16b5f5d 1041->1046 1047 16b5c4c-16b5c56 1041->1047 1043->1040 1044->1043 1050 16b5b5a 1045->1050 1051 16b5b5f-16b5b64 1045->1051 1054 16b5f5e-16b5f60 1046->1054 1052 16b5c58 1047->1052 1053 16b5c5d-16b5c77 1047->1053 1057 16b5c1c-16b5c28 1048->1057 1049->1057 1050->1051 1058 16b5b8b-16b5b8d 1051->1058 1059 16b5b66-16b5b73 1051->1059 1052->1053 1055 16b5c79-16b5c83 1053->1055 1056 16b5c8e-16b5c9c 1053->1056 1054->1020 1060 16b5c8a-16b5c8d 1055->1060 1061 16b5c85 1055->1061 1062 16b5d2c-16b5d38 1056->1062 1057->1041 1066 16b5b93-16b5ba1 1058->1066 1064 16b5b7a-16b5b89 1059->1064 1065 16b5b75 1059->1065 1060->1056 1061->1060 1069 16b5d3a 1062->1069 1070 16b5d3f-16b5d44 1062->1070 1064->1066 1065->1064 1067 16b5ac7-16b5adc 1066->1067 1068 16b5ba7-16b5bbc 1066->1068 1073 16b5ade 1067->1073 1074 16b5ae3-16b5b41 1067->1074 1068->1054 1069->1070 1071 16b5d6b-16b5d6d 1070->1071 1072 16b5d46-16b5d53 1070->1072 1077 16b5d73-16b5d87 1071->1077 1075 16b5d5a-16b5d69 1072->1075 1076 16b5d55 1072->1076 1073->1074 1092 16b5b48-16b5b4b 1074->1092 1093 16b5b43 1074->1093 1075->1077 1076->1075 1078 16b5d8d-16b5df9 call 16b43f8 * 2 1077->1078 1079 16b5ca1-16b5cb9 1077->1079 1090 16b5dfb-16b5dfd 1078->1090 1091 16b5e02-16b5f58 1078->1091 1081 16b5cbb 1079->1081 1082 16b5cc0-16b5d21 1079->1082 1081->1082 1098 16b5d28-16b5d2b 1082->1098 1099 16b5d23 1082->1099 1095 16b5f59-16b5f5a 1090->1095 1091->1095 1092->1045 1093->1092 1095->1003 1098->1062 1099->1098
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.560418816.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_16b0000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 7301d64773ccedbedc0fa36e63968571f7e97408c0389f271c8072eda3a0447c
                                                • Instruction ID: 912ab00e16cbd1e3d19fe06abd86400c2c68494d6e55a068f4dad6e8a79a4789
                                                • Opcode Fuzzy Hash: 7301d64773ccedbedc0fa36e63968571f7e97408c0389f271c8072eda3a0447c
                                                • Instruction Fuzzy Hash: B1629EB4D002688FDB64DF69C894BEDBBB2BB49304F1482AAD409A7355DB349EC5CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (entry block 16b83c9-16b83f8; graph rendering omitted)
                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 016B855B
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.560418816.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_16b0000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 71cb585f75504f1bdc5a6fd4d0694db508348c04107dbdaf8275bd185cba0373
                                                • Instruction ID: 818a56127430dd04a6dfe4f124913fd2a9656c9b5ee42b6e252b9cad50f6f4f0
                                                • Opcode Fuzzy Hash: 71cb585f75504f1bdc5a6fd4d0694db508348c04107dbdaf8275bd185cba0373
                                                • Instruction Fuzzy Hash: 10D1C174E01218CFDB24DFA5D994BADBBB6FB88304F2081AAD809A7355DB355E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (entry block 16b6111-16b6140; graph rendering omitted)
                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 016B61EC
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.560418816.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_16b0000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 41b34344ade82ffa953446d110188c5999d93c061cec7dc4b4d3b690ede4ab2a
                                                • Instruction ID: 5cd1123cfd85709c036cc7732c10e09c0f72955979ade50efc7cdbedead7a6b2
                                                • Opcode Fuzzy Hash: 41b34344ade82ffa953446d110188c5999d93c061cec7dc4b4d3b690ede4ab2a
                                                • Instruction Fuzzy Hash: D3D1A274E01218CFDB24DFA5D994BADBBB2FB89304F2081AAD409A7355DB349E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0695655B
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: e1e47917bdc42878ed14cd4dfb0b46be687b89b31397611369cc3ec4a5c6dc44
                                                • Instruction ID: 491283f8343e3090f38cac59fc6183ae418668609e2a1c400b685725c0a233a8
                                                • Opcode Fuzzy Hash: e1e47917bdc42878ed14cd4dfb0b46be687b89b31397611369cc3ec4a5c6dc44
                                                • Instruction Fuzzy Hash: 2EC1A174E01218CFDB64DFA5D954BADBBB2BB89304F2081A9D809AB354DB359E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (entry block 6954a80-6954aa0; graph rendering omitted)
                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06954B4B
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: faea04a3dd1e1848b2638b3fa7e5ec0c60b707089c11cb0ffc6aaab54f17e58e
                                                • Instruction ID: 4b2f3551da31fc4344e9357e1621e62fa7b42cc6910058555d44a2df623301e3
                                                • Opcode Fuzzy Hash: faea04a3dd1e1848b2638b3fa7e5ec0c60b707089c11cb0ffc6aaab54f17e58e
                                                • Instruction Fuzzy Hash: 6AC19274E00218CFDB64DFA5D954BADBBB2FB89304F2081AAD809AB354DB355E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0695E34B
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 9e43861b2b31c0b16ba39102e26f09404946a83bc7adddcbc19d507fef336148
                                                • Instruction ID: d727b69ae17f8f932152f369302c4c11b1dc75c465e088f072156edbddf7cd04
                                                • Opcode Fuzzy Hash: 9e43861b2b31c0b16ba39102e26f09404946a83bc7adddcbc19d507fef336148
                                                • Instruction Fuzzy Hash: EDC1A174E01218CFDB64DFA5D994BADBBB2EB89304F2081A9D809AB354DB355E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06957F6B
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 131a678d6639e0ad9149d13ab9ad8926a6425a92d3ae4e508bcab90eff2e93b3
                                                • Instruction ID: 83a61135c83070a7b7a9dd66b7abe5805983b1fd8f772b63c1f3475e3097d75d
                                                • Opcode Fuzzy Hash: 131a678d6639e0ad9149d13ab9ad8926a6425a92d3ae4e508bcab90eff2e93b3
                                                • Instruction Fuzzy Hash: 2BC1A174E012188FDB64DFA5D954BADBBB2FB89304F2081A9D809AB354DB359E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0695E7A3
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 3bf85affc4d73e3dc17d62eee6792c23252119d98d01fcfa15f286696cc6ca4d
                                                • Instruction ID: 7f4bc0c7afae0caea0530059121312e6c6941dcf13242120d71a051e8d6a1ac3
                                                • Opcode Fuzzy Hash: 3bf85affc4d73e3dc17d62eee6792c23252119d98d01fcfa15f286696cc6ca4d
                                                • Instruction Fuzzy Hash: 2DC1A174E00218CFDB64DFA5D994BADBBB2FB89304F2081A9D809A7355DB355E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (entry block 6954ed8-6954ef8; graph rendering omitted)
                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06954FA3
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 58ad1344c79c8b9810eb762dfd9a75fb4e3746ef6511a409b1ab3516562b120b
                                                • Instruction ID: 16adb8e917daaa167be914520c2c294790c29dd53376e6f6ec47335cbb5d0518
                                                • Opcode Fuzzy Hash: 58ad1344c79c8b9810eb762dfd9a75fb4e3746ef6511a409b1ab3516562b120b
                                                • Instruction Fuzzy Hash: 1BC1A174E00218CFDB64DFA5D994BADBBB2EB89304F2081A9D809A7355DB359E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (entry block 69534c8-69534e8; graph rendering omitted)
                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06953593
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: ecb38e630da606982eb917a94fc53960460e18e17ace5b8cea1bf10111dc43d8
                                                • Instruction ID: 5e829f8c0fd5e147e3e2bf0616fb6ff1c459cde42ce846787f5baad8993da8b7
                                                • Opcode Fuzzy Hash: ecb38e630da606982eb917a94fc53960460e18e17ace5b8cea1bf10111dc43d8
                                                • Instruction Fuzzy Hash: 19C1A274E00218CFDB64DFA5C994BADBBB2FB89304F2081A9D809AB354DB355E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 069583C3
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 105d1b29ece844107c6cb04fd060f055c6dc0a7171cc101a99a39dece2489065
                                                • Instruction ID: e4d785f4eca46091ef27548af2e5684d0db657de796365ad34de87a5f3a581ae
                                                • Opcode Fuzzy Hash: 105d1b29ece844107c6cb04fd060f055c6dc0a7171cc101a99a39dece2489065
                                                • Instruction Fuzzy Hash: 78C1A274E01218CFDB64DFA5C994BADBBB2FB89304F2081A9D809AB354DB345E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 069569B3
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 91e79c1f508731f1facbd4fdfe8c09fec6999c53ada2c732db1f7b54e35f3c67
                                                • Instruction ID: 88a48f520db85d5e8bc5f93414e550ef48c81b4ab22987c7ab0420424cad0423
                                                • Opcode Fuzzy Hash: 91e79c1f508731f1facbd4fdfe8c09fec6999c53ada2c732db1f7b54e35f3c67
                                                • Instruction Fuzzy Hash: 95C19274E01218CFDB64DFA5D994BADBBB2FB89304F2081AAD809A7354DB355E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0695DECB
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 54fb2b51b3e230b4c6e3cf91fd2c2dabc619d77ca3c1c5bc475bee660fe9fb73
                                                • Instruction ID: 3e2df7487447dacb52652a6a161e7e997444aeeebaed4f0baeb197300d77acb3
                                                • Opcode Fuzzy Hash: 54fb2b51b3e230b4c6e3cf91fd2c2dabc619d77ca3c1c5bc475bee660fe9fb73
                                                • Instruction Fuzzy Hash: 15C19274E002188FDB64DFA5D954BADBBB2FF89304F2091AAD809AB354DB355E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (entry block 6956038-6956058; graph rendering omitted)
                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06956103
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: b6398d8c3e60b6706aad2b35dfec5e8223d5699185ac9ada95f03e3ab0e8ea37
                                                • Instruction ID: 4c3fe1d03e35255c8531011d6731a613dc363b827bd27f2cf86ea611a8f6aca4
                                                • Opcode Fuzzy Hash: b6398d8c3e60b6706aad2b35dfec5e8223d5699185ac9ada95f03e3ab0e8ea37
                                                • Instruction Fuzzy Hash: BFC1A274E00218CFDB54DFA5D994BADBBB2FB89304F2081AAD809A7355DB345E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0695F903
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: fba45735f9ee9bf0657aacb341e65b0d151f35409028b1b90d2bf1b55fb88469
                                                • Instruction ID: 2e2568b129379c4484603378c910ee9b51b715a129232c70a313638cdb39db6b
                                                • Opcode Fuzzy Hash: fba45735f9ee9bf0657aacb341e65b0d151f35409028b1b90d2bf1b55fb88469
                                                • Instruction Fuzzy Hash: D1C1A174E01218CFDB64DFA5D994BADBBB2FB89304F2081A9D809AB354DB355E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (entry block 6954628-6954648; graph rendering omitted)
                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 069546F3
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: cd9e7b0e2b112175304cb157f369ce5faa18d2152dae9a0096541925fa6a6540
                                                • Instruction ID: a656f557b86d35251af1f588ab609fe6fc94852560e0b1c496f158d858968d07
                                                • Opcode Fuzzy Hash: cd9e7b0e2b112175304cb157f369ce5faa18d2152dae9a0096541925fa6a6540
                                                • Instruction Fuzzy Hash: A5C1B174E002188FDB64DFA5C994BADBBB2BF89304F2091A9D809A7354DB359E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06957B13
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 753c1be518f7e212be5725db54bfb2b36e30abf8d9c1f760e0219928f108c84a
                                                • Instruction ID: cdcd8a35d1cdeb91ca75bc6a0b3bd1af0f6fd029f0bb929db53f6838609f25cf
                                                • Opcode Fuzzy Hash: 753c1be518f7e212be5725db54bfb2b36e30abf8d9c1f760e0219928f108c84a
                                                • Instruction Fuzzy Hash: BBC19274E01218CFDB64DFA5D954BADBBB2FB89304F2081AAD809AB354DB355E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (rendered as an image; legend: Executed / Not Executed). Function at 06953070, basic blocks 06953070-069534A4; calls 06952958, 06952AD8 (three times), 06952FD8 and KiUserExceptionDispatcher.
                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0695313B
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: f3a98e351d11ae3d7060006acf4a0df214babcfbcf9160054b19e5e0c3ada735
                                                • Instruction ID: efbe1181f904a331a02f83cbb0b04a7cd138b845935eb66dc0dcf73c8cfc78d0
                                                • Opcode Fuzzy Hash: f3a98e351d11ae3d7060006acf4a0df214babcfbcf9160054b19e5e0c3ada735
                                                • Instruction Fuzzy Hash: C1C19274E00218CFDB64DFA5D954BADBBB2FB89304F2081AAD809A7354DB355E85CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06957263
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 845a744fd555720d885bc080b38871c0b6bdfeda14e1d44a10505548259973b4
                                                • Instruction ID: 0fe829ebe6c23a6e9557f0a8d1e982291cf99d711601d43f497a014e387dfc1b
                                                • Opcode Fuzzy Hash: 845a744fd555720d885bc080b38871c0b6bdfeda14e1d44a10505548259973b4
                                                • Instruction Fuzzy Hash: FAC19274E00218CFDB54DFA5D994BADBBB2EB89304F2081A9D809AB354DB355E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (rendered as an image; legend: Executed / Not Executed). Function at 06955788, basic blocks 06955788-06955BBC; calls 06952958, 06952AD8 (three times), 06952FD8 and KiUserExceptionDispatcher.
                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06955853
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 495146009620213ef33cf6151378c4307f516027e6e243062c9efd54e070d8cc
                                                • Instruction ID: 0278d6d4a179dea3d920ad3653d0b27eea8a6c2ed99de10cbc71912400011d3f
                                                • Opcode Fuzzy Hash: 495146009620213ef33cf6151378c4307f516027e6e243062c9efd54e070d8cc
                                                • Instruction Fuzzy Hash: 11C1A274E00218CFDB64DFA5D994BADBBB2BF89304F2081AAD809A7355DB345E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0695F053
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 12f9dfb8328c574861117d94e7a3383e101de777a0c1bf68e925883e36d5777c
                                                • Instruction ID: 8751873997fd2efca10864b847d8ae943e6eaf4a6e3ca8cd30a48ca5a9b6a099
                                                • Opcode Fuzzy Hash: 12f9dfb8328c574861117d94e7a3383e101de777a0c1bf68e925883e36d5777c
                                                • Instruction Fuzzy Hash: 14C19174E012188FDB64DFA5D954BADBBB2BF89304F2081A9D809AB354DB355E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (rendered as an image; legend: Executed / Not Executed). Function at 069541D0, basic blocks 069541D0-06954604; calls 06952958, 06952AD8 (three times), 06952FD8 and KiUserExceptionDispatcher.
                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0695429B
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: e74a47b7b625d95de0ab0cb5525adc50a9b8e9a3b498241aa0c931578b242565
                                                • Instruction ID: 08d59db11604a14110e4289031a092b3406c7232292e27ec9eefd75486e7b756
                                                • Opcode Fuzzy Hash: e74a47b7b625d95de0ab0cb5525adc50a9b8e9a3b498241aa0c931578b242565
                                                • Instruction Fuzzy Hash: 16C19274E002188FDB64DFA5D994BADBBB2AB89304F2081AAD809A7354DB355E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 069576BB
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 6c371b0fcbf978aeaf27cd1bff25b15c205f2413b5ef20bec0b0ae7db8a308fb
                                                • Instruction ID: e5de6ad6865380a2fd758e97ef27db7ea79060b09287255f2999020f0b6361ea
                                                • Opcode Fuzzy Hash: 6c371b0fcbf978aeaf27cd1bff25b15c205f2413b5ef20bec0b0ae7db8a308fb
                                                • Instruction Fuzzy Hash: 2FC19374E01218CFDB64DFA5D954BADBBB2FB89304F2081A9D809AB354DB355E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (rendered as an image; legend: Executed / Not Executed). Function at 06955BE0, basic blocks 06955BE0-06956014; calls 06952958, 06952AD8 (three times), 06952FD8 and KiUserExceptionDispatcher.
                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06955CAB
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 4b4e7788b7344a9af86b0b4256529ac9f79ae6f053aca9cdf880dbcc8ca3c4fb
                                                • Instruction ID: c2f0104ab4fd070930abee477c2d5f46f7a516cd18c589539ac6346b06624a21
                                                • Opcode Fuzzy Hash: 4b4e7788b7344a9af86b0b4256529ac9f79ae6f053aca9cdf880dbcc8ca3c4fb
                                                • Instruction Fuzzy Hash: 3AC19174E002188FDB64DFA5D994BADBBB2FB89304F2081A9D809A7355DB355E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0695F4AB
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 9aa205bddd8098bb0f6b64ee8c263289c5b41a2a71561ce42ec8227d8230f618
                                                • Instruction ID: 2db57ed1eef91f006f4c8482b6b9d5d1140fc869b9adf0b945277c52ccc51264
                                                • Opcode Fuzzy Hash: 9aa205bddd8098bb0f6b64ee8c263289c5b41a2a71561ce42ec8227d8230f618
                                                • Instruction Fuzzy Hash: 07C1B174E012188FDB64DFA5D994BADBBB2FB89304F2081A9D809AB354DB345E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (rendered as an image; legend: Executed / Not Executed). Function at 06955330, basic blocks 06955330-06955764; calls 06952958, 06952AD8 (three times), 06952FD8 and KiUserExceptionDispatcher.
                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 069553FB
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: da979489fe5b3361dcff26217c8902882989cf423fc6602d6e4198b8358c25c7
                                                • Instruction ID: fac807725dce47a266682363b3464f39045d51b48ebd8c708fd48926f5bf4167
                                                • Opcode Fuzzy Hash: da979489fe5b3361dcff26217c8902882989cf423fc6602d6e4198b8358c25c7
                                                • Instruction Fuzzy Hash: E3C1B274E00218CFDB54DFA5D954BADBBB2EF89304F2081A9D809A7355DB345E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0695EBFB
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 90d865dacf14b51c373148a335f53afd217e2387dc0dd3d21226969c37575cee
                                                • Instruction ID: be079c7e6e77049541a53a7a8ff363063ea9f0189b8bb1c970df3b577963314b
                                                • Opcode Fuzzy Hash: 90d865dacf14b51c373148a335f53afd217e2387dc0dd3d21226969c37575cee
                                                • Instruction Fuzzy Hash: D7C19274E012188FDB64DFA5D994BADBBB2EF89304F2081AAD809A7354DB355E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (rendered as an image; legend: Executed / Not Executed). Function at 06953920, basic blocks 06953920-06953D54; calls 06952958, 06952AD8 (three times), 06952FD8 and KiUserExceptionDispatcher.
                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 069539EB
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 1d4f9ec718953da255d0867c3ea80372ae317d47c51887ec931f1c8050527d73
                                                • Instruction ID: 38b53f54a18ac03ace7604c9c1da7b87e3b119dc284be4883ab3d9550db2cf48
                                                • Opcode Fuzzy Hash: 1d4f9ec718953da255d0867c3ea80372ae317d47c51887ec931f1c8050527d73
                                                • Instruction Fuzzy Hash: 68C19274E00218CFDB64DFA5D954BADBBB2FB89304F2081AAD809A7355DB355E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0695881B
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 879c0a5d127aca2ffeb219397376c0531b4ad4ee1c926aaa4815666dd9a9451b
                                                • Instruction ID: 265ce0bf4e2f5c77b51ef63af58e811a672a285cd9b258b574d36a2aa1c82918
                                                • Opcode Fuzzy Hash: 879c0a5d127aca2ffeb219397376c0531b4ad4ee1c926aaa4815666dd9a9451b
                                                • Instruction Fuzzy Hash: C6C1A174E012188FDB64DFA5D994BADBBB2FB89304F2081A9D809AB354DB355E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06956E0B
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: d0045669c014359c612f27212ffa6156bd30ef719189e399c59ca1c52516df2c
                                                • Instruction ID: 3c45ceccaa9baf163488370a1b096c8b0f31ec17ff3f5991926fa26c4fe0a834
                                                • Opcode Fuzzy Hash: d0045669c014359c612f27212ffa6156bd30ef719189e399c59ca1c52516df2c
                                                • Instruction Fuzzy Hash: AEC1A174E012188FDB64DFA5D954BADBBB2BB89304F2081A9D809AB354DB359E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (rendered as an image; legend: Executed / Not Executed). Function at 06953D78, basic blocks 06953D78-069541AC; calls 06952958, 06952AD8 (three times), 06952FD8 and KiUserExceptionDispatcher.
                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06953E43
                                                  • Part of subcall function 06952AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 0338f46dc6497e2911a34042d54621d61936a0f28ed5c70bef8ac674221f43d5
                                                • Instruction ID: f38a672e9f0e776225a2277c5c90ce405becff0e1a9b2c85a07d2a4625a84bf8
                                                • Opcode Fuzzy Hash: 0338f46dc6497e2911a34042d54621d61936a0f28ed5c70bef8ac674221f43d5
                                                • Instruction Fuzzy Hash: 1BC1A274E00218CFDB64DFA5D954BADBBB2AB89304F2081A9D809AB754DB355E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 0695E34B
Memory Dump Source
• Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
Similarity
• API ID: DispatcherExceptionUser
• API String ID: 6842923-0
• Opcode ID: 9fed50e98e66c0c6df0264b709f69de708789b331d137c74e68adf7811661bb8
• Instruction ID: be5c7a47b61b117946227c22f3f3845f25773eb9e7a5461b09581c8419c376b7
• Instruction Fuzzy Hash: 7B410470E05208CBDB58CFAAD9506EEBBB2AF89304F20D12AC814BB254DB355A45CF50
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 069583C3
Memory Dump Source
• Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
Similarity
• API ID: DispatcherExceptionUser
• API String ID: 6842923-0
• Opcode ID: 9fcfc8c41b941274208be56b169f8cfaf8507dfad6c6d5d2146dfcb8d56b8e48
• Instruction ID: 85189ffac721fda34ed820695bdde63278c2e3fb6db384b58abc2ea42c6424c5
• Instruction Fuzzy Hash: 7E41F370E01218CBDB58CFAAC9546EEBBB2AF89304F24C12AC815BB754EB345946CF50
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 0695429B
Memory Dump Source
• Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
Similarity
• API ID: DispatcherExceptionUser
• API String ID: 6842923-0
• Opcode ID: f8477c109288958ec3d6e080952ba424bf9e9833605ad8737fb6d5511c84d1d4
• Instruction ID: 0a90b8eb4f6bd2e13b731b7fd008db1c3e398eb252441e9f62dda532eaf5d5cb
• Instruction Fuzzy Hash: A841E370D01208CBDB58DFAAC85469EBBF6AF89304F24D12AC815BB354EB345986CF50
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 06957263
Memory Dump Source
• Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
Similarity
• API ID: DispatcherExceptionUser
• API String ID: 6842923-0
• Opcode ID: b355754001f27c73738cc3508ba762913d954794a05e73f77c0a5efc58a992ae
• Instruction ID: e804b4ed889ab0e5e940b6d15539f1bac295ff57bf9a514da960a52a189e1764
• Instruction Fuzzy Hash: 8E41C570D01208CBDB58DFEAD9546EDBBB2AF89304F24D12AC815BB254DB345A46CF50
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 0695DECB
Memory Dump Source
• Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
Similarity
• API ID: DispatcherExceptionUser
• API String ID: 6842923-0
• Opcode ID: d88e10c1e0e2102f1f4ce217f428b655219b60cca9059965e17dc5cecf1ad7f9
• Instruction ID: 280e0678eedf011dfdcda223675e1fce890a31fb9e69b3a3160b5a06b422652b
• Instruction Fuzzy Hash: 5841E470D01248CBEB18DFAAD9546EDFBB2AF89304F24D12AC814BB254DB355945CF54
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 06955853
Memory Dump Source
• Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
Similarity
• API ID: DispatcherExceptionUser
• API String ID: 6842923-0
• Opcode ID: 74a160d6ae06c2e6a1adba1a6767878aab13befbb196956dd2bb14073618a62a
• Instruction ID: 7145433f2d24a1f0dd4e76ab56a82aabf9fb71240675705ea698a2816ab9ac58
• Instruction Fuzzy Hash: 4F41D270E01208CBEB58DFAAD8546EEBBF2AF89304F21D12AC414AB255EB344946CF50
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 069569B3
Memory Dump Source
• Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
Similarity
• API ID: DispatcherExceptionUser
• API String ID: 6842923-0
• Opcode ID: 55c61031291bfa231073cae29faad0d13095154ef5c0c4e2a16cd8fa62b9a769
• Instruction ID: 1d9ca393eb65d756a0926c2a0eb2e8fc5c9c54ea1c7a7068daeb66247900d58d
• Instruction Fuzzy Hash: 1941B570E01248CBDB58DFAAD9546EEFBB2AF89304F24D12AC815BB264DB345946CF50
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 069546F3
Memory Dump Source
• Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
Similarity
• API ID: DispatcherExceptionUser
• API String ID: 6842923-0
• Opcode ID: e278b5c6e6a6b2b0a9af2a2f415d4da0556b29c2755cc71f5f437e10901db2ab
• Instruction ID: d603c1ca4af6a8b3c89dddc25df974f42d3d034627c583ac7995f617eda14c43
• Instruction Fuzzy Hash: 8641C570E01208CFDB58CFAAD9946EEBBF2AF99304F24D12AC415BB254EB345945CF54
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 0695F903
Memory Dump Source
• Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
Similarity
• API ID: DispatcherExceptionUser
• API String ID: 6842923-0
• Opcode ID: d635039831d20fc4cd4ec4be198d55a5c18be7cebad7b36dedf2cc33071d72c2
• Instruction ID: aa79f6e60358955abe77d0a684d6af3f8d7f847345ace217a01c141ff65bc022
• Instruction Fuzzy Hash: F841F570E01248CBEB58DFAAD8946DEFBB2AF89304F20D12AC815BB254DB344946CF50
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 0695EBFB
Memory Dump Source
• Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
Similarity
• API ID: DispatcherExceptionUser
• API String ID: 6842923-0
• Opcode ID: 96ec6644df421ee293986373d15ff93871a26643cb68b81215a2fad51a04c93f
• Instruction ID: 595da87dc4e90c1302a92e53a46b29619371eda5f5674155e854f40f17195e99
• Instruction Fuzzy Hash: AD41E370E012088BEB58DFBAD8546EEBBF2AF89304F24D12AC815AB254EB354945CF50
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 06953593
Memory Dump Source
• Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
Similarity
• API ID: DispatcherExceptionUser
• API String ID: 6842923-0
• Opcode ID: cc42e2c9cf5867eab7a5058bd7f31daa5bba673c0fd8de7df483af48c2e23d6d
• Instruction ID: 0b3e14ea3268804cb087793600b590cc5bbd9417af069cc23906e9c3583488e8
• Instruction Fuzzy Hash: BF41E370E01208CFEB58CFAAD8546AEBBB2BF89304F24D12AC415BB254EB355946CF54
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 06954FA3
Memory Dump Source
• Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
Similarity
• API ID: DispatcherExceptionUser
• API String ID: 6842923-0
• Opcode ID: c3a1c23e220f0aabd2f8a151209f5fffc3ab2c6a298ce4189bc159d64a9049c0
• Instruction ID: b3b9ad46cf67bd927fdaceccbdad6d47eb5252f37b1b8481516b2bb5aeb9c409
• Instruction Fuzzy Hash: C041F770D01208CBDB58DFAAD8546DEFBF2AF89304F24C12AC814BB254EB345946CF50
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 0695E7A3
Memory Dump Source
• Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
Similarity
• API ID: DispatcherExceptionUser
• API String ID: 6842923-0
• Opcode ID: d67143980096c0be66fb686ed8cc7286af00b262dabd3056918ce59ce46cf7e2
• Instruction ID: 67eeae42b99e331a116cf794e0b13a38d7613428f98d31002ec1b52f66107228
• Instruction Fuzzy Hash: E6412570D01248CBDB18DFBAD8906DEFBB2AF88300F24D12AC814BB254EB354A46CF50
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 06957B13
Memory Dump Source
• Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
Similarity
• API ID: DispatcherExceptionUser
• API String ID: 6842923-0
• Opcode ID: ab7185925ef623e3c0e7dfa090d7acea523299e80c21a20659dc32589e79d5ee
• Instruction ID: b606e710c771fe5c13d63229f0693e09fdaeca4c0ddd82babb7e3b4ba20e6e77
• Instruction Fuzzy Hash: F541E570D01208CBDB58DFEAD8546EEFBB2AF89304F20D12AC415AB264EB345A46CF54
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 06956103
Memory Dump Source
• Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
Similarity
• API ID: DispatcherExceptionUser
• API String ID: 6842923-0
• Opcode ID: 05a2597d2686fce0bb4796954d9e45b7f6aaf4f53fe5c8036894032a5ce6c5b0
• Instruction ID: 329d2fc78b3ae96d25c568cee0cdc13fa82000c5a9e302c53d259a697f24bbc0
• Instruction Fuzzy Hash: F441E370E01208CBDB58DFAAD9546EEFBB2AF89304F24D12AC815BB265DB344946CF40
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 0695313B
Memory Dump Source
• Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
Similarity
• API ID: DispatcherExceptionUser
• API String ID: 6842923-0
• Opcode ID: 8200147c2ac946e049b17095dacf2313962571e6c737245e4d763e3bad3abd39
• Instruction ID: 521e53d0d8c8bc5a2a9cb23d80d637d0a40b8cfe747f75cdb72169f17a3cd591
• Instruction Fuzzy Hash: 2E41E170E01208CBEB58CFBAD8546AEFBB2AF89304F24D12AC814BB254EB355945CF54
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 0695F4AB
Memory Dump Source
• Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
Similarity
• API ID: DispatcherExceptionUser
• API String ID: 6842923-0
• Opcode ID: 4251a6a68f713de5487549b70017294e8e9dd92812e272fb59b093ecdbb07f1e
• Instruction ID: 25f1c9d9df59e3662f066416951d1b53527f7165d662e526c1a342f1456dcff2
• Instruction Fuzzy Hash: 2341C270E01208CBEB58DFBAD9546AEFBB2AF89314F20D12AC815AB254EB344945CF50
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 069576BB
Memory Dump Source
• Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
Similarity
• API ID: DispatcherExceptionUser
• API String ID: 6842923-0
• Opcode ID: 673c16ec35e2104d191e48113c751e70c6fc63df1e35eeca16629422a5b4068a
• Instruction ID: bfd747e81f28dfa706cf9dc4f53d8d64dbadd527dddf8df97dfc74784896f6d5
• Instruction Fuzzy Hash: 2441D270E01208CBEB58DFAAD8546AEBBB2AF89304F24D12AC815BB254DB345945CF50
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 069539EB
Memory Dump Source
• Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
Similarity
• API ID: DispatcherExceptionUser
• API String ID: 6842923-0
• Opcode ID: 0a9f854a7cdb5014b2b44b480198573829cfa037cf0f25261443f494927d36f3
• Instruction ID: 4ccd204b58bde069f13c4b1cb4802a94a8edcd52d2de42a45105c36f7c4f7310
• Instruction Fuzzy Hash: 3041D270E01208CBEB58DFBAD9546DEBBB6AF89344F24D12AC818BB254EB345945CF50
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 06956E0B
Memory Dump Source
• Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
Similarity
• API ID: DispatcherExceptionUser
• API String ID: 6842923-0
• Opcode ID: 90fef762df778489e32b00d3c9312b716904f757cbb74bb9a95ea116b630df67
• Instruction ID: 21471279d3ca80ce4328a16fcab73fd7dfcdf7bfc8cddb1cc7e1bf2d23e0ee06
• Instruction Fuzzy Hash: B441B470D01248CBDB58DFBAD9546EEBBF2AF89304F24D12AC415BB254EB344945CF50
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 069553FB
Memory Dump Source
• Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
Similarity
• API ID: DispatcherExceptionUser
• API String ID: 6842923-0
• Opcode ID: 8a0043bec62989a12d6b6fefcd630e8982dd0b5e910466fe41681a1ac030d50b
• Instruction ID: 6c46b21851a3423f46692d23b8330790adbb6d8692f9deb083e04496589020fd
• Instruction Fuzzy Hash: 9841F470E01208CBEB58DFBAD8546EEBBF2AF89304F25D12AC814BB255EB345945CF50
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 0695881B
Memory Dump Source
• Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
Similarity
• API ID: DispatcherExceptionUser
• API String ID: 6842923-0
• Opcode ID: 5c51da0f6cc1475515dee6f203f2150f326b774936be9b301ae55efddc6b5859
• Instruction ID: f3b4bfef80e2b150b9a07b666412bbca9edd7e945b652e3d59d5a98906bcf5af
• Instruction Fuzzy Hash: 5341D470E01218CFEB58DFAAD9546ADBBF2BF89304F24D12AC818BB254EB355945CF50
Uniqueness
• Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0695F053
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 1cdbca392c7b46bd9ed50d54f8d60dae05c97cc0ce822a058e7f4c8ce87b8f9b
                                                • Instruction ID: 77e675dcadab315fa68c6e4c6f93e7383fc8d92b9860d3c2d8e72128fa4c3693
                                                • Opcode Fuzzy Hash: 1cdbca392c7b46bd9ed50d54f8d60dae05c97cc0ce822a058e7f4c8ce87b8f9b
                                                • Instruction Fuzzy Hash: A241F570D012488BEB58DFBAD9546AEFBB2AF89304F24D12AC815BB254EB345945CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06953E43
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 3fb97e85ab56c76fc604743fb4e06a670c7f42ec4e0087a40ae95d987bf28e71
                                                • Instruction ID: 5b0efe04b0de6da515f3979b6706851f3caa422e06053c57e15ae74023a18676
                                                • Opcode Fuzzy Hash: 3fb97e85ab56c76fc604743fb4e06a670c7f42ec4e0087a40ae95d987bf28e71
                                                • Instruction Fuzzy Hash: D941E570D01208CBEB58CFAAD8546AEFBF2AF99304F24D12AC815BB254EB345946CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06957F6B
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 94a47867f64add253ab518a70d123e9500c95032325c094910280a0616a7850c
                                                • Instruction ID: a89f94bddd42a6901b147d97152862941c2a1beac359a8fb1a3038c09105c989
                                                • Opcode Fuzzy Hash: 94a47867f64add253ab518a70d123e9500c95032325c094910280a0616a7850c
                                                • Instruction Fuzzy Hash: B741D270E01608CBEB58DFAAD9546EEBBB2BF89304F24D12AC814BB264DB345945CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0695655B
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 3a7e062b175f13fe1ef10f697322df019b30a65e1eec3b8af352037d387cbd36
                                                • Instruction ID: 57f6ee8d44e6f1f068a68ee03ab2149eba87942f59b047182abaf18a41340d8b
                                                • Opcode Fuzzy Hash: 3a7e062b175f13fe1ef10f697322df019b30a65e1eec3b8af352037d387cbd36
                                                • Instruction Fuzzy Hash: AC41D670D01208CBDB58CFAAD9546EEBBF2AF89304F24D12AC414BB269DB345946CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06954B4B
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 199029c8e623a51b9cf6dd59368126c7500c016992396e6f41d24f26d225bbaa
                                                • Instruction ID: 94d8aa610a9a3be7f3f90632adf8d46ba39594483a3008bdd87565aa7f7102a2
                                                • Opcode Fuzzy Hash: 199029c8e623a51b9cf6dd59368126c7500c016992396e6f41d24f26d225bbaa
                                                • Instruction Fuzzy Hash: 7641E470E01248CBDB58DFAAD8546EEBBF2AF89304F24D12AC815BB354EB344985CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 06955CAB
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 3d966db68bde4787973c103bd71ddf491bff8cb3b8797ae229b8d8d5d247888c
                                                • Instruction ID: f460f7e01b50af1e568b48f05579d31bcc4e70bf1c69ff192249c16954195e66
                                                • Opcode Fuzzy Hash: 3d966db68bde4787973c103bd71ddf491bff8cb3b8797ae229b8d8d5d247888c
                                                • Instruction Fuzzy Hash: CA41E470E01208CBDB58DFAAD95469EBBB2BF89304F21D12AC814BB255EB344945CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.560418816.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_16b0000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b2006be056d9f7eeb1886f0ac76af5a6723a6cd79a8635622ea7a6c9dc8b40ad
                                                • Instruction ID: 46a9fe9fcc899719dca4b990208fbfa3c40ddcaf0f4ecfd877909c7c91ad4684
                                                • Opcode Fuzzy Hash: b2006be056d9f7eeb1886f0ac76af5a6723a6cd79a8635622ea7a6c9dc8b40ad
                                                • Instruction Fuzzy Hash: ED122874E012188FDB14DFB9C9947EDBBB2AF89304F2481AAC409A7395DB359D85CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.560418816.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_16b0000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e01c3340119689784b692a4ff5c5dc76fe6c18ced71bfc13ab41913d5c833d92
                                                • Instruction ID: d25fc3b7d04661eb283ce4c1697252681a6e7bcedf4fe0f91e63fe54580a9d5d
                                                • Opcode Fuzzy Hash: e01c3340119689784b692a4ff5c5dc76fe6c18ced71bfc13ab41913d5c833d92
                                                • Instruction Fuzzy Hash: 10F1C2B4E012188FDB14DFA9C884BDDFBB6BF88304F1481A9D809AB395DB749985CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.560418816.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_16b0000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e5142876becba7bbc1d4cc65b1b4f859c7c44b09b8656427d918072186ab0f14
                                                • Instruction ID: 3fd957a45d9c8605186a631be7b6520591d80ac6b3d67483b21d720bcc0e8b6c
                                                • Opcode Fuzzy Hash: e5142876becba7bbc1d4cc65b1b4f859c7c44b09b8656427d918072186ab0f14
                                                • Instruction Fuzzy Hash: B3F10574D01218CFDB19CFA4D994B9DBBB2FF89304F2091AAD409AB2A5D7359E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.560418816.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_16b0000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c253ea8a0010762a5ede39841c39649ec0a4bee7ae02829bc28d542911b7ad84
                                                • Instruction ID: df0d401bbb5a0dcf2796d466fbf85bc159ee7e3bf14fc05f565d0b42ebcd7b14
                                                • Opcode Fuzzy Hash: c253ea8a0010762a5ede39841c39649ec0a4bee7ae02829bc28d542911b7ad84
                                                • Instruction Fuzzy Hash: A4D1C274E01218CFDB24DFA5D994BADBBB6FB89304F2081AAD409A7354DB349E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.560418816.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_16b0000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ddcff4bae8e3345e407aac0523fbd03274638bfa43b4aa0d4668c7a1da211817
                                                • Instruction ID: 46b43126b851a76ae8d9a4b977623c8ee0b5f28da628b6157b80e8210fbbe92c
                                                • Opcode Fuzzy Hash: ddcff4bae8e3345e407aac0523fbd03274638bfa43b4aa0d4668c7a1da211817
                                                • Instruction Fuzzy Hash: 73C1B274E012188FDB24DFA5D994BADBBB2FF89304F2081A9D809AB355DB355E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.560418816.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_16b0000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 63096fc1adeaf0fe520e442e6e8ccc2aa7c36d304fd607bf3b4bd45774cebd10
                                                • Instruction ID: fc5c0ede6b57a56a1267adb870b27f06de654d2bc2b07930a7079eda14a49cf9
                                                • Opcode Fuzzy Hash: 63096fc1adeaf0fe520e442e6e8ccc2aa7c36d304fd607bf3b4bd45774cebd10
                                                • Instruction Fuzzy Hash: 14D1A174E01218CFDB24DFA5D994BADBBB2FB89304F2081AAD809A7355DB355E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.560418816.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_16b0000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: aeb6959731fdaace474193565768ee5189f5726a1cf686df6366ca3578eb2176
                                                • Instruction ID: a02dba2b377efde4509f709a6867fde82fc438e5355696263ca438327516b412
                                                • Opcode Fuzzy Hash: aeb6959731fdaace474193565768ee5189f5726a1cf686df6366ca3578eb2176
                                                • Instruction Fuzzy Hash: 74C1A274E01218CFDB64DFA5D994BADBBB2FB89304F2081A9D809AB355DB345E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.560418816.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_16b0000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fad15dd7c8c3b4862b6f37cbac621a70ba77d93773349acca315265a486a6933
                                                • Instruction ID: 8f473bd61a6040bfbf070af486eede6676b88ced8201583849dd934f240d39f4
                                                • Opcode Fuzzy Hash: fad15dd7c8c3b4862b6f37cbac621a70ba77d93773349acca315265a486a6933
                                                • Instruction Fuzzy Hash: BFC1B174E00218CFDB64DFA5D994BADBBB2BB89304F2081A9D809AB355DB355E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.560418816.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_16b0000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 583fc102b4acfb5d4c86521eef18c11757d4d97ab41c45327e651e9132464a4b
                                                • Instruction ID: 1eb9138901e0bb17a837743f60986fb32fce9d85b588e2a76dac0b61ef5f6142
                                                • Opcode Fuzzy Hash: 583fc102b4acfb5d4c86521eef18c11757d4d97ab41c45327e651e9132464a4b
                                                • Instruction Fuzzy Hash: 9BC1B174E00218CFDB64DFA5D994BADBBB2FB89304F2081A9D809AB355DB345E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.560418816.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_16b0000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a395098e028b40965d7e47c84f9c9cef2318d410ae5cecaa7320bd796f397475
                                                • Instruction ID: d422fa312ff0839bc879b4dc01be107385a73d8eba68e894edda9851d955bcee
                                                • Opcode Fuzzy Hash: a395098e028b40965d7e47c84f9c9cef2318d410ae5cecaa7320bd796f397475
                                                • Instruction Fuzzy Hash: F9C1B174E01218CFDB64DFA5D994BADBBB2BB89304F2081AAD809A7355DB345E85CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.560418816.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_16b0000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7b135c074408badf01fa8ebbae015b2ebcbaa2422f160debaf21b610016a39ca
                                                • Instruction ID: 385376d2194016bb4ef7015f2cd201259e8087e5dacfba6bb30f7232fd022922
                                                • Opcode Fuzzy Hash: 7b135c074408badf01fa8ebbae015b2ebcbaa2422f160debaf21b610016a39ca
                                                • Instruction Fuzzy Hash: 15A1E170A012188FEB24DFA9C984BDDBBB1BF89304F209269D409AB391DB759985CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.560418816.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_16b0000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3ac65f1b464ac8cb31a48d42e7078e0d93a90148db5722f54f3e8a0f1cda6134
                                                • Instruction ID: d116d627bd25be71ef7da7bad5a39c112750d58d7a541e1bf6719b65e063cce1
                                                • Opcode Fuzzy Hash: 3ac65f1b464ac8cb31a48d42e7078e0d93a90148db5722f54f3e8a0f1cda6134
                                                • Instruction Fuzzy Hash: CCA1E2B0D01218CFEB24DFA9C984BDDBBB1BF89304F209269D509AB391DB749985CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.560418816.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_16b0000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6a84fbdc900c64d4d62e540e0b07c0cb9aac8a86502b99775819594f00307a94
                                                • Instruction ID: b36032eea3e4e6a69cf956d9aa87f1070b1c8b7a4cd5c4e4e5c16f6d5272abda
                                                • Opcode Fuzzy Hash: 6a84fbdc900c64d4d62e540e0b07c0cb9aac8a86502b99775819594f00307a94
                                                • Instruction Fuzzy Hash: D991E070A01218CFEB24DFA9C884BDDBBB1FF49314F209269E509AB391DB759985CF14
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 016B3506
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.560418816.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_16b0000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: f68fd04c99f97c4ecc5cefaa4c9817fb357de93598ddaa6e999e56d5edb24658
                                                • Instruction ID: 2f2d68163b0ea66b14346d161c755b888babfb36c87a1c6da7ae0d2ea6ff7f57
                                                • Opcode Fuzzy Hash: f68fd04c99f97c4ecc5cefaa4c9817fb357de93598ddaa6e999e56d5edb24658
                                                • Instruction Fuzzy Hash: 9251EE34462742DFC3386F60AAAD1BABBB1FB4F313766BC10E45B92148DB74025A8F11
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 016B3506
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.560418816.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_16b0000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: e8317501120c6a51ed49188acfc70621a055f1e57ee20d3308fb9b41cb7b87a0
                                                • Instruction ID: 557a5b8304fffc1c90edc6b2f712f6ccad794e978ebee1bbe2ffe17b473d7dc3
                                                • Opcode Fuzzy Hash: e8317501120c6a51ed49188acfc70621a055f1e57ee20d3308fb9b41cb7b87a0
                                                • Instruction Fuzzy Hash: 7651EF34462742DFC3382F61AAAD1BEBBB5FB4F313762BC10E41B920088B74025A8F11
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06952C3A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.560215138.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_161d000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.560277567.000000000162D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_162d000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.560277567.000000000162D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_162d000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.560215138.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_161d000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.560418816.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_16b0000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.563072376.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6950000_l9qmoY93Ed.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%